GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-07-14 09:42:50 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HM321HI rev.2AJ10002 298,09GB Running: f6yidp5c.exe; Driver: C:\Users\Anicia\AppData\Local\Temp\fwddakog.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2208] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077241401 2 bytes JMP 758eb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2208] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077241419 2 bytes JMP 758eb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077241431 2 bytes JMP 759690f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007724144a 2 bytes CALL 758c48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2208] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000772414dd 2 bytes JMP 759689ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2208] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000772414f5 2 bytes JMP 75968bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2208] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007724150d 2 bytes JMP 759688e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2208] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077241525 2 bytes JMP 75968caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2208] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007724153d 2 bytes JMP 758dfce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2208] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077241555 2 bytes JMP 758e6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2208] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007724156d 2 bytes JMP 759691a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2208] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077241585 2 bytes JMP 75968d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2208] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007724159d 2 bytes JMP 759688a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2208] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000772415b5 2 bytes JMP 758dfd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2208] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000772415cd 2 bytes JMP 758eb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2208] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000772416b2 2 bytes JMP 7596906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2208] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000772416bd 2 bytes JMP 75968839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077241401 2 bytes JMP 758eb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2780] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077241419 2 bytes JMP 758eb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077241431 2 bytes JMP 759690f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007724144a 2 bytes CALL 758c48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2780] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000772414dd 2 bytes JMP 759689ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000772414f5 2 bytes JMP 75968bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2780] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007724150d 2 bytes JMP 759688e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077241525 2 bytes JMP 75968caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007724153d 2 bytes JMP 758dfce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2780] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077241555 2 bytes JMP 758e6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007724156d 2 bytes JMP 759691a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077241585 2 bytes JMP 75968d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2780] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007724159d 2 bytes JMP 759688a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000772415b5 2 bytes JMP 758dfd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000772415cd 2 bytes JMP 758eb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000772416b2 2 bytes JMP 7596906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000772416bd 2 bytes JMP 75968839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077241401 2 bytes JMP 758eb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2872] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077241419 2 bytes JMP 758eb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077241431 2 bytes JMP 759690f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007724144a 2 bytes CALL 758c48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2872] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000772414dd 2 bytes JMP 759689ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000772414f5 2 bytes JMP 75968bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2872] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007724150d 2 bytes JMP 759688e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077241525 2 bytes JMP 75968caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007724153d 2 bytes JMP 758dfce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2872] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077241555 2 bytes JMP 758e6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007724156d 2 bytes JMP 759691a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077241585 2 bytes JMP 75968d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2872] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007724159d 2 bytes JMP 759688a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000772415b5 2 bytes JMP 758dfd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000772415cd 2 bytes JMP 758eb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000772416b2 2 bytes JMP 7596906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2872] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000772416bd 2 bytes JMP 75968839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4816] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000758c8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\001bb1149aa7 (not active ControlSet) Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb1149aa7 Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\001bb1149aa7 (not active ControlSet) ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.2 ---- File C:\FRST 0 bytes File C:\FRST\Hives 0 bytes File C:\FRST\Hives\BCD 32768 bytes File C:\FRST\Hives\COMPONENTS 49512448 bytes File C:\FRST\Hives\DEFAULT 299008 bytes File C:\FRST\Hives\ERDNT.CON 947 bytes File C:\FRST\Hives\ERDNT.EXE 163328 bytes executable File C:\FRST\Hives\ERDNT.INF 926 bytes File C:\FRST\Hives\ERDNTDOS.LOC 2815 bytes File C:\FRST\Hives\ERDNTWIN.LOC 3275 bytes File C:\FRST\Hives\SAM 61440 bytes File C:\FRST\Hives\SECURITY 24576 bytes File C:\FRST\Hives\SOFTWARE 97579008 bytes File C:\FRST\Hives\SYSTEM 25526272 bytes File C:\FRST\Hives\Users 0 bytes File C:\FRST\Hives\Users\00000001 0 bytes File C:\FRST\Hives\Users\00000001\NTUSER.DAT 4177920 bytes File C:\FRST\Hives\Users\00000002 0 bytes File C:\FRST\Hives\Users\00000002\UsrClass.dat 4849664 bytes File C:\FRST\Logs 0 bytes File C:\FRST\Quarantine 0 bytes File C:\FRST\users00 118 bytes ---- EOF - GMER 2.2 ----