GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-11-06 14:30:45 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000030 HGST_HTS545050A7E380 rev.GG2OAC90 465,76GB Running: 80r0ubk7.exe; Driver: C:\Users\Ika\AppData\Local\Temp\axddqpog.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff9600011a400 15 bytes [C0, 37, EE, 01, 40, A7, 69, ...] .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16 fffff9600011a410 11 bytes [00, 14, FC, FF, 00, 84, D5, ...] ---- User code sections - GMER 2.2 ---- .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffdba7c3e10 7 bytes JMP 00007ffdb9590260 .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffdba7c3e20 7 bytes JMP 00007ffdb9590298 .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffdba8739b0 7 bytes JMP 00007ffdb9590340 .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffdba873ef0 7 bytes JMP 00007ffdb95902d0 .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffdba873fe0 7 bytes JMP 00007ffdb9590308 .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffdba8a06c0 7 bytes JMP 00007ffdb95901f0 .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffdba8a0730 7 bytes JMP 00007ffdb9590228 .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffdb95d21d0 5 bytes JMP 00007ffdb9590180 .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffdb95d29d0 7 bytes JMP 00007ffdb95900d8 .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffdb95d4310 5 bytes JMP 00007ffdb9590110 .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffdb95d8c40 5 bytes JMP 00007ffdb9590148 .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffdb964eb80 5 bytes JMP 00007ffdb95901b8 .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffdb9c96d80 10 bytes JMP 00007ffdb9590458 .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffdb9ca7490 5 bytes JMP 00007ffdb95903e8 .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffdb9ca7550 9 bytes JMP 00007ffdb9590378 .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffdb9ca7720 5 bytes JMP 00007ffdb9590420 .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffdb9cb6b00 5 bytes JMP 00007ffdb95903b0 .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffdbab11500 1 byte JMP 00007ffdb9590490 .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffdbab11502 6 bytes {JMP 0xfffffffffea7ef90} .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffdbab11750 8 bytes JMP 00007ffdb95904c8 ---- Registry - GMER 2.2 ---- Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{5238e965-3f34-11e5-bf06-80a00c7266da} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{5238e965-3f34-11e5-bf06-80a00c7266da}@Drive Type 1048593 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{5238e965-3f34-11e5-bf06-80a00c7266da}@IsImapiDataBurnSupported 0 ---- User code sections - GMER 2.2 ---- .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory 00007ffdb73f7750 5 bytes JMP 00007ffdb73e00d8 .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 00007ffdb73f8ee0 5 bytes JMP 00007ffdb73e0110 .text C:\WINDOWS\system32\dwm.exe[912] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory2 00007ffdb73fc650 5 bytes JMP 00007ffdb73e0148 ---- Registry - GMER 2.2 ---- Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{5238e965-3f34-11e5-bf06-80a00c7266da}@Active 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications@MobileBroadbandLastResetDate 0xE4 0x18 0x08 0xB3 ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- User IAT/EAT - GMER 2.2 ---- IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\Explorer.EXE[USER32.dll!EndPaint] [7ffda9671f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\Explorer.EXE[USER32.dll!DeferWindowPos] [7ffda9671da0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\Explorer.EXE[USER32.dll!MoveWindow] [7ffda9671a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\Explorer.EXE[USER32.dll!SetWindowPos] [7ffda9671bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\system32\SHELL32.dll[USER32.dll!DeferWindowPos] [7ffda9671da0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\system32\SHELL32.dll[USER32.dll!SetWindowPos] [7ffda9671bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\system32\SHELL32.dll[USER32.dll!MoveWindow] [7ffda9671a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\system32\SHELL32.dll[USER32.dll!EndPaint] [7ffda9671f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[USER32.dll!SetWindowPos] [7ffda9671bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\SYSTEM32\DUser.dll[USER32.dll!EndPaint] [7ffda9671f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\SYSTEM32\DUI70.dll[USER32.dll!MoveWindow] [7ffda9671a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\SYSTEM32\DUI70.dll[USER32.dll!SetWindowPos] [7ffda9671bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\SYSTEM32\TWINAPI.dll[USER32.dll!SetWindowPos] [7ffda9671bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\SYSTEM32\dxgi.dll[USER32.dll!SetWindowPos] [7ffda9671bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\system32\IMM32.DLL[USER32.dll!EndPaint] [7ffda9671f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\system32\IMM32.DLL[USER32.dll!SetWindowPos] [7ffda9671bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\system32\MSCTF.dll[USER32.dll!MoveWindow] [7ffda9671a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\system32\MSCTF.dll[USER32.dll!EndPaint] [7ffda9671f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\system32\MSCTF.dll[USER32.dll!SetWindowPos] [7ffda9671bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll[USER32.dll!DeferWindowPos] [7ffda9671da0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll[USER32.dll!EndPaint] [7ffda9671f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll[USER32.dll!MoveWindow] [7ffda9671a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\WINDOWS\Explorer.EXE[2488] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll[USER32.dll!SetWindowPos] [7ffda9671bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll ---- Devices - GMER 2.2 ---- Device \Driver\semav6thermal64ro \Device\semav6thermal64ro fffff801595b3010 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [592:616] fffff960008972d0 ---- Processes - GMER 2.2 ---- Library C:\Program Files (x86)\InterHop\InterHop.exe (*** suspicious ***) @ C:\Program Files (x86)\InterHop\InterHop.exe [1924] 0000000001380000 Library C:\Program Files (x86)\Firefox\bin\FirefoxCommand.exe (*** suspicious ***) @ C:\Program Files (x86)\Firefox\bin\FirefoxCommand.exe [1960] 0000000000400000 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 1976555247 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0c84dcf4e1c8 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 7186 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x96 0xE7 0x88 0xA6 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x6A 0x86 0x7F 0x9D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x6A 0xDF 0xA1 0x0B ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{5238e965-3f34-11e5-bf06-80a00c7266da} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{5238e965-3f34-11e5-bf06-80a00c7266da}@Drive Type 1048593 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{5238e965-3f34-11e5-bf06-80a00c7266da}@IsImapiDataBurnSupported 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{5238e965-3f34-11e5-bf06-80a00c7266da}@Active 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications@MobileBroadbandLastResetDate 0xE4 0x18 0x08 0xB3 ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.2 ---- File C:\Users\Ika\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XMABNOVY5UV2RLM5WYC1.temp 7879 bytes File C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-648dc9de.exe (size mismatch) 7577600/0 bytes executable File C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-648dc9de.exe (size mismatch) 7577600/0 bytes executable ---- EOF - GMER 2.2 ----