GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-02-15 16:01:55 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 HGST_HTS725050A7E630 rev.GH2OA420 465,76GB Running: p7jxi5hq.exe; Driver: C:\Users\Marek\AppData\Local\Temp\kwddikog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002db0000 45 bytes [00, 00, 15, 02, 46, 69, 6C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff80002db002f 16 bytes [00, 30, 3B, D5, 02, 80, FA, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Windows\system32\services.exe[612] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[740] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[880] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[928] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Windows\System32\svchost.exe[968] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1004] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[288] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[328] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1188] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1540] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1664] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007769a2ba 1 byte [62] .text C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1816] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007769a2ba 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1836] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007769a2ba 1 byte [62] .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2044] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007769a2ba 1 byte [62] .text C:\Windows\system32\svchost.exe[1396] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[2224] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[2432] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Windows\Explorer.EXE[2852] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2228] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007769a2ba 1 byte [62] .text C:\Windows\System32\rundll32.exe[2944] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3636] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4000] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Program Files\Elantech\ETDCtrl.exe[3892] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Windows\System32\wscript.exe[3632] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Windows\System32\wscript.exe[1344] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Program Files (x86)\Overwolf\Overwolf.exe[3848] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007769a2ba 1 byte [62] .text C:\Program Files (x86)\Overwolf\Overwolf.exe[3848] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000778178e2 5 bytes JMP 00000001654a8c80 .text C:\Program Files (x86)\Overwolf\Overwolf.exe[3848] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000077820dfb 5 bytes JMP 00000001654a8dc0 .text C:\Program Files (x86)\Overwolf\Overwolf.exe[3848] C:\Windows\syswow64\USER32.dll!GetCursorPos 0000000077821218 5 bytes JMP 00000001654a8a60 .text C:\Program Files (x86)\Overwolf\Overwolf.exe[3848] C:\Windows\syswow64\USER32.dll!UpdateLayeredWindowIndirect 00000000778228da 5 bytes JMP 00000001654a86f0 .text C:\Program Files (x86)\Overwolf\Overwolf.exe[3848] C:\Windows\syswow64\USER32.dll!WindowFromPoint 000000007783ed12 5 bytes JMP 00000001654a88c0 .text C:\Program Files (x86)\Overwolf\Overwolf.exe[3848] C:\Windows\syswow64\USER32.dll!AttachThreadInput 000000007783f188 5 bytes JMP 00000001654a9e80 .text C:\Program Files (x86)\Overwolf\Overwolf.exe[3848] C:\Windows\syswow64\shell32.dll!ShellExecuteW 0000000076273c31 5 bytes JMP 00000001654a9c50 .text C:\Program Files (x86)\Overwolf\Overwolf.exe[3848] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000076021465 2 bytes [02, 76] .text C:\Program Files (x86)\Overwolf\Overwolf.exe[3848] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000760214bb 2 bytes [02, 76] .text ... * 2 .text C:\Program Files (x86)\Overwolf\Overwolf.exe[3848] C:\Windows\syswow64\COMDLG32.dll!GetOpenFileNameW 00000000774ea2d5 5 bytes JMP 00000001654a98f0 .text C:\Program Files (x86)\Overwolf\Overwolf.exe[3848] C:\Windows\syswow64\COMDLG32.dll!GetSaveFileNameW 00000000774ea36e 5 bytes JMP 00000001654a9aa0 .text C:\Windows\System32\wscript.exe[3932] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Windows\System32\wscript.exe[4080] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Program Files (x86)\Dtella@MS\dtella.exe[3440] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007769a2ba 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[3604] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1140] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007769a2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3284] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007769a2ba 1 byte [62] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4820] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Overwolf\OverwolfHelper.exe[4292] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007769a2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Overwolf\OverwolfHelper64.exe[4176] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[828] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Windows\system32\wuauclt.exe[2276] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Windows\system32\prevhost.exe[3152] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779feecd 1 byte [62] .text C:\Users\Marek\Downloads\OTL.exe[3232] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007769a2ba 1 byte [62] .text C:\Users\Marek\Downloads\OTL.exe[3232] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000076021465 2 bytes [02, 76] .text C:\Users\Marek\Downloads\OTL.exe[3232] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000760214bb 2 bytes [02, 76] .text ... * 2 .text C:\Users\Marek\Downloads\p7jxi5hq.exe[2916] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007769a2ba 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [1188:1280] 000007fefad4341c Thread C:\Windows\system32\svchost.exe [1188:1284] 000007fefad43a2c Thread C:\Windows\system32\svchost.exe [1188:1288] 000007fefad43768 Thread C:\Windows\system32\svchost.exe [1188:1292] 000007fefad45c20 Thread C:\Windows\system32\svchost.exe [1188:1168] 000007fef93d83d8 Thread C:\Windows\system32\svchost.exe [1188:1644] 000007fef93d83d8 Thread C:\Windows\system32\svchost.exe [1188:1724] 000007fef93d83d8 Thread C:\Windows\system32\svchost.exe [1188:292] 000007fef93d83d8 Thread C:\Windows\system32\svchost.exe [1188:2068] 000007fef95bbec4 Thread C:\Windows\system32\svchost.exe [1188:2636] 000007fef8923f1c Thread C:\Windows\system32\svchost.exe [1188:2640] 000007fef94d1a38 Thread C:\Windows\system32\svchost.exe [1188:2660] 000007fef9445388 Thread C:\Windows\system32\svchost.exe [1188:2724] 000007fef8767738 Thread C:\Windows\system32\svchost.exe [1188:2744] 000007fef9011f90 Thread C:\Windows\system32\svchost.exe [1188:2792] 000007fef84c5170 Thread C:\Windows\system32\svchost.exe [1188:2508] 000007fef9455124 Thread C:\Windows\system32\svchost.exe [1188:2976] 000007fefad43900 Thread C:\Windows\System32\svchost.exe [1256:2972] 000007fef82f9688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF2 0x51 0x5F 0xD3 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF2 0x51 0x5F 0xD3 ... ---- EOF - GMER 2.1 ----