GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-02-16 18:43:57
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 Maxtor_6V160E0 rev.VA111630 149,05GB
Running: xqf5s1hz.exe; Driver: C:\Users\emilka\AppData\Local\Temp\uwdiypod.sys


---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528  fffff80002df0000 45 bytes [00, 00, 4C, 02, 42, 49, 49, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 574  fffff80002df002e 17 bytes [5C, 00, 48, 00, 61, 00, 72, ...]

---- User code sections - GMER 2.1 ----

.text  C:\Windows\SysWOW64\PnkBstrA.exe[2492] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322  00000000753b1a22 2 bytes [3B, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2492] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496  00000000753b1ad0 2 bytes [3B, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2492] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552  00000000753b1b08 2 bytes [3B, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2492] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730  00000000753b1bba 2 bytes [3B, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2492] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762  00000000753b1bda 2 bytes [3B, 75]
.text  C:\Users\emilka\AppData\Roaming\Google\Google Talk\googletalk.exe[2268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000760b1465 2 bytes [0B, 76]
.text  C:\Users\emilka\AppData\Roaming\Google\Google Talk\googletalk.exe[2268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000760b14bb 2 bytes [0B, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe[2308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000760b1465 2 bytes [0B, 76]
.text  C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe[2308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000760b14bb 2 bytes [0B, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[3988] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69  00000000760b1465 2 bytes [0B, 76]
.text  C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[3988] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155  00000000760b14bb 2 bytes [0B, 76]
.text  ...  * 2

---- Threads - GMER 2.1 ----

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [3892:5268]  000007fefbc92a7c
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [3892:5364]  000007feed2f4830
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5548:4752]  0000000077547587
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5548:4288]  000000006898758a
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5548:4152]  00000000779b2e65
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5548:6360]  00000000779b3e85
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5548:4560]  00000000779b3e85
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5548:6808]  00000000779b3e85

---- Processes - GMER 2.1 ----

Library  C:\Users\emilka\AppData\Local\PirritSuggestor\QtCore4.dll (*** suspicious ***) @ C:\Users\emilka\AppData\Local\PirritSuggestor\PirritService.exe [2468] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-02-14 20:16:27)  0000000072520000
Process  C:\Users\emilka\AppData\Roaming\Google\Google Talk\googletalk.exe (*** suspicious ***) @ C:\Users\emilka\AppData\Roaming\Google\Google Talk\googletalk.exe [2268] (Google Talk/Google)(2007-01-01 21:22:02)  0000000000400000
Library  C:\Users\emilka\AppData\Roaming\newnext.me\nengine.dll (*** suspicious ***) @ C:\Windows\SysWOW64\rundll32.exe [3080] (NewNext Helper Engine/NewNextDotMe)(2013-12-31 14:01:57)  0000000074be0000
Library  C:\Users\emilka\AppData\Local\PirritSuggestor\QtNetwork4.dll (*** suspicious ***) @ C:\Users\emilka\AppData\Local\PirritSuggestor\PirritDesktop.exe [2844] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-02-14 20:16:27)  000000006e2e0000
Library  C:\Users\emilka\AppData\Local\PirritSuggestor\QtCore4.dll (*** suspicious ***) @ C:\Users\emilka\AppData\Local\PirritSuggestor\PirritDesktop.exe [2844] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-02-14 20:16:27)  0000000072520000

---- EOF - GMER 2.1 ----
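The following triage script is an added example for reading a GMER 2.1 log like the one above; it is not part of the posted log and not GMER's own code. It splits the log into its banner-delimited sections, turns each "Processes" entry (Library/Process line) and each ".text" user-code hook into a structured record, and groups the entries GMER marked "*** suspicious ***" by host process. Three things in it are the editor's assumptions rather than anything GMER documents: the regular expressions are reconstructed from the layout of this log; the "user_writable" flag is a heuristic that marks modules loaded from under a user's AppData folder; and the "bytes_are_addr_high_word" flag only records the arithmetic fact that the two reported bytes, read little-endian, equal the high 16 bits of the hooked address (0x753b for 0x753b1a22), which a reviewer would want to see before treating a 2-byte entry as an inline jump. The "...  * N" line is assumed to mean N further entries like the preceding one. The sample input is a constructed subset of the log above, reflowed one entry per line.

```python
"""Triage helper for GMER 2.1 rootkit-scan logs (added example, not GMER's own code)."""
import re
from collections import defaultdict

# Constructed sample: entries copied from the log above, reflowed one entry per line.
SAMPLE_LOG = r"""GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-02-16 18:43:57
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 Maxtor_6V160E0 rev.VA111630 149,05GB
Running: xqf5s1hz.exe; Driver: C:\Users\emilka\AppData\Local\Temp\uwdiypod.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528  fffff80002df0000 45 bytes [00, 00, 4C, 02, 42, 49, 49, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 574  fffff80002df002e 17 bytes [5C, 00, 48, 00, 61, 00, 72, ...]

---- User code sections - GMER 2.1 ----

.text  C:\Windows\SysWOW64\PnkBstrA.exe[2492] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322  00000000753b1a22 2 bytes [3B, 75]
.text  C:\Users\emilka\AppData\Roaming\Google\Google Talk\googletalk.exe[2268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000760b1465 2 bytes [0B, 76]
.text  ...  * 2

---- Processes - GMER 2.1 ----

Library  C:\Users\emilka\AppData\Local\PirritSuggestor\QtCore4.dll (*** suspicious ***) @ C:\Users\emilka\AppData\Local\PirritSuggestor\PirritService.exe [2468] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-02-14 20:16:27)  0000000072520000
Process  C:\Users\emilka\AppData\Roaming\Google\Google Talk\googletalk.exe (*** suspicious ***) @ C:\Users\emilka\AppData\Roaming\Google\Google Talk\googletalk.exe [2268] (Google Talk/Google)(2007-01-01 21:22:02)  0000000000400000
Library  C:\Users\emilka\AppData\Roaming\newnext.me\nengine.dll (*** suspicious ***) @ C:\Windows\SysWOW64\rundll32.exe [3080] (NewNext Helper Engine/NewNextDotMe)(2013-12-31 14:01:57)  0000000074be0000

---- EOF - GMER 2.1 ----
"""

# Section banners: "---- <name> - GMER 2.1 ----"
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# Processes section: "<Library|Process>  <path> [(*** suspicious ***)] @ <host> [<pid>] (<info>)(<stamp>)  <base>"
PROCESS_RE = re.compile(
    r"^(?P<kind>Library|Process)\s+(?P<path>.+?)\s+(?:\((?P<flag>\*\*\* suspicious \*\*\*)\)\s+)?"
    r"@ (?P<host>.+?) \[(?P<pid>\d+)\] \((?P<info>.*)\)\((?P<stamp>[\d-]+ [\d:]+)\)\s+(?P<base>[0-9a-f]{16})$"
)
# User code sections: ".text  <process>[<pid>] <module>!<export> + <offset>  <addr> <n> bytes [<hex>, ...]"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>.+?)!(?P<export>\w+) \+ (?P<offset>\d+)\s+"
    r"(?P<addr>[0-9a-f]{16}) (?P<size>\d+) bytes \[(?P<bytes>[^\]]+)\]$"
)
ELIDED_RE = re.compile(r"^\.text\s+\.\.\.\s+\* (?P<n>\d+)$")  # assumed: N more entries like the previous one
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)  # editor's heuristic, not a GMER field


def parse_sections(text):
    """Split a GMER log into {section name: [non-blank lines]}; lines before the first banner go under 'header'."""
    sections, current = defaultdict(list), "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
        else:
            sections[current].append(line)
    return dict(sections)


def parse_process_entry(line):
    """Structured record for one Library/Process line, or None if the line has another shape."""
    m = PROCESS_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "kind": d["kind"], "path": d["path"], "host": d["host"], "pid": int(d["pid"]),
        "info": d["info"], "stamp": d["stamp"], "base": int(d["base"], 16),
        "gmer_flagged": d["flag"] is not None,                      # GMER's own "*** suspicious ***" marker
        "user_writable": bool(USER_WRITABLE_RE.match(d["path"])),   # heuristic: module lives under a user's AppData
    }


def parse_hook_entry(line):
    """Structured record for one .text hook line, or None."""
    m = HOOK_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    patched = [int(b, 16) for b in d["bytes"].split(", ")]
    addr = int(d["addr"], 16)
    # Heuristic (editor's, not GMER's): do the two reported bytes, read little-endian, equal the high
    # 16 bits of the hooked address (0x753b for 0x753b1a22)? Worth knowing before calling it an inline jump.
    high_word = (addr >> 16) & 0xFFFF
    return {
        "proc": d["proc"], "pid": int(d["pid"]), "addr": addr,
        "target": f'{d["module"]}!{d["export"]}+{d["offset"]}', "bytes": patched,
        "bytes_are_addr_high_word": len(patched) == 2 and (patched[0] | (patched[1] << 8)) == high_word,
    }


def triage(text):
    """Group GMER-flagged or user-writable modules by host process, and hooks by hooked process."""
    sections = parse_sections(text)
    modules, hooks, last = defaultdict(list), defaultdict(list), None
    for line in sections.get("Processes", []):
        rec = parse_process_entry(line)
        if rec and (rec["gmer_flagged"] or rec["user_writable"]):
            modules[(rec["host"], rec["pid"])].append(rec)
    for line in sections.get("User code sections", []):
        rec = parse_hook_entry(line)
        if rec:
            last = (rec["proc"], rec["pid"])
            hooks[last].append(rec)
            continue
        elided = ELIDED_RE.match(line)
        if elided and last:
            hooks[last].append({"elided": int(elided.group("n"))})
    return {"modules": dict(modules), "hooks": dict(hooks)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for (host, pid), recs in result["modules"].items():
        print(f"{host} [{pid}]")
        for r in recs:
            print(f"  {r['kind']:8} {r['path']}  flagged={r['gmer_flagged']} user_writable={r['user_writable']}")
    for (proc, pid), recs in result["hooks"].items():
        print(f"{proc} [{pid}]: {recs}")
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; the "modules" map is the list a reviewer would want to work through first (each entry keeps the path, host process, PID, image base and GMER's version/timestamp string), and the "hooks" map keeps the patched bytes alongside the address so the high-word check can be eyeballed.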