GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-03-14 09:50:36 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000066 ST1000LM rev.2BA3 931,51GB Running: i0cgcygs.exe; Driver: C:\Users\Marcin\AppData\Local\Temp\pxldypog.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000754c1401 2 bytes JMP 774eb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[2176] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000754c1419 2 bytes JMP 774eb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000754c1431 2 bytes JMP 77569149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000754c144a 2 bytes CALL 774c4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[2176] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754c14dd 2 bytes JMP 77568a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754c14f5 2 bytes JMP 77568c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[2176] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000754c150d 2 bytes JMP 77568938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000754c1525 2 bytes JMP 77568d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000754c153d 2 bytes JMP 774dfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[2176] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000754c1555 2 bytes JMP 774e6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000754c156d 2 bytes JMP 77569201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000754c1585 2 bytes JMP 77568d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[2176] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000754c159d 2 bytes JMP 775688fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754c15b5 2 bytes JMP 774dfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754c15cd 2 bytes JMP 774eb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754c16b2 2 bytes JMP 775690c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[2176] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754c16bd 2 bytes JMP 77568891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000754c1401 2 bytes JMP 774eb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[2404] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000754c1419 2 bytes JMP 774eb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000754c1431 2 bytes JMP 77569149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000754c144a 2 bytes CALL 774c4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[2404] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754c14dd 2 bytes JMP 77568a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754c14f5 2 bytes JMP 77568c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[2404] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000754c150d 2 bytes JMP 77568938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000754c1525 2 bytes JMP 77568d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000754c153d 2 bytes JMP 774dfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[2404] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000754c1555 2 bytes JMP 774e6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000754c156d 2 bytes JMP 77569201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000754c1585 2 bytes JMP 77568d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[2404] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000754c159d 2 bytes JMP 775688fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754c15b5 2 bytes JMP 774dfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754c15cd 2 bytes JMP 774eb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754c16b2 2 bytes JMP 775690c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754c16bd 2 bytes JMP 77568891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[4612] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000754c1401 2 bytes JMP 774eb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[4612] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000754c1419 2 bytes JMP 774eb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[4612] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000754c1431 2 bytes JMP 77569149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[4612] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000754c144a 2 bytes CALL 774c4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[4612] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754c14dd 2 bytes JMP 77568a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[4612] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754c14f5 2 bytes JMP 77568c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[4612] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000754c150d 2 bytes JMP 77568938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[4612] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000754c1525 2 bytes JMP 77568d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[4612] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000754c153d 2 bytes JMP 774dfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[4612] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000754c1555 2 bytes JMP 774e6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[4612] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000754c156d 2 bytes JMP 77569201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[4612] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000754c1585 2 bytes JMP 77568d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[4612] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000754c159d 2 bytes JMP 775688fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[4612] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754c15b5 2 bytes JMP 774dfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[4612] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754c15cd 2 bytes JMP 774eb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[4612] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754c16b2 2 bytes JMP 775690c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\watchdog_service.exe[4612] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754c16bd 2 bytes JMP 77568891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000754c1401 2 bytes JMP 774eb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[4776] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000754c1419 2 bytes JMP 774eb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000754c1431 2 bytes JMP 77569149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000754c144a 2 bytes CALL 774c4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[4776] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754c14dd 2 bytes JMP 77568a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754c14f5 2 bytes JMP 77568c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[4776] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000754c150d 2 bytes JMP 77568938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000754c1525 2 bytes JMP 77568d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000754c153d 2 bytes JMP 774dfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[4776] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000754c1555 2 bytes JMP 774e6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000754c156d 2 bytes JMP 77569201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000754c1585 2 bytes JMP 77568d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[4776] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000754c159d 2 bytes JMP 775688fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754c15b5 2 bytes JMP 774dfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754c15cd 2 bytes JMP 774eb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754c16b2 2 bytes JMP 775690c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Comarch\ComarchCryptoProvider\ComarchCryptoServer.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754c16bd 2 bytes JMP 77568891 C:\Windows\syswow64\kernel32.dll ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c038967ea51e Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c038967ea51e@a0e453cfef6c 0xC3 0x30 0x2E 0x8F ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c038967ea51e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c038967ea51e@a0e453cfef6c 0xC3 0x30 0x2E 0x8F ... ---- Files - GMER 2.2 ---- File C:\Users\Marcin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_064b27 0 bytes File C:\Users\Marcin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_064b53 37311 bytes File C:\Users\Marcin\AppData\Local\Google\Chrome\User Data\Default\Cache\f_064c16 0 bytes ---- EOF - GMER 2.2 ----