GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-12-01 23:13:49 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JE3O 465,76GB Running: kkn7pg6p.exe; Driver: C:\Users\Browar\AppData\Local\Temp\ufdiipob.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\Dwm.exe[1608] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefce332f0 7 bytes JMP 000007fefce200d8 .text C:\Windows\system32\Dwm.exe[1608] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefce3aa60 5 bytes JMP 000007fefce20180 .text C:\Windows\system32\Dwm.exe[1608] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefce3ac00 5 bytes JMP 000007fefce20110 .text C:\Windows\system32\Dwm.exe[1608] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefce49ac0 5 bytes JMP 000007fefce20148 .text C:\Windows\system32\Dwm.exe[1608] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefdf28830 8 bytes JMP 000007fefce201f0 .text C:\Windows\system32\Dwm.exe[1608] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefdf2b9e0 8 bytes JMP 000007fefce201b8 .text C:\Windows\system32\Dwm.exe[1608] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef886dc88 5 bytes JMP 000007fef88400d8 .text C:\Windows\system32\Dwm.exe[1608] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef886de10 5 bytes JMP 000007fef8840110 .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2392] C:\Windows\syswow64\KERNEL32.dll!RegQueryValueExW 0000000075811eee 7 bytes JMP 0000000062f45200 .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2392] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExW 0000000075815b85 7 bytes JMP 0000000062f45840 .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2392] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000075821409 7 bytes JMP 0000000062f45450 .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2392] C:\Windows\syswow64\KERNEL32.dll!RegDeleteValueW 000000007582ea5d 7 bytes JMP 0000000062f451f0 .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2392] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 00000000758b90c4 7 bytes JMP 0000000062f44820 .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2392] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 00000000758b9149 5 bytes JMP 0000000062f44a00 .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2392] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 00000000758b949f 5 bytes JMP 0000000062f44830 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2808] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075d82bdc 5 bytes JMP 0000000000ed8c60 .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e41401 2 bytes JMP 7583b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[3644] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e41419 2 bytes JMP 7583b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e41431 2 bytes JMP 758b9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e4144a 2 bytes CALL 75814885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[3644] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e414dd 2 bytes JMP 758b8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e414f5 2 bytes JMP 758b8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[3644] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e4150d 2 bytes JMP 758b8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e41525 2 bytes JMP 758b8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e4153d 2 bytes JMP 7582fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[3644] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e41555 2 bytes JMP 75836907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e4156d 2 bytes JMP 758b9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e41585 2 bytes JMP 758b8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[3644] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e4159d 2 bytes JMP 758b88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e415b5 2 bytes JMP 7582fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e415cd 2 bytes JMP 7583b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e416b2 2 bytes JMP 758b90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe[3644] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e416bd 2 bytes JMP 758b8891 C:\Windows\syswow64\kernel32.dll .text C:\Users\Browar\Desktop\kkn7pg6p.exe[4284] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075811eee 7 bytes JMP 0000000062f45200 .text C:\Users\Browar\Desktop\kkn7pg6p.exe[4284] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075815b85 7 bytes JMP 0000000062f45840 .text C:\Users\Browar\Desktop\kkn7pg6p.exe[4284] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075821409 7 bytes JMP 0000000062f45450 .text C:\Users\Browar\Desktop\kkn7pg6p.exe[4284] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007582ea5d 7 bytes JMP 0000000062f451f0 .text C:\Users\Browar\Desktop\kkn7pg6p.exe[4284] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000758b90c4 7 bytes JMP 0000000062f44820 .text C:\Users\Browar\Desktop\kkn7pg6p.exe[4284] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000758b9149 5 bytes JMP 0000000062f44a00 .text C:\Users\Browar\Desktop\kkn7pg6p.exe[4284] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000758b949f 5 bytes JMP 0000000062f44830 .text C:\Users\Browar\Desktop\kkn7pg6p.exe[4284] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075d81e4c 5 bytes JMP 0000000062f44740 .text C:\Users\Browar\Desktop\kkn7pg6p.exe[4284] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075d81efa 5 bytes JMP 0000000062f44650 .text C:\Users\Browar\Desktop\kkn7pg6p.exe[4284] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075d82bdc 5 bytes JMP 0000000062f44a10 .text C:\Users\Browar\Desktop\kkn7pg6p.exe[4284] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075d82e7e 5 bytes JMP 0000000062f44340 .text C:\Users\Browar\Desktop\kkn7pg6p.exe[4284] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000751fe74f 5 bytes JMP 0000000062f43910 .text C:\Users\Browar\Desktop\kkn7pg6p.exe[4284] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000751fe989 5 bytes JMP 0000000062f43920 .text C:\Users\Browar\Desktop\kkn7pg6p.exe[4284] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000074e95645 5 bytes JMP 0000000062f442d0 .text C:\Users\Browar\Desktop\kkn7pg6p.exe[4284] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000074eaf631 5 bytes JMP 0000000062f44330 .text C:\Users\Browar\Desktop\kkn7pg6p.exe[4284] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000074ed0867 5 bytes JMP 0000000062f43600 .text C:\Users\Browar\Desktop\kkn7pg6p.exe[4284] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000074ee7af4 5 bytes JMP 0000000062f442a0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{5DF32AB3-4789-41DF-A9D4-D0B1ECEFF8D1}\Connection@Name isatap.{F45F85EA-E938-43CD-B9A4-51673CDC5B39} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{F7F43F06-23BB-4B1F-9A71-61F57B6664DC}?\Device\{5DF32AB3-4789-41DF-A9D4-D0B1ECEFF8D1}?\Device\{9D89F15E-45D9-4D50-A54B-C080A8DC3423}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{F7F43F06-23BB-4B1F-9A71-61F57B6664DC}"?"{5DF32AB3-4789-41DF-A9D4-D0B1ECEFF8D1}"?"{9D89F15E-45D9-4D50-A54B-C080A8DC3423}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{F7F43F06-23BB-4B1F-9A71-61F57B6664DC}?\Device\TCPIP6TUNNEL_{5DF32AB3-4789-41DF-A9D4-D0B1ECEFF8D1}?\Device\TCPIP6TUNNEL_{9D89F15E-45D9-4D50-A54B-C080A8DC3423}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68f74218 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68f74218@382dd1d9c15c 0x5D 0x2D 0x5F 0x94 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{5DF32AB3-4789-41DF-A9D4-D0B1ECEFF8D1}@InterfaceName isatap.{F45F85EA-E938-43CD-B9A4-51673CDC5B39} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{5DF32AB3-4789-41DF-A9D4-D0B1ECEFF8D1}@ReusableType 0 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68f74218 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68f74218@382dd1d9c15c 0x5D 0x2D 0x5F 0x94 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.2 ----