GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-03-05 20:13:20 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002f TOSHIBA_MQ01ABD100 rev.AX0A4M 931,51GB Running: yq7td6tf.exe; Driver: C:\Users\Jeanne\AppData\Local\Temp\awldypog.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\atieclxx.exe[8912] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffad703169a 4 bytes [03, D7, FA, 7F] .text C:\Windows\system32\atieclxx.exe[8912] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffad70316a2 4 bytes [03, D7, FA, 7F] .text C:\Windows\system32\atieclxx.exe[8912] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffad703181a 4 bytes [03, D7, FA, 7F] .text C:\Windows\system32\atieclxx.exe[8912] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffad7031832 4 bytes [03, D7, FA, 7F] .text C:\Windows\Explorer.EXE[4476] C:\Windows\system32\WS2_32.dll!getpeername 00007ffad7aeef28 6 bytes {JMP QWORD [RIP-0x7feeee4e]} .text C:\Windows\Explorer.EXE[4476] C:\Windows\system32\WS2_32.dll!getsockname 00007ffad7af01b0 6 bytes {JMP QWORD [RIP-0x7fef010e]} .text C:\Windows\Explorer.EXE[4476] C:\Windows\system32\WS2_32.dll!connect + 1 00007ffad7af07f1 5 bytes {JMP QWORD [RIP-0x7fef07be]} .text C:\Windows\Explorer.EXE[4476] C:\Windows\system32\WS2_32.dll!WSAConnect 00007ffad7af69b0 6 bytes {JMP QWORD [RIP-0x7fef6946]} .text C:\Windows\Explorer.EXE[4476] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffad703169a 4 bytes [03, D7, FA, 7F] .text C:\Windows\Explorer.EXE[4476] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffad70316a2 4 bytes [03, D7, FA, 7F] .text C:\Windows\Explorer.EXE[4476] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffad703181a 4 bytes [03, D7, FA, 7F] .text C:\Windows\Explorer.EXE[4476] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffad7031832 4 bytes [03, D7, FA, 7F] .text C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe[3776] C:\Windows\system32\ws2_32.dll!getpeername 00007ffad7aeef28 6 bytes {JMP QWORD [RIP-0x7feeee4e]} .text C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe[3776] C:\Windows\system32\ws2_32.dll!getsockname 00007ffad7af01b0 6 bytes {JMP QWORD [RIP-0x7fef010e]} .text C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe[3776] C:\Windows\system32\ws2_32.dll!connect + 1 00007ffad7af07f1 5 bytes {JMP QWORD [RIP-0x7fef07be]} .text C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe[3776] C:\Windows\system32\ws2_32.dll!WSAConnect 00007ffad7af69b0 6 bytes {JMP QWORD [RIP-0x7fef6946]} .text C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe[6000] C:\Windows\system32\ws2_32.dll!getpeername 00007ffad7aeef28 6 bytes {JMP QWORD [RIP-0x7feeee4e]} .text C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe[6000] C:\Windows\system32\ws2_32.dll!getsockname 00007ffad7af01b0 6 bytes {JMP QWORD [RIP-0x7fef010e]} .text C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe[6000] C:\Windows\system32\ws2_32.dll!connect + 1 00007ffad7af07f1 5 bytes {JMP QWORD [RIP-0x7fef07be]} .text C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe[6000] C:\Windows\system32\ws2_32.dll!WSAConnect 00007ffad7af69b0 6 bytes {JMP QWORD [RIP-0x7fef6946]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4256] C:\Windows\system32\ws2_32.dll!getpeername 00007ffad7aeef28 6 bytes {JMP QWORD [RIP-0x7feeee4e]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4256] C:\Windows\system32\ws2_32.dll!getsockname 00007ffad7af01b0 6 bytes {JMP QWORD [RIP-0x7fef010e]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4256] C:\Windows\system32\ws2_32.dll!connect + 1 00007ffad7af07f1 5 bytes {JMP QWORD [RIP-0x7fef07be]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4256] C:\Windows\system32\ws2_32.dll!WSAConnect 00007ffad7af69b0 6 bytes {JMP QWORD [RIP-0x7fef6946]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[456] C:\Windows\system32\ws2_32.dll!getpeername 00007ffad7aeef28 6 bytes {JMP QWORD [RIP-0x7feeee4e]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[456] C:\Windows\system32\ws2_32.dll!getsockname 00007ffad7af01b0 6 bytes {JMP QWORD [RIP-0x7fef010e]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[456] C:\Windows\system32\ws2_32.dll!connect + 1 00007ffad7af07f1 5 bytes {JMP QWORD [RIP-0x7fef07be]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[456] C:\Windows\system32\ws2_32.dll!WSAConnect 00007ffad7af69b0 6 bytes {JMP QWORD [RIP-0x7fef6946]} ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\csrss.exe [8612:7236] fffff9600099ab90 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Program Files\AVAST Software\Avast\setup\New_110208f0\aswOfferTool.exe??\??\C:\Program Files\AVAST Software\Avast\setup\New_110208f0\avBugReport.exe??\??\C:\Program Files\AVAST Software\Avast\setup\New_110208f0\AvDump32.exe??\??\C:\Program Files\AVAST Software\Avast\setup\New_110208f0\AvDump64.exe??\??\C:\Program Files\AVAST Software\Avast\setup\New_110208f0\HTMLayout.dll??\??\C:\Program Files\AVAST Software\Avast\setup\New_110208f0\Instup.dll??\??\C:\Program Files\AVAST Software\Avast\setup\New_110208f0\instup.exe??\??\C:\Program Files\AVAST Software\Avast\setup\New_110208f0\??\??\C:\Program Files\AVAST Software\Avast\setup\New_110208f0\aswOfferTool.exe??\??\C:\Program Files\AVAST Software\Avast\setup\New_110208f0\avBugReport.exe??\??\C:\Program Files\AVAST Software\Avast\setup\New_110208f0\AvDump32.exe??\??\C:\Program Files\AVAST Software\Avast\setup\New_110208f0\AvDump64.exe??\??\C:\Program Files\AVAST Software\Avast\setup\New_110208f0\HTMLayout.dll??\??\C:\Program Files\AVAST Software\Avast\setup\ Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -359476723 Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14859628626872280@SetupOperations ???#?????#?$?$?$?$?%?%?%?%?&?&???????????????:???#??????????????MoveFile("\??\c:\program files\avast software\avast\webrep\ie\templates\safeshop\safeshop.js.148207916784314","\??\c:\program files\avast software\avast\webrep\ie\templates\safeshop\safeshop.js",TRUE)?MoveFile("\??\c:\program files\avast software\avast\webrep\ie\templates\safeshop\safeshop.js.sum.148207916784314","\??\c:\program files\avast software\avast\webrep\ie\templates\safeshop\safeshop.js.sum",TRUE)?MoveFile("\??\c:\program files\avast software\avast\webrep\ie\templates\show_safeshop_toolbar.js.148207916784314","\??\c:\program files\avast software\avast\webrep\ie\templates\show_safeshop_toolbar.js",TRUE)?MoveFile("\??\c:\program files\avast software\avast\webrep\ie\templates\show_safeshop_toolbar.js.sum.148207916784314","\??\c:\program files\avast software\avast\webrep\ie\templates\show_safeshop_toolbar.js.sum",TRUE)?MoveFile("\??\c:\program files\avast software\avast\aswwebrepie.dll.148207916784314","\??\c:\program files\avast software\a Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\303a6419d88f ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----