GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-03-03 19:58:37 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003d PLEXTOR_PX-256M6S rev.1.08 238,47GB Running: czgxe8hh.exe; Driver: C:\Users\Adashko\AppData\Local\Temp\fwtdrpod.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\SYSTEM32\dbgcore.DLL [2224] entry point in ".rdata" section 000000006f60c940 ? C:\WINDOWS\system32\apphelp.dll [2240] entry point in ".rdata" section 0000000073d8f7c0 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [2388] entry point in ".rdata" section 0000000067faa020 ? C:\WINDOWS\system32\ncryptsslp.dll [2388] entry point in ".rdata" section 0000000067f804f0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [7908] entry point in ".rdata" section 0000000068941590 ? C:\Windows\System32\ActXPrxy.dll [7908] entry point in ".rdata" section 000000005b4a9c50 ? C:\WINDOWS\SYSTEM32\apphelp.dll [7908] entry point in ".rdata" section 0000000073d8f7c0 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [8080] entry point in ".rdata" section 0000000067faa020 ? C:\WINDOWS\SYSTEM32\iertutil.dll [8080] entry point in ".rdata" section 0000000068941590 ? C:\WINDOWS\system32\apphelp.dll [8080] entry point in ".rdata" section 0000000073d8f7c0 ? C:\WINDOWS\system32\apphelp.dll [8280] entry point in ".rdata" section 0000000073d8f7c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [9040] entry point in ".rdata" section 0000000068941590 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [9040] entry point in ".rdata" section 0000000067faa020 ? C:\WINDOWS\system32\ncryptsslp.dll [9040] entry point in ".rdata" section 0000000067f804f0 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [1520] entry point in ".rdata" section 0000000067faa020 ? C:\WINDOWS\SYSTEM32\iertutil.dll [1520] entry point in ".rdata" section 0000000068941590 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [10908] entry point in ".rdata" section 0000000067faa020 ? C:\WINDOWS\SYSTEM32\iertutil.dll [10908] entry point in ".rdata" section 0000000068941590 ? C:\WINDOWS\SYSTEM32\dbgcore.DLL [11900] entry point in ".rdata" section 000000006f60c940 ? C:\WINDOWS\SYSTEM32\dbgcore.DLL [11588] entry point in ".rdata" section 000000006f60c940 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [11588] entry point in ".rdata" section 00000000713f8fc0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [11588] entry point in ".rdata" section 0000000068941590 ? C:\WINDOWS\SYSTEM32\atlthunk.dll [11588] entry point in ".data" section 0000000066b94290 ? C:\Windows\System32\ActXPrxy.dll [11588] entry point in ".rdata" section 000000005b4a9c50 ? C:\WINDOWS\System32\apphelp.dll [11588] entry point in ".rdata" section 0000000073d8f7c0 ? C:\WINDOWS\system32\mssprxy.dll [11588] entry point in ".rdata" section 000000005b8ea650 ? C:\WINDOWS\system32\apphelp.dll [9508] entry point in ".rdata" section 0000000073d8f7c0 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [684:812] ffffdfac613a6c20 Thread C:\WINDOWS\system32\svchost.exe [924:348] 00007fffd2d4f950 Thread C:\WINDOWS\system32\svchost.exe [924:352] 00007fffd2d4ed20 Thread C:\WINDOWS\system32\svchost.exe [924:380] 00007fffd2b68ae0 Thread C:\WINDOWS\System32\svchost.exe [1036:2708] 00007fffca0b2af0 Thread C:\WINDOWS\System32\svchost.exe [1036:2712] 00007fffca0b2a40 Thread C:\WINDOWS\System32\svchost.exe [1036:4284] 00007fffca0afdf0 Thread C:\WINDOWS\System32\svchost.exe [1036:7244] 00007fffc1d3c990 Thread C:\WINDOWS\System32\svchost.exe [1036:7360] 00007fffc1d7f290 Thread C:\WINDOWS\System32\svchost.exe [1036:10100] 00007fffc9eb51d0 Thread C:\WINDOWS\System32\svchost.exe [1036:10104] 00007fffc9eb72d0 Thread C:\WINDOWS\System32\svchost.exe [1036:9156] 00007fffb3d35b60 Thread C:\WINDOWS\System32\svchost.exe [1036:9364] 00007fffca0a5c80 Thread C:\WINDOWS\system32\svchost.exe [1768:3100] 00007fffca135bd0 Thread C:\WINDOWS\system32\svchost.exe [1768:3208] 00007fffca139b20 Thread C:\WINDOWS\system32\svchost.exe [1904:1812] 00007fffcba644b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:2256] 000000000020416e Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:3116] 0000000070d283a0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:3140] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:4036] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:4472] 0000000070cf4f50 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:5280] 0000000010032168 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:5808] 0000000005d5b2f7 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:5816] 0000000005d5b2f7 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:5820] 0000000005d5b2f7 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:5824] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:6996] 000000006f4fb960 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:8320] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:6544] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:7880] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:4528] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:9188] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:12052] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:3388] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:9900] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:1800] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:1476] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:4880] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:7648] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:1020] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:9684] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:2980] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:7624] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:7376] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:6328] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:10992] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:6204] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:3628] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:3632] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:4752] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:12000] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:3360] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:3572] 0000000070cf4920 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2252:11092] 0000000070cf4920 Thread [2312:2872] 0000000076577ea0 Thread [2740:2876] 0000000076577ea0 Thread C:\WINDOWS\System32\svchost.exe [3248:9736] 00007fffcc2ddbe0 Thread C:\WINDOWS\System32\svchost.exe [3248:7620] 00007fffcc2ddbe0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [4268:4272] 0000000001378679 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [4268:4404] 0000000001376500 Thread C:\WINDOWS\Explorer.EXE [4572:2528] 00007fffb8e1bb70 Thread C:\WINDOWS\Explorer.EXE [4572:3064] 00007fffadcb2510 Thread C:\WINDOWS\Explorer.EXE [4572:5720] 00007fffd1951ba0 Thread C:\WINDOWS\Explorer.EXE [4572:2568] 00007fffc4a65110 Thread C:\WINDOWS\Explorer.EXE [4572:10588] 00007fffc1ca36f0 Thread C:\Windows\WindowsMobile\wmdc.exe [7324:6596] 000000006f5f3804 Thread C:\Windows\WindowsMobile\wmdc.exe [7324:7428] 000000006f613368 Thread C:\WINDOWS\system32\svchost.exe [6124:3764] 000000006f51b5fc Thread C:\WINDOWS\system32\svchost.exe [6124:2772] 000000006f501760 Thread C:\WINDOWS\system32\svchost.exe [6124:7224] 000000006f5a8b1c Thread C:\WINDOWS\system32\svchost.exe [6124:7416] 000000006f5ac740 Thread C:\WINDOWS\system32\svchost.exe [6124:7424] 000000006f5b498c Thread C:\WINDOWS\system32\svchost.exe [6124:3500] 000000006f4d2234 Thread C:\WINDOWS\system32\svchost.exe [6124:3504] 000000006f540398 Thread C:\WINDOWS\system32\svchost.exe [6124:3508] 000000006f516394 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [9320:9324] 000000000041f0b0 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5736:780] 00007fffbde00030 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5736:12276] 00007fffbde00030 Thread C:\WINDOWS\system32\DllHost.exe [5240:936] 00007fffcc2ddbe0 Thread C:\WINDOWS\system32\DllHost.exe [5240:10664] 00007fffcc2ddbe0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [384:6404] 0000000000d86cde Thread C:\WINDOWS\explorer.exe [10696:3364] 00007fffc1cb20e0 Thread C:\WINDOWS\explorer.exe [10696:3120] 00007fffc1cb20e0 Thread C:\WINDOWS\explorer.exe [10696:11208] 00007fffc1cb20e0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 570357512 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a7dda7103 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x04 0x23 0x89 0x25 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x04 0x8B 0x4D 0x87 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x04 0xBB 0xC4 0xC3 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask 0x64 0x62 0x03 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE7CD045-E861-484F-8273-0445EE161910}\iexplore@Count 155 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@CloudSettingsDirtyMarks 337 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0xFF 0x8F 0x76 0xE8 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds 308046B0AF4A39CB?{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Adobe\Acrobat DC\Acrobat\Acrobat.exe? Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@308046B0AF4A39CB 0x8F 0x3C 0x4F 0x9B ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{AF3EA74D-09E5-4A50-8459-F58B9B2A9EAC} Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{AF3EA74D-09E5-4A50-8459-F58B9B2A9EAC}@LastAccessedTime 0x50 0xB6 0x14 0x30 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{AF3EA74D-09E5-4A50-8459-F58B9B2A9EAC}@AppId {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\msconfig.exe Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{AF3EA74D-09E5-4A50-8459-F58B9B2A9EAC}@LaunchCount 1 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.2 ---- File C:\Users\Adashko\AppData\Local\Temp\WAX875C.tmp (size mismatch) 1654784/0 bytes executable File C:\Users\Adashko\AppData\Local\Temp\WAX9F9B.tmp (size mismatch) 1527808/0 bytes executable ---- EOF - GMER 2.2 ----