GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-06-20 21:18:41
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HDS721010CLA332 rev.JP4OA3MA 931,51GB
Running: 88t52tef.exe; Driver: C:\Users\Admin\AppData\Local\Temp\uwddakob.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\SysWOW64\PnkBstrA.exe[1488] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000720c1a22 2 bytes [0C, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[1488] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000720c1ad0 2 bytes [0C, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[1488] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000720c1b08 2 bytes [0C, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[1488] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000720c1bba 2 bytes [0C, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[1488] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000720c1bda 2 bytes [0C, 72]
.text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[2396] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000076381465 2 bytes [38, 76]
.text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[2396] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000763814bb 2 bytes [38, 76]
.text ... * 2
.text C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe[3916] C:\Users\Admin\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0011\~df394b.tmp!?CreateDifferenceFile@CC2CDifferenceFile@@UAEGPAD00@Z 00000000667236bd 5 bytes JMP 00000001005f00b0
.text C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe[3916] C:\Users\Admin\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0011\~df394b.tmp!?RestoreOriginalFile@CC2CDifferenceFile@@UAEGPAD00@Z 0000000066723e40 5 bytes JMP 00000001005f0150
.text C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe[3916] C:\Users\Admin\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0011\~df394b.tmp!?MakeAsciiDifferenceFile@CC2CDifferenceFile@@UAEGPAD0@Z 00000000667243c1 5 bytes JMP 00000001005f0100
.text C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe[3916] C:\Users\Admin\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0011\~df394b.tmp!?LoadJumpDbFromBuffer@CJumpRun@@UAEGKPAE@Z 000000006672a952 4 bytes JMP 00000001005f03c0
.text C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe[3916] C:\Users\Admin\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0011\~df394b.tmp!?LoadJumpDbFromBuffer@CJumpRun@@UAEGKPAE@Z + 126 000000006672a9d0 13 bytes [2A, 9D, FF, 95, 2E, C4, 1E, ...]
.text C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe[3916] C:\Users\Admin\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0011\~df394b.tmp!?GetKeyData@CKeyBasic@@UAEGPAE@Z 000000006672e35f 4 bytes JMP 00000001005f0630
.text C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe[3916] C:\Users\Admin\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0011\~df394b.tmp!?PerformTransform@CTransformXor@@UAEGVCDataArea@@0@Z 000000006672ea2f 5 bytes JMP 00000001005ef970
.text C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe[3916] C:\Users\Admin\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0011\~df394b.tmp!?PerformTransform@CTransformXor@@UAEGVCDataArea@@0@Z + 768 000000006672ed2f 15 bytes [90, 6A, 23, E7, 76, 50, 88, ...]
.text C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe[3916] C:\Users\Admin\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0011\~df394b.tmp!?PerformTransform@CTransformRandomAccumulate@@UAEGVCDataArea@@0@Z 000000006672ee42 5 bytes JMP 00000001005ef700
.text C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe[3916] C:\Users\Admin\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0011\~df394b.tmp!?PerformTransform@CTransformRandomAccumulate@@UAEGVCDataArea@@0@Z + 850 000000006672f194 5 bytes JMP 00000001005ea050
.text C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe[3916] C:\Users\Admin\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0011\~df394b.tmp!?LoadModuleDetails@CModuleMonitor@@QAEGPAD@Z 0000000066733ce7 5 bytes JMP 00000001005ef220
.text C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe[3916] C:\Users\Admin\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0011\~df394b.tmp!?ScanModule@CModuleMonitor@@QAEGKG@Z 00000000667342f0 5 bytes JMP 00000001005ef490
.text C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe[3916] C:\Users\Admin\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0011\~df394b.tmp!?IsModuleChecksumOkay@CModuleMonitor@@QAEGXZ 0000000066734a23 5 bytes JMP 00000001005f0b10
.text C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe[3916] C:\Users\Admin\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0011\~df394b.tmp!?IsModuleWithinLimits@CModuleMonitor@@QAEGKKK@Z 0000000066734a59 5 bytes JMP 00000001005f0da0
.text C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe[3916] C:\Users\Admin\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0011\~df394b.tmp!?SetupInterruptHandler@CAltAsc@@QAEGPAX00PAK1@Z 00000000667590d5 4 bytes JMP 00000001005f0010
.text C:\Program Files (x86)\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe[3916] C:\Users\Admin\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0011\~df394b.tmp!?RestoreInterruptHandler@CAltAsc@@QAEGXZ 0000000066759569 4 bytes JMP 00000001005f1300
.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[4036] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076381465 2 bytes [38, 76]
.text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[4036] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763814bb 2 bytes [38, 76]
.text ... * 2
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076381465 2 bytes [38, 76]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763814bb 2 bytes [38, 76]
.text ... * 2
.text C:\Users\Admin\Desktop\OTL.exe[604] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000076381465 2 bytes [38, 76]
.text C:\Users\Admin\Desktop\OTL.exe[604] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000763814bb 2 bytes [38, 76]
.text ... * 2

---- Threads - GMER 2.1 ----

Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5092:2488] 000007fefadd2a7c
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5092:3204] 000007feef3cd618
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5092:1936] 000007fef8885124

---- EOF - GMER 2.1 ----