GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-02-12 14:13:47
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000029 WDC_WD3200BPVT-60JJ5T0 rev.01.01A01 298,09GB
Running: gm_271udh8y.exe; Driver: C:\Users\Organeo\AppData\Local\Temp\awldrkoc.sys

---- User code sections - GMER 2.2 ----

?        C:\WINDOWS\SYSTEM32\dbgcore.DLL [6416] entry point in ".rdata" section                                    000000007398c940
.text    C:\WINDOWS\system32\AUDIODG.EXE[8976] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable         00007ff8600507e0 5 bytes JMP 00007ff856543c80
.text    C:\WINDOWS\system32\AUDIODG.EXE[8976] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlDecompressBuffer                 00007ff8600adec0 5 bytes JMP 00007ff8565432e0
.text    C:\WINDOWS\system32\AUDIODG.EXE[8976] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationProcess           00007ff8600c63e0 5 bytes JMP 00007ff856543420
.text    C:\WINDOWS\system32\AUDIODG.EXE[8976] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection                  00007ff8600c65c0 5 bytes JMP 00007ff856542de0
.text    C:\WINDOWS\system32\AUDIODG.EXE[8976] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                00007ff8600c6800 5 bytes JMP 00007ff856542c50
.text    C:\WINDOWS\system32\AUDIODG.EXE[8976] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent                         00007ff8600c68c0 5 bytes JMP 00007ff856543620
.text    C:\WINDOWS\system32\AUDIODG.EXE[8976] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent                       00007ff8600c69c0 5 bytes JMP 00007ff8565435a0
.text    C:\WINDOWS\system32\AUDIODG.EXE[8976] C:\WINDOWS\SYSTEM32\ntdll.dll!NtResumeThread                      00007ff8600c6b00 5 bytes JMP 00007ff856543010
.text    C:\WINDOWS\system32\AUDIODG.EXE[8976] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant                      00007ff8600c75d0 5 bytes JMP 00007ff856543680
.text    C:\WINDOWS\system32\AUDIODG.EXE[8976] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore                   00007ff8600c7730 5 bytes JMP 00007ff856543760
.text    C:\WINDOWS\system32\AUDIODG.EXE[8976] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateUserProcess                 00007ff8600c7850 5 bytes JMP 00007ff856543180
.text    C:\WINDOWS\system32\AUDIODG.EXE[8976] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant                        00007ff8600c8350 5 bytes JMP 00007ff856543700
.text    C:\WINDOWS\system32\AUDIODG.EXE[8976] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore                     00007ff8600c8430 5 bytes JMP 00007ff8565437e0
?        C:\WINDOWS\system32\apphelp.dll [868] entry point in ".rdata" section                                     00000000685af7c0

---- Threads - GMER 2.2 ----

Thread   C:\WINDOWS\system32\csrss.exe [1004:1108]                                                                 ffff920e20936c20
Thread   C:\WINDOWS\system32\svchost.exe [1032:1792]                                                               00007ff850aae830
Thread   C:\WINDOWS\system32\svchost.exe [1032:1820]                                                               00007ff850a210a0
Thread   C:\WINDOWS\system32\svchost.exe [1032:2120]                                                               00007ff8557d2cf0
Thread   C:\WINDOWS\system32\svchost.exe [1032:2340]                                                               00007ff84fd05bd0
Thread   C:\WINDOWS\system32\svchost.exe [1032:2360]                                                               00007ff84fd09b20
Thread   C:\WINDOWS\system32\svchost.exe [1032:2368]                                                               00007ff8557d2cf0
Thread   C:\WINDOWS\system32\svchost.exe [1988:2068]                                                               00007ff8503744b0
Thread   C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2824:3512]                 0000000074047ea0
Thread   C:\WINDOWS\system32\svchost.exe [2856:6948]                                                               00007ff85148b180
Thread   C:\WINDOWS\system32\svchost.exe [2856:6976]                                                               00007ff85148f5f0
Thread   C:\WINDOWS\system32\svchost.exe [3264:4308]                                                               00007ff8480a5bc0
Thread   C:\WINDOWS\system32\svchost.exe [3264:4316]                                                               00007ff848082740
Thread   C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2284:6032]                000000007176ff83
Thread   C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2284:5468]                000000007176ff83
Thread   C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2284:5464]                0000000071766447
Thread   C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [4364:5452]                                 00007ff846751b50

---- Services - GMER 2.2 ----

Service  C:\WINDOWS\system32\drivers\mbae64.sys (*** hidden *** ) [SYSTEM] ESProtectionDriver                      <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\drivers\MBAMChameleon.sys (*** hidden *** ) [AUTO] MBAMChameleon                      <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\drivers\farflt.sys (*** hidden *** ) [MANUAL] MBAMFarflt                              <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\drivers\mbam.sys (*** hidden *** ) [MANUAL] MBAMProtection                            <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys (*** hidden *** ) [MANUAL] MBAMSwissArmy                    <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\drivers\mwac.sys (*** hidden *** ) [MANUAL] MBAMWebProtection                         <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed                         1190498388
Reg      HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw                                                        0x64 0x62 0x03 0x00 ...
Reg      HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask                                                    0x64 0x62 0x03 0x00 ...

---- EOF - GMER 2.2 ----