GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-08-05 11:37:34 Windows 6.0.6000 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 TOSHIBA_MK6034GSX rev.AH105B 55,89GB Running: 0hqdq3c3.exe; Driver: C:\Users\user\AppData\Local\Temp\kxtdapob.sys ---- User code sections - GMER 2.1 ---- .text C:\Users\user\AppData\Roaming\Web Cake\WebCakeDesktop.exe[116] USER32.dll!DialogBoxParamW 76BE129F 5 Bytes JMP 75784760 c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll .text C:\Program Files\Skype\Phone\Skype.exe[252] USER32.dll!DialogBoxParamW 76BE129F 5 Bytes JMP 75784760 c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll .text C:\Windows\system32\svchost.exe[384] USER32.dll!DialogBoxParamW 76BE129F 5 Bytes JMP 75784760 c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll .text C:\Windows\system32\wininit.exe[452] USER32.dll!DialogBoxParamW 76BE129F 5 Bytes JMP 75784760 c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll .text C:\Windows\system32\winlogon.exe[492] USER32.dll!DialogBoxParamW 76BE129F 5 Bytes JMP 75784760 c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll .text ... ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\svchost.exe[384] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [7578A1F0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\svchost.exe[384] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7578A190] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\winlogon.exe[492] @ C:\Windows\system32\winlogon.exe [KERNEL32.dll!LoadLibraryW] [7578A240] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\winlogon.exe[492] @ C:\Windows\system32\winlogon.exe [KERNEL32.dll!LoadLibraryA] [7578A1F0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\winlogon.exe[492] @ C:\Windows\system32\winlogon.exe [ntdll.dll!NtClose] [7578E290] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\winlogon.exe[492] @ C:\Windows\system32\winlogon.exe [ntdll.dll!NtOpenFile] [7578A3B0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\winlogon.exe[492] @ C:\Windows\system32\winlogon.exe [ntdll.dll!NtOpenKey] [7578E1D0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\winlogon.exe[492] @ C:\Windows\system32\winlogon.exe [ntdll.dll!NtEnumerateKey] [7578DFA0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\winlogon.exe[492] @ C:\Windows\system32\winlogon.exe [ntdll.dll!NtQueryKey] [75789A70] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\winlogon.exe[492] @ C:\Windows\system32\winlogon.exe [ntdll.dll!NtCreateKey] [7578E160] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\winlogon.exe[492] @ C:\Windows\system32\winlogon.exe [ntdll.dll!NtDeleteValueKey] [7578E360] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\winlogon.exe[492] @ C:\Windows\system32\winlogon.exe [ntdll.dll!NtQueryValueKey] [7578E080] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\winlogon.exe[492] @ C:\Windows\system32\winlogon.exe [ntdll.dll!NtSetValueKey] [7578E0F0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\winlogon.exe[492] @ C:\Windows\system32\winlogon.exe [ntdll.dll!NtDeleteKey] [7578E310] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\services.exe[540] @ C:\Windows\system32\services.exe [KERNEL32.dll!LoadLibraryW] [7578A240] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\services.exe[540] @ C:\Windows\system32\services.exe [KERNEL32.dll!LoadLibraryA] [7578A1F0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\services.exe[540] @ C:\Windows\system32\services.exe [ntdll.dll!NtSetInformationFile] [7578A560] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\services.exe[540] @ C:\Windows\system32\services.exe [ntdll.dll!NtQueryInformationFile] [75789AB0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\services.exe[540] @ C:\Windows\system32\services.exe [ntdll.dll!NtDeleteFile] [7578A510] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\services.exe[540] @ C:\Windows\system32\services.exe [ntdll.dll!NtDeleteKey] [7578E310] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\services.exe[540] @ C:\Windows\system32\services.exe [ntdll.dll!NtOpenKey] [7578E1D0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\services.exe[540] @ C:\Windows\system32\services.exe [ntdll.dll!NtEnumerateKey] [7578DFA0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\services.exe[540] @ C:\Windows\system32\services.exe [ntdll.dll!NtDeleteValueKey] [7578E360] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\services.exe[540] @ C:\Windows\system32\services.exe [ntdll.dll!NtSetValueKey] [7578E0F0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\services.exe[540] @ C:\Windows\system32\services.exe [ntdll.dll!NtQueryValueKey] [7578E080] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\services.exe[540] @ C:\Windows\system32\services.exe [ntdll.dll!NtCreateKey] [7578E160] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\services.exe[540] @ C:\Windows\system32\services.exe [ntdll.dll!NtOpenFile] [7578A3B0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\services.exe[540] @ C:\Windows\system32\services.exe [ntdll.dll!NtQueryKey] [75789A70] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\services.exe[540] @ C:\Windows\system32\services.exe [ntdll.dll!NtClose] [7578E290] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\svchost.exe[708] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [7578A1F0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\svchost.exe[708] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7578A190] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\svchost.exe[756] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [7578A1F0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\svchost.exe[756] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7578A190] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\System32\svchost.exe[840] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] [7578A1F0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\System32\svchost.exe[840] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7578A190] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\System32\svchost.exe[912] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] [7578A1F0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\System32\svchost.exe[912] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7578A190] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\svchost.exe[932] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [7578A1F0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\svchost.exe[932] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7578A190] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\svchost.exe[1100] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [7578A1F0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\svchost.exe[1100] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7578A190] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\svchost.exe[1292] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [7578A1F0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\svchost.exe[1292] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7578A190] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\Explorer.EXE[1540] @ C:\Windows\Explorer.EXE [KERNEL32.dll!LoadLibraryA] [7578A1F0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\Explorer.EXE[1540] @ C:\Windows\Explorer.EXE [KERNEL32.dll!LoadLibraryW] [7578A240] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\Explorer.EXE[1540] @ C:\Windows\Explorer.EXE [ntdll.dll!NtClose] [7578E290] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\svchost.exe[1684] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [7578A1F0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\svchost.exe[1684] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7578A190] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\svchost.exe[1908] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [7578A1F0] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll IAT C:\Windows\system32\svchost.exe[1908] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7578A190] c:\progra~2\browse~1\261519~1.190\{c16c1~1\browse~1.dll ---- Processes - GMER 2.1 ---- Process (*** hidden *** ) [4] 8322ED58 ---- EOF - GMER 2.1 ----