GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-05-09 23:38:22
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD15EARS-00Z5B1 rev.80.00A80 1397,26GB
Running: nwysjps2.exe; Driver: C:\Users\ZWiKUWiM\AppData\Local\Temp\pgtcykoc.sys

---- User code sections - GMER 2.1 ----

.text  C:\Users\ZWiKUWiM\AppData\Local\fst_pl_107\upfst_pl_107.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075a71465 2 bytes [A7, 75]
.text  C:\Users\ZWiKUWiM\AppData\Local\fst_pl_107\upfst_pl_107.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075a714bb 2 bytes [A7, 75]
.text  ...  * 2
.text  C:\Users\ZWiKUWiM\AppData\Roaming\blueconnect\ouc.exe[2748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess  000000007730fcb0 5 bytes JMP 000000010024091c
.text  C:\Users\ZWiKUWiM\AppData\Roaming\blueconnect\ouc.exe[2748] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  000000007730fe14 5 bytes JMP 0000000100240048
.text  C:\Users\ZWiKUWiM\AppData\Roaming\blueconnect\ouc.exe[2748] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent  000000007730fea8 5 bytes JMP 00000001002402ee
.text  C:\Users\ZWiKUWiM\AppData\Roaming\blueconnect\ouc.exe[2748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread  0000000077310004 5 bytes JMP 00000001002404b2
.text  C:\Users\ZWiKUWiM\AppData\Roaming\blueconnect\ouc.exe[2748] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory  0000000077310038 5 bytes JMP 00000001002409fe
.text  C:\Users\ZWiKUWiM\AppData\Roaming\blueconnect\ouc.exe[2748] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread  0000000077310068 5 bytes JMP 0000000100240ae0
.text  C:\Users\ZWiKUWiM\AppData\Roaming\blueconnect\ouc.exe[2748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread  0000000077310084 5 bytes JMP 0000000100020050
.text  C:\Users\ZWiKUWiM\AppData\Roaming\blueconnect\ouc.exe[2748] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant  000000007731079c 5 bytes JMP 000000010024012a
.text  C:\Users\ZWiKUWiM\AppData\Roaming\blueconnect\ouc.exe[2748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject  000000007731088c 5 bytes JMP 0000000100240758
.text  C:\Users\ZWiKUWiM\AppData\Roaming\blueconnect\ouc.exe[2748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx  00000000773108a4 5 bytes JMP 0000000100240676
.text  C:\Users\ZWiKUWiM\AppData\Roaming\blueconnect\ouc.exe[2748] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver  0000000077310df4 5 bytes JMP 00000001002403d0
.text  C:\Users\ZWiKUWiM\AppData\Roaming\blueconnect\ouc.exe[2748] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread  0000000077311920 5 bytes JMP 0000000100240594
.text  C:\Users\ZWiKUWiM\AppData\Roaming\blueconnect\ouc.exe[2748] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation  0000000077311be4 5 bytes JMP 000000010024083a
.text  C:\Users\ZWiKUWiM\AppData\Roaming\blueconnect\ouc.exe[2748] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread  0000000077311d70 5 bytes JMP 000000010024020c
.text  C:\Users\ZWiKUWiM\AppData\Local\Genesis\Genesis.exe[2928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075a71465 2 bytes [A7, 75]
.text  C:\Users\ZWiKUWiM\AppData\Local\Genesis\Genesis.exe[2928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075a714bb 2 bytes [A7, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1536] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69   0000000075a71465 2 bytes [A7, 75]
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1536] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  0000000075a714bb 2 bytes [A7, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\fst_pl_107\fst_pl_107.exe[3504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075a71465 2 bytes [A7, 75]
.text  C:\Program Files (x86)\fst_pl_107\fst_pl_107.exe[3504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075a714bb 2 bytes [A7, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\HulaToo\bin\utilHulaToo.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075a71465 2 bytes [A7, 75]
.text  C:\Program Files (x86)\HulaToo\bin\utilHulaToo.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075a714bb 2 bytes [A7, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4656] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075a71465 2 bytes [A7, 75]
.text  C:\Program Files (x86)\Firebird\Firebird_2_0\bin\fbserver.exe[4656] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075a714bb 2 bytes [A7, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\HulaToo\bin\HulaToo.BrowserAdapter.exe[3836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075a71465 2 bytes [A7, 75]
.text  C:\Program Files (x86)\HulaToo\bin\HulaToo.BrowserAdapter.exe[3836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075a714bb 2 bytes [A7, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5536] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075a71465 2 bytes [A7, 75]
.text  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5536] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075a714bb 2 bytes [A7, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075a71465 2 bytes [A7, 75]
.text  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075a714bb 2 bytes [A7, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5576] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075a71465 2 bytes [A7, 75]
.text  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5576] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075a714bb 2 bytes [A7, 75]
.text  ...  * 2
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess  000000007730fcb0 5 bytes JMP 00000001001f091c
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  000000007730fe14 5 bytes JMP 00000001001f0048
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent  000000007730fea8 5 bytes JMP 00000001001f02ee
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread  0000000077310004 5 bytes JMP 00000001001f04b2
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory  0000000077310038 5 bytes JMP 00000001001f09fe
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread  0000000077310068 5 bytes JMP 00000001001f0ae0
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread  0000000077310084 5 bytes JMP 0000000100020050
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant  000000007731079c 5 bytes JMP 00000001001f012a
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject  000000007731088c 5 bytes JMP 00000001001f0758
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx  00000000773108a4 5 bytes JMP 00000001001f0676
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver  0000000077310df4 5 bytes JMP 00000001001f03d0
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread  0000000077311920 5 bytes JMP 00000001001f0594
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation  0000000077311be4 5 bytes JMP 00000001001f083a
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread  0000000077311d70 5 bytes JMP 00000001001f020c
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206  000000007534524f 7 bytes JMP 00000001001f0f52
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380  00000000753453d0 7 bytes JMP 0000000100280210
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149  0000000075345677 1 byte JMP 0000000100280048
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151  0000000075345679 5 bytes {JMP 0xffffffff8af3a9d1}
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542  000000007534589a 7 bytes JMP 00000001001f0ca6
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382  0000000075345a1d 7 bytes JMP 00000001002803d8
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370  0000000075345c9b 7 bytes JMP 000000010028012c
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231  0000000075345d87 7 bytes JMP 00000001002802f4
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123  0000000075347240 7 bytes JMP 00000001001f0e6e
.text  D:\skany\nwysjps2.exe[2220] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882  00000000769f1492 7 bytes JMP 00000001002804bc

---- Threads - GMER 2.1 ----

Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:1988]  0000000077343e85
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:980]   0000000077342e65
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2064]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2068]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2072]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2076]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2080]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2084]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2360]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2364]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2368]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2456]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2460]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2464]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2468]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2472]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2476]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2480]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2484]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2492]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2496]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2500]  0000000077343e85
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2528]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2580]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2584]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2588]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2592]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2892]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:1828]  0000000070b429e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2000:2356]  0000000077347151

---- Processes - GMER 2.1 ----

Process  C:\ProgramData\DatacardService\DCService.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\DCService.exe [1676](2010-08-19 08:52:04)  0000000000400000
Process  C:\ProgramData\DatacardService\DCSHelper.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\DCSHelper.exe [1904] (DataCardMonitor MFC Application/Huawei Technologies Co., Ltd.)(2010-08-19 08:52:14)  0000000000400000
Process  C:\Users\ZWiKUWiM\AppData\Roaming\blueconnect\ouc.exe (*** suspicious ***) @ C:\Users\ZWiKUWiM\AppData\Roaming\blueconnect\ouc.exe [2748] (Online Update Clinet/Huawei Technologies Co., Ltd.)(2013-05-08 16:48:52)  0000000000400000
Process  C:\Users\ZWiKUWiM\AppData\Local\Genesis\Genesis.exe (*** suspicious ***) @ C:\Users\ZWiKUWiM\AppData\Local\Genesis\Genesis.exe [2928](2014-05-07 15:14:55)  0000000000400000

---- EOF - GMER 2.1 ----