GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-01-09 02:15:07
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003a WDC_WD10SPCX-24HWST1 rev.02.01A02 931,51GB
Running: e83dtn75.exe; Driver: C:\Users\Piotr\AppData\Local\Temp\kwndipod.sys

---- User code sections - GMER 2.2 ----

? C:\Windows\SYSTEM32\NTASN1.dll [2840] entry point in ".rdata" section 000000006ac6a020
? C:\Windows\system32\ncryptsslp.dll [2840] entry point in ".rdata" section 0000000067d304f0
? C:\Windows\SYSTEM32\iertutil.dll [2908] entry point in ".rdata" section 0000000070ad1590
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8eb9965c0 16 bytes {MOV RAX, 0x7ff8d9867214; JMP RAX}
? C:\Windows\system32\apphelp.dll [10464] entry point in ".rdata" section 000000006913f7c0

---- User IAT/EAT - GMER 2.2 ----

IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[10804] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ff8a5c51ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll
IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6784] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ff8a5c51ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll
IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8240] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ff8a5c51ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll
IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[580] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ff8a5c51ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll
IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5852] @ C:\Windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7ff8a5c51ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll

---- Threads - GMER 2.2 ----

Thread C:\Windows\SYSTEM32\ntdll.dll [2740:2744] 000000000029ebb6
Thread C:\Windows\SYSTEM32\ntdll.dll [2740:3240] 0000000072f683a0
Thread C:\Windows\SYSTEM32\ntdll.dll [2740:3352] 0000000072f34920
Thread C:\Windows\SYSTEM32\ntdll.dll [2740:3680] 0000000072f34920
Thread C:\Windows\SYSTEM32\ntdll.dll [2740:6088] 0000000072f34920
Thread C:\Windows\SYSTEM32\ntdll.dll [2740:760] 00000000739bb960
Thread C:\Windows\SYSTEM32\ntdll.dll [2740:6644] 0000000072fbebf0
Thread C:\Windows\SYSTEM32\ntdll.dll [2740:6652] 0000000072f34920
Thread C:\Windows\SYSTEM32\ntdll.dll [2740:6656] 0000000072f34920
Thread C:\Windows\SYSTEM32\ntdll.dll [2740:6664] 0000000072f34920
Thread C:\Windows\SYSTEM32\ntdll.dll [2740:6660] 0000000072f34920
Thread C:\Windows\SYSTEM32\ntdll.dll [2740:6672] 0000000072f34f50
Thread C:\Windows\SYSTEM32\ntdll.dll [2740:6676] 0000000072f34920
Thread C:\Windows\SYSTEM32\ntdll.dll [2740:6680] 0000000072f34920
Thread C:\Windows\SYSTEM32\ntdll.dll [2740:6692] 000000006c7a0ee0
Thread C:\Windows\SYSTEM32\ntdll.dll [2740:6228] 0000000072f34920
Thread C:\Windows\SYSTEM32\ntdll.dll [2740:2864] 0000000072f34920
Thread C:\Windows\SYSTEM32\ntdll.dll [2740:8940] 0000000072f34920
Thread C:\Windows\SYSTEM32\ntdll.dll [2752:2756] 0000000000b30c9f
Thread C:\Windows\SYSTEM32\ntdll.dll [2752:3924] 000000006efae660
Thread C:\Windows\SYSTEM32\ntdll.dll [2752:3928] 000000006efae660
Thread C:\Windows\SYSTEM32\ntdll.dll [2752:4412] 000000006efae660
Thread C:\Windows\SYSTEM32\ntdll.dll [2752:4424] 000000006f152650
Thread C:\Windows\SYSTEM32\ntdll.dll [2752:6220] 000000006e578e40
Thread C:\Windows\SYSTEM32\ntdll.dll [2752:6180] 000000006e578e40
Thread C:\Windows\SYSTEM32\ntdll.dll [2752:6212] 000000006e52d9c0
Thread C:\Windows\SYSTEM32\ntdll.dll [2752:6208] 000000006e548560
Thread C:\Windows\SYSTEM32\ntdll.dll [2752:6204] 000000006e546490
Thread C:\Windows\SYSTEM32\ntdll.dll [2752:7320] 000000006d9487c0
Thread C:\Windows\SYSTEM32\ntdll.dll [2752:7324] 000000006d9487c0
Thread C:\Windows\SYSTEM32\ntdll.dll [2752:7328] 000000006d9487c0
Thread C:\Windows\SYSTEM32\ntdll.dll [2752:7332] 000000006d946460
Thread C:\Windows\SYSTEM32\ntdll.dll [2752:6392] 000000006e578e40
Thread C:\Windows\SYSTEM32\ntdll.dll [2752:1208] 000000006e51d710
Thread C:\Windows\SYSTEM32\ntdll.dll [2752:5036] 000000006e51ddf0

---- Services - GMER 2.2 ----

Service C:\Program Files (x86)\Windows Defender\MsMpEng.exe (*** hidden *** ) [MANUAL] WinDefend <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SDC37520_00_07DE_51^71E5750D47079BEEECB0EF42E5FABF7B@Timestamp 0x7B 0x82 0x91 0x69 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1140272586
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\e4b318c6ea0c
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\e4b318c6ea0c@98e7f53fcc5d 0x37 0x63 0xEF 0xA7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 8313
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile@EnableFirewall 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile@EnableFirewall 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{52ac5d70-dfa0-4b2f-9eb5-bbf58aecbb23}@LeaseObtainedTime 1483914487
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{52ac5d70-dfa0-4b2f-9eb5-bbf58aecbb23}@T1 1483957687
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{52ac5d70-dfa0-4b2f-9eb5-bbf58aecbb23}@T2 1483990087
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{52ac5d70-dfa0-4b2f-9eb5-bbf58aecbb23}@LeaseTerminatesTime 1484000887
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{52ac5d70-dfa0-4b2f-9eb5-bbf58aecbb23}@Dhcpv6State 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x38 0xF6 0x0A 0x37 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x38 0x5E 0xCF 0x98 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x38 0x8E 0x46 0xD5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\WdBoot@Group _Early-Launch
Reg HKLM\SYSTEM\CurrentControlSet\Services\WdBoot@ImagePath \SystemRoot\system32\drivers\WdBoot.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\WdBoot@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\WdBoot
Reg HKLM\SYSTEM\CurrentControlSet\Services\WinDefend@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\WinDefend

---- EOF - GMER 2.2 ----