GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-27 14:17:37
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\0000001f  rev. 0,00MB
Running: m8cxgv6y.exe; Driver: C:\Users\Karolina\AppData\Local\Temp\pxrdypoc.sys


---- Kernel code sections - GMER 2.1 ----

.text    C:\WINDOWS\System32\win32k.sys!W32pServiceTable                                                                                                                             fffff9600011a200 15 bytes [00, 65, F4, 01, 80, 7D, 6A, ...]
.text    C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 17                                                                                                                        fffff9600011a211 10 bytes [F3, FB, FF, 00, 17, C7, 00, ...]

---- User code sections - GMER 2.1 ----

.text    C:\WINDOWS\system32\services.exe[816] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165                                                                                 00007ffa5690553d 1 byte [62]
.text    C:\WINDOWS\system32\svchost.exe[644] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165                                                                                  00007ffa5690553d 1 byte [62]
.text    C:\WINDOWS\Explorer.EXE[1556] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165                                                                                         00007ffa5690553d 1 byte [62]
.text    C:\WINDOWS\system32\SearchIndexer.exe[3256] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165                                                                           00007ffa5690553d 1 byte [62]
.text    C:\WINDOWS\system32\AUDIODG.EXE[940] C:\WINDOWS\SYSTEM32\KERNEL32.DLL!GetBinaryTypeW + 165                                                                                  00007ffa5690553d 1 byte [62]

---- Threads - GMER 2.1 ----

Thread   C:\WINDOWS\system32\csrss.exe [740:764]                                                                                                                                     fffff96000944b90
Thread   C:\WINDOWS\system32\svchost.exe [912:1020]                                                                                                                                  00007ffa543b1c74
Thread   C:\WINDOWS\System32\svchost.exe [480:1140]                                                                                                                                  00007ffa50f51420
Thread   C:\WINDOWS\System32\svchost.exe [480:1216]                                                                                                                                  00007ffa50611ed0
Thread   C:\WINDOWS\System32\svchost.exe [480:1228]                                                                                                                                  00007ffa5059e840
Thread   C:\WINDOWS\System32\svchost.exe [480:1232]                                                                                                                                  00007ffa504be160
Thread   C:\WINDOWS\System32\svchost.exe [480:1284]                                                                                                                                  00007ffa4f4aed18
Thread   C:\WINDOWS\System32\svchost.exe [480:1288]                                                                                                                                  00007ffa50514960
Thread   C:\WINDOWS\System32\svchost.exe [480:2096]                                                                                                                                  00007ffa34286dd0
Thread   C:\WINDOWS\System32\svchost.exe [480:3372]                                                                                                                                  00007ffa34284f30
Thread   C:\WINDOWS\system32\svchost.exe [644:1628]                                                                                                                                  00007ffa4e1216fc
Thread   C:\WINDOWS\system32\svchost.exe [644:1632]                                                                                                                                  00007ffa4e001ee0
Thread   C:\WINDOWS\system32\svchost.exe [644:2916]                                                                                                                                  00007ffa54993cbc
Thread   C:\WINDOWS\system32\svchost.exe [644:3144]                                                                                                                                  00007ffa4857c300
Thread   C:\WINDOWS\system32\svchost.exe [644:3156]                                                                                                                                  00007ffa54993cbc
Thread   C:\WINDOWS\system32\svchost.exe [644:3172]                                                                                                                                  00007ffa4f571b40
Thread   C:\WINDOWS\system32\svchost.exe [644:3960]                                                                                                                                  00007ffa4b795340
Thread   C:\WINDOWS\system32\svchost.exe [644:4828]                                                                                                                                  00007ffa48a31e04
Thread   C:\WINDOWS\system32\svchost.exe [644:4836]                                                                                                                                  00007ffa48a31e04
Thread   C:\WINDOWS\system32\svchost.exe [644:4940]                                                                                                                                  00007ffa38f96cb4
Thread   C:\WINDOWS\system32\svchost.exe [644:4948]                                                                                                                                  00007ffa4eae15a0
Thread   C:\WINDOWS\system32\svchost.exe [644:4956]                                                                                                                                  00007ffa4eae15a0
Thread   C:\WINDOWS\system32\svchost.exe [644:2888]                                                                                                                                  00007ffa45cb38e0
Thread   C:\WINDOWS\system32\svchost.exe [644:7164]                                                                                                                                  00007ffa4e9810e0
Thread   C:\WINDOWS\system32\svchost.exe [644:6060]                                                                                                                                  00007ffa48b87ac0
Thread   C:\WINDOWS\system32\svchost.exe [828:1092]                                                                                                                                  00007ffa51493fd8
Thread   C:\WINDOWS\system32\svchost.exe [828:1096]                                                                                                                                  00007ffa514a5920
Thread   C:\WINDOWS\system32\svchost.exe [828:3424]                                                                                                                                  00007ffa474a0b50
Thread   C:\WINDOWS\system32\svchost.exe [828:3428]                                                                                                                                  00007ffa4749c574
Thread   C:\WINDOWS\system32\svchost.exe [828:3432]                                                                                                                                  00007ffa4749f55c
Thread   C:\WINDOWS\system32\svchost.exe [828:3436]                                                                                                                                  00007ffa474a1674
Thread   C:\WINDOWS\system32\svchost.exe [828:3440]                                                                                                                                  00007ffa47497490
Thread   C:\WINDOWS\system32\svchost.exe [828:3536]                                                                                                                                  00007ffa4749d5a0
Thread   C:\WINDOWS\system32\svchost.exe [828:3568]                                                                                                                                  00007ffa470716b8
Thread   C:\WINDOWS\system32\svchost.exe [828:1332]                                                                                                                                  00007ffa46fdab50
Thread   C:\WINDOWS\system32\svchost.exe [828:2324]                                                                                                                                  00007ffa46fdaeb0
Thread   C:\WINDOWS\System32\svchost.exe [1060:1280]                                                                                                                                 00007ffa4f486f04
Thread   C:\WINDOWS\System32\svchost.exe [1060:1356]                                                                                                                                 00007ffa54993cbc
Thread   C:\WINDOWS\System32\svchost.exe [1060:1496]                                                                                                                                 00007ffa4bab149c
Thread   C:\WINDOWS\System32\svchost.exe [1060:1500]                                                                                                                                 00007ffa4bab2d90
Thread   C:\WINDOWS\System32\svchost.exe [1060:3340]                                                                                                                                 00007ffa4ba936f8
Thread   C:\WINDOWS\System32\svchost.exe [1060:6568]                                                                                                                                 00007ffa558bad30
Thread   C:\WINDOWS\system32\svchost.exe [1220:260]                                                                                                                                  00007ffa4bb1d0f0
Thread   C:\WINDOWS\system32\svchost.exe [1220:2708]                                                                                                                                 00007ffa4b795340
Thread   C:\WINDOWS\system32\svchost.exe [1220:4912]                                                                                                                                 00007ffa4d4e4b30
Thread   C:\WINDOWS\Explorer.EXE [1556:2772]                                                                                                                                         00007ffa4a841e40
Thread   C:\WINDOWS\Explorer.EXE [1556:1312]                                                                                                                                         0000000068491b80
Thread   C:\WINDOWS\Explorer.EXE [1556:1108]                                                                                                                                         00007ffa48c86220
Thread   C:\WINDOWS\Explorer.EXE [1556:2540]                                                                                                                                         00007ffa342bd73c
Thread   C:\WINDOWS\Explorer.EXE [1556:6084]                                                                                                                                         00007ffa4bb82774
Thread   C:\WINDOWS\Explorer.EXE [1556:5204]                                                                                                                                         00007ffa2fcfd73c
Thread   C:\WINDOWS\Explorer.EXE [1556:5920]                                                                                                                                         00007ffa4dc2d73c
Thread   C:\WINDOWS\Explorer.EXE [1556:4248]                                                                                                                                         00007ffa3685d73c
Thread   C:\WINDOWS\Explorer.EXE [1556:3976]                                                                                                                                         00007ffa4e9bd73c
Thread   C:\WINDOWS\Explorer.EXE [1556:4920]                                                                                                                                         00007ffa43d48cd4
Thread   C:\WINDOWS\Explorer.EXE [1556:2444]                                                                                                                                         00007ffa558bad30
Thread   C:\WINDOWS\System32\spoolsv.exe [1668:1704]                                                                                                                                 00007ffa55c081b0
Thread   C:\WINDOWS\System32\spoolsv.exe [1668:1796]                                                                                                                                 00007ffa345c12f8
Thread   C:\WINDOWS\System32\spoolsv.exe [1668:3240]                                                                                                                                 00007ffa34b33118
Thread   C:\WINDOWS\System32\spoolsv.exe [1668:5168]                                                                                                                                 00007ffa34935b3c
Thread   C:\WINDOWS\System32\spoolsv.exe [1668:5184]                                                                                                                                 00007ffa34999838
Thread   C:\WINDOWS\system32\svchost.exe [1756:1204]                                                                                                                                 00007ffa4d442b90
Thread   C:\WINDOWS\system32\svchost.exe [1756:3408]                                                                                                                                 00007ffa4d4467bc
Thread   C:\WINDOWS\system32\svchost.exe [1756:3632]                                                                                                                                 00007ffa41ea4608
Thread   C:\WINDOWS\system32\svchost.exe [1756:3668]                                                                                                                                 00007ffa43ce2110
Thread   C:\WINDOWS\system32\svchost.exe [1756:3664]                                                                                                                                 00007ffa41db1584
Thread   C:\WINDOWS\system32\svchost.exe [1756:2296]                                                                                                                                 00007ffa41d31b40
Thread   C:\WINDOWS\system32\svchost.exe [1756:3680]                                                                                                                                 00007ffa41ea1040
Thread   C:\WINDOWS\system32\svchost.exe [3364:2736]                                                                                                                                 00007ffa4d00cef0
Thread   C:\WINDOWS\system32\svchost.exe [3364:2728]                                                                                                                                 00007ffa4d00cfbc
Thread   C:\WINDOWS\system32\svchost.exe [3364:3112]                                                                                                                                 00007ffa30418490
Thread   C:\WINDOWS\system32\svchost.exe [3364:1804]                                                                                                                                 00007ffa3045a12c
Thread   C:\WINDOWS\system32\svchost.exe [3364:5804]                                                                                                                                 00007ffa3045a12c
Thread   C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [3416:3992]                                                                                         00007ffa464081f4
Thread   C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [3416:4000]                                                                                         00007ffa462cbdf4
Thread   C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [3416:3660]                                                                                         00007ffa462cbdf4
Thread   C:\Program Files\Samsung\Support Center\GuaranaAgent.exe [3604:6072]                                                                                                        00007ffa4bb82774
Thread   C:\WINDOWS\system32\taskhost.exe [5244:4796]                                                                                                                                00007ffa4ace7354
Thread   C:\WINDOWS\system32\taskhost.exe [5244:1680]                                                                                                                                00007ffa4d4e4b30
Thread   C:\WINDOWS\system32\taskhost.exe [5244:5152]                                                                                                                                00007ffa4d4e4b30
Thread   C:\WINDOWS\system32\taskhost.exe [5244:5180]                                                                                                                                00007ffa4d4e4b30
Thread   C:\WINDOWS\system32\taskhost.exe [5244:4592]                                                                                                                                00007ffa4acf1ae0
Thread   C:\WINDOWS\system32\taskhost.exe [5244:3652]                                                                                                                                00007ffa4ad104d4
Thread   C:\WINDOWS\system32\taskhost.exe [5244:3472]                                                                                                                                00007ffa4ace5324
Thread   C:\WINDOWS\system32\taskhost.exe [5244:4848]                                                                                                                                00007ffa4acf2264
Thread   C:\Program Files (x86)\Rock Turner\bin\RockTurner.BOAS.exe [1868:5700]                                                                                                      000000006adacf50
Thread   C:\Program Files (x86)\Rock Turner\bin\RockTurner.BOAS.exe [1868:5592]                                                                                                      000000006adacf50
Thread   C:\Program Files (x86)\Rock Turner\bin\RockTurner.BOAS.exe [1868:5612]                                                                                                      000000006af6d5d0
Thread   C:\Program Files (x86)\Rock Turner\bin\RockTurner.BOAS.exe [1868:2920]                                                                                                      0000000077014b50
Thread   C:\Program Files (x86)\Rock Turner\bin\RockTurner.BrowserAdapter64.exe [4696:3556]                                                                                          00007ffa3ce153e0
Thread   C:\Program Files (x86)\Rock Turner\bin\RockTurner.BrowserAdapter64.exe [4696:3968]                                                                                          00007ffa3ce153e0
Thread   C:\Program Files (x86)\Rock Turner\bin\RockTurner.BrowserAdapter64.exe [4696:6460]                                                                                          00007ffa3ccac1d0

---- Processes - GMER 2.1 ----

Process  C:\Users\Karolina\AppData\Local\tapeciarnia\tapeciarnia.exe (*** suspicious ***) @ C:\Users\Karolina\AppData\Local\tapeciarnia\tapeciarnia.exe [4456](2014-03-08 11:52:52)  0000000000400000

---- Disk sectors - GMER 2.1 ----

Disk     \Device\Harddisk0\DR0                                                                                                                                                       unknown MBR code
Disk     \Device\Harddisk0\DR0                                                                                                                                                       sector 0: rootkit-like behavior

---- EOF - GMER 2.1 ----
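A small triage script, added here and not part of GMER or of this log, that splits the format above into its sections and pulls out the entries a responder acts on: kernel-mode code patches, user-mode patches grouped by target export and address across processes (identical bytes at the same address in every listed process are one thing to check against the on-disk module, not five separate findings), processes GMER marks `*** suspicious ***`, and disk-sector flags. The regular expressions are derived from the line layouts in this log only; any other section GMER writes is kept as raw lines under its section name. The embedded input is a constructed, abridged copy of the scan above. A GMER hit is a lead, not a verdict: check the signature and hash of anything it names before acting on it.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the scan above, in the layout GMER 2.1 writes
# (header lines, "---- <Section> - GMER 2.1 ----" dividers, one finding per line).
SAMPLE_LOG = r"""GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-27 14:17:37
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\0000001f  rev. 0,00MB

---- Kernel code sections - GMER 2.1 ----

.text    C:\WINDOWS\System32\win32k.sys!W32pServiceTable    fffff9600011a200 15 bytes [00, 65, F4, 01, 80, 7D, 6A, ...]

---- User code sections - GMER 2.1 ----

.text    C:\WINDOWS\system32\services.exe[816] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165    00007ffa5690553d 1 byte [62]
.text    C:\WINDOWS\system32\svchost.exe[644] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165    00007ffa5690553d 1 byte [62]

---- Processes - GMER 2.1 ----

Process  C:\Users\Karolina\AppData\Local\tapeciarnia\tapeciarnia.exe (*** suspicious ***) @ C:\Users\Karolina\AppData\Local\tapeciarnia\tapeciarnia.exe [4456](2014-03-08 11:52:52)  0000000000400000

---- Disk sectors - GMER 2.1 ----

Disk     \Device\Harddisk0\DR0    unknown MBR code
Disk     \Device\Harddisk0\DR0    sector 0: rootkit-like behavior

---- EOF - GMER 2.1 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# ".text <location> <16-hex address> <n> byte(s) [<patched bytes>]"
CODE_RE = re.compile(
    r"^\.text\s+(?P<where>.+?)\s+(?P<addr>[0-9a-f]{16})\s+(?P<n>\d+) bytes?\s+\[(?P<bytes>[^\]]*)\]$"
)
# user-mode location: "<process path>[<pid>] <module!export + offset>"
PROC_RE = re.compile(r"^(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<target>.+)$")
SUSP_RE = re.compile(r"^Process\s+(?P<path>.+?) \(\*\*\* suspicious \*\*\*\)")
DISK_RE = re.compile(r"^Disk\s+(?P<dev>\S+)\s+(?P<flag>.+)$")


def parse_sections(text):
    """Split a GMER log into {section name: [non-blank entry lines]}.
    Lines before the first divider go under "Header"; the EOF divider ends parsing."""
    sections = defaultdict(list)
    current = "Header"
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("name") == "EOF":
                break
            current = m.group("name")
            continue
        sections[current].append(line.rstrip())
    return dict(sections)


def triage(text):
    """Pull the actionable entries out of a GMER log.

    Returns a dict with:
      kernel_patches        [(location, address, patched byte count)]
      user_patches          {(target, address, bytes): [(exe name, pid), ...]}
      suspicious_processes  [image path]
      disk_flags            [(device, flag text)]
    """
    sections = parse_sections(text)
    result = {"kernel_patches": [], "user_patches": {}, "suspicious_processes": [], "disk_flags": []}

    for line in sections.get("Kernel code sections", []):
        m = CODE_RE.match(line)
        if m:
            result["kernel_patches"].append((m.group("where"), m.group("addr"), int(m.group("n"))))

    # Group user-mode patches by (export, address, bytes) so the same modification seen
    # from many processes is reported once, with the list of processes that show it.
    grouped = defaultdict(list)
    for line in sections.get("User code sections", []):
        m = CODE_RE.match(line)
        pm = PROC_RE.match(m.group("where")) if m else None
        if not pm:
            continue
        exe = pm.group("proc").rsplit("\\", 1)[-1]
        grouped[(pm.group("target"), m.group("addr"), m.group("bytes"))].append((exe, int(pm.group("pid"))))
    result["user_patches"] = dict(grouped)

    for line in sections.get("Processes", []):
        m = SUSP_RE.match(line)
        if m:
            result["suspicious_processes"].append(m.group("path"))

    for line in sections.get("Disk sectors", []):
        m = DISK_RE.match(line)
        if m:
            result["disk_flags"].append((m.group("dev"), m.group("flag")))
    return result


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

Run it against a saved log with `triage(open("gmer.log", encoding="utf-8", errors="replace").read())`; GMER writes the file in the user's locale, which is why the header above shows `0,00MB`.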
