GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-06-18 09:36:37 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000DM003-9YN162 rev.CC4C 931,51GB Running: sjyj86r5.exe; Driver: C:\Users\DOBRYN~1\AppData\Local\Temp\fxlcyfob.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3364] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074dfcfca 5 bytes JMP 0000000173474970 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3364] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750d1465 2 bytes [0D, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3364] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750d14bb 2 bytes [0D, 75] .text ... * 2 .text C:\Users\dobryn duzy 1\AppData\Roaming\WebCake\WebCakeDesktop.exe[3376] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074dfcfca 5 bytes JMP 0000000173474970 .text C:\Users\dobryn duzy 1\AppData\Roaming\WebCake\WebCakeDesktop.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750d1465 2 bytes [0D, 75] .text C:\Users\dobryn duzy 1\AppData\Roaming\WebCake\WebCakeDesktop.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750d14bb 2 bytes [0D, 75] .text ... * 2 .text C:\ProgramData\BrowserDefender\2.6.1339.144\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.exe[3424] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074dfcfca 5 bytes JMP 0000000173474970 .text C:\ProgramData\BrowserDefender\2.6.1339.144\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.exe[3424] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750d1465 2 bytes [0D, 75] .text C:\ProgramData\BrowserDefender\2.6.1339.144\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.exe[3424] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750d14bb 2 bytes [0D, 75] .text ... * 2 .text C:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe[3460] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074dfcfca 5 bytes JMP 0000000173474970 .text C:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe[3460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750d1465 2 bytes [0D, 75] .text C:\Program Files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe[3460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750d14bb 2 bytes [0D, 75] .text ... * 2 .text C:\Program Files (x86)\KONICA MINOLTA\FTP Utility\KMFtp.exe[3492] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074dfcfca 5 bytes JMP 0000000173474970 .text C:\Program Files (x86)\KONICA MINOLTA\FTP Utility\KMFtp.exe[3492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750d1465 2 bytes [0D, 75] .text C:\Program Files (x86)\KONICA MINOLTA\FTP Utility\KMFtp.exe[3492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750d14bb 2 bytes [0D, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3596] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074dfcfca 5 bytes JMP 0000000173474970 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750d1465 2 bytes [0D, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750d14bb 2 bytes [0D, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3604] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074dfcfca 5 bytes JMP 0000000173474970 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750d1465 2 bytes [0D, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750d14bb 2 bytes [0D, 75] .text ... * 2 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3756] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074dfcfca 5 bytes JMP 0000000173474970 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750d1465 2 bytes [0D, 75] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe[3756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750d14bb 2 bytes [0D, 75] .text ... * 2 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3816] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074dfcfca 5 bytes JMP 0000000173474970 .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750d1465 2 bytes [0D, 75] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750d14bb 2 bytes [0D, 75] .text ... * 2 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[904] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074dfcfca 5 bytes JMP 0000000173474970 .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[904] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750d1465 2 bytes [0D, 75] .text C:\Windows\sysWOW64\wbem\wmiprvse.exe[904] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750d14bb 2 bytes [0D, 75] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\IELowutil.exe[4724] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074dfcfca 5 bytes JMP 0000000173474970 .text C:\Program Files (x86)\Internet Explorer\IELowutil.exe[4724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750d1465 2 bytes [0D, 75] .text C:\Program Files (x86)\Internet Explorer\IELowutil.exe[4724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750d14bb 2 bytes [0D, 75] .text ... * 2 .text F:\sjyj86r5.exe[4136] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074dfcfca 5 bytes JMP 0000000173474970 .text F:\sjyj86r5.exe[4136] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750d1465 2 bytes [0D, 75] .text F:\sjyj86r5.exe[4136] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750d14bb 2 bytes [0D, 75] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [328:2108] 000007fef643506c Thread C:\Windows\system32\svchost.exe [328:3960] 000007fefa9e4164 Thread C:\Windows\system32\svchost.exe [328:4320] 000007fefa9a1ab0 Thread C:\Windows\System32\spoolsv.exe [1292:2336] 000007fef79e10c8 Thread C:\Windows\System32\spoolsv.exe [1292:2340] 000007fef79a6144 Thread C:\Windows\System32\spoolsv.exe [1292:2348] 000007fef7795fd0 Thread C:\Windows\System32\spoolsv.exe [1292:2352] 000007fef7783438 Thread C:\Windows\System32\spoolsv.exe [1292:2356] 000007fef77963ec Thread C:\Windows\System32\spoolsv.exe [1292:2360] 000007fef7783438 Thread C:\Windows\System32\spoolsv.exe [1292:2364] 000007fef77963ec Thread C:\Windows\System32\spoolsv.exe [1292:2372] 000007fef7c75e5c Thread C:\Windows\System32\spoolsv.exe [1292:2376] 000007fef7ca5074 Thread C:\Windows\System32\spoolsv.exe [1292:2600] 000007fef7d12288 Thread C:\Windows\System32\spoolsv.exe [1292:2648] 000007fef7c38760 Thread C:\Windows\system32\svchost.exe [1792:1976] 000007fef9156b40 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1944:2308] 000007fefaef2a7c ---- EOF - GMER 2.1 ----