GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-04-05 13:53:51
Windows 6.1.7600 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK2552GSX rev.LV010M 232,89GB
Running: xwx5oc12.exe; Driver: G:\Users\Filip\AppData\Local\Temp\uxldapow.sys

---- Kernel code sections - GMER 2.1 ----

.text G:\Windows\System32\win32k.sys!W32pServiceTable + 1 fffff96000141f01 6 bytes [A0, F3, FF, 01, AD, F0]
.text G:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000141f08 3 bytes [C0, 06, 02]

---- User code sections - GMER 2.1 ----

.text H:\AVG\avgidsagent.exe[1744] G:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076cb1465 2 bytes [CB, 76]
.text H:\AVG\avgidsagent.exe[1744] G:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076cb14bb 2 bytes [CB, 76]
.text ... * 2
.text G:\Windows\SysWOW64\PnkBstrA.exe[1644] G:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000073db1a22 2 bytes [DB, 73]
.text G:\Windows\SysWOW64\PnkBstrA.exe[1644] G:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000073db1ad0 2 bytes [DB, 73]
.text G:\Windows\SysWOW64\PnkBstrA.exe[1644] G:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000073db1b08 2 bytes [DB, 73]
.text G:\Windows\SysWOW64\PnkBstrA.exe[1644] G:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000073db1bba 2 bytes [DB, 73]
.text G:\Windows\SysWOW64\PnkBstrA.exe[1644] G:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000073db1bda 2 bytes [DB, 73]
.text H:\AVG\avgui.exe[148] G:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076cb1465 2 bytes [CB, 76]
.text H:\AVG\avgui.exe[148] G:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076cb14bb 2 bytes [CB, 76]
.text ... * 2
.text G:\Users\Filip\Pobieranie\ROJOTAPETY\OTL.exe[1652] G:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000076cb1465 2 bytes [CB, 76]
.text G:\Users\Filip\Pobieranie\ROJOTAPETY\OTL.exe[1652] G:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 0000000076cb14bb 2 bytes [CB, 76]
.text ... * 2
.text H:\iTunes\iTunes.exe[5016] G:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076cb1465 2 bytes [CB, 76]
.text H:\iTunes\iTunes.exe[5016] G:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076cb14bb 2 bytes [CB, 76]
.text ... * 2
.text G:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[4540] G:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076cb1465 2 bytes [CB, 76]
.text G:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe[4540] G:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076cb14bb 2 bytes [CB, 76]
.text ... * 2

---- User IAT/EAT - GMER 2.1 ----

IAT G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2240] @ G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef93a741c] G:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2240] @ G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef93a5f10] G:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2240] @ G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef93a5674] G:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2240] @ G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef93a5e2c] G:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2240] @ G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef93a7f48] G:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2240] @ G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef93a6a38] G:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2240] @ G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef93a6ee8] G:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2240] @ G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef93a7b58] G:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2240] @ G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef93a7ea0] G:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2240] @ G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef93a78b0] G:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2240] @ G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef93a4fb4] G:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2240] @ G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef93a5d38] G:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2240] @ G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef93a7584] G:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Registry - GMER 2.1 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7CE89BF3-1670-7F5B-0424-0758CD4E4E91}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EC121757-99ED-81F3-EC05-287B018B672C}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EC121757-99ED-81F3-EC05-287B018B672C}@abljolpimdfifdlflnkcmmjeccmmgaggco 0x70 0x61 0x6A 0x6A ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EC121757-99ED-81F3-EC05-287B018B672C}@makjlmimleabbaoncimemlkdmo 0x6F 0x61 0x6C 0x64 ...

---- EOF - GMER 2.1 ----