GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-06-29 12:16:33
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MJA2320BH_G2 rev.0084001C 298,09GB
Running: t5nmo7ku.exe; Driver: C:\Users\Vip\AppData\Local\Temp\uxrirpow.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Greener Web\bin\utilGreenerWeb.exe[1232] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17  00000000759f1401 2 bytes JMP 774deb26 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Greener Web\bin\utilGreenerWeb.exe[1232] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17  00000000759f1419 2 bytes JMP 774eb513 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Greener Web\bin\utilGreenerWeb.exe[1232] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17  00000000759f1431 2 bytes JMP 77568609 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Greener Web\bin\utilGreenerWeb.exe[1232] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42  00000000759f144a 2 bytes CALL 774c1dfa C:\Windows\syswow64\KERNEL32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Greener Web\bin\utilGreenerWeb.exe[1232] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17  00000000759f14dd 2 bytes JMP 77567efe C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Greener Web\bin\utilGreenerWeb.exe[1232] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17  00000000759f14f5 2 bytes JMP 775680d8 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Greener Web\bin\utilGreenerWeb.exe[1232] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17  00000000759f150d 2 bytes JMP 77567df4 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Greener Web\bin\utilGreenerWeb.exe[1232] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17  00000000759f1525 2 bytes JMP 775681c2 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Greener Web\bin\utilGreenerWeb.exe[1232] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17  00000000759f153d 2 bytes JMP 774df088 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Greener Web\bin\utilGreenerWeb.exe[1232] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17  00000000759f1555 2 bytes JMP 774eb885 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Greener Web\bin\utilGreenerWeb.exe[1232] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17  00000000759f156d 2 bytes JMP 775686c1 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Greener Web\bin\utilGreenerWeb.exe[1232] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17  00000000759f1585 2 bytes JMP 77568222 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Greener Web\bin\utilGreenerWeb.exe[1232] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17  00000000759f159d 2 bytes JMP 77567db8 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Greener Web\bin\utilGreenerWeb.exe[1232] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17  00000000759f15b5 2 bytes JMP 774df121 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Greener Web\bin\utilGreenerWeb.exe[1232] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17  00000000759f15cd 2 bytes JMP 774eb29f C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Greener Web\bin\utilGreenerWeb.exe[1232] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20  00000000759f16b2 2 bytes JMP 77568584 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Greener Web\bin\utilGreenerWeb.exe[1232] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31  00000000759f16bd 2 bytes JMP 77567d4d C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Greener Web\bin\GreenerWeb.BrowserAdapter.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  00000000759f1401 2 bytes JMP 774deb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Greener Web\bin\GreenerWeb.BrowserAdapter.exe[1388] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  00000000759f1419 2 bytes JMP 774eb513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Greener Web\bin\GreenerWeb.BrowserAdapter.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  00000000759f1431 2 bytes JMP 77568609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Greener Web\bin\GreenerWeb.BrowserAdapter.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  00000000759f144a 2 bytes CALL 774c1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Greener Web\bin\GreenerWeb.BrowserAdapter.exe[1388] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000759f14dd 2 bytes JMP 77567efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Greener Web\bin\GreenerWeb.BrowserAdapter.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000759f14f5 2 bytes JMP 775680d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Greener Web\bin\GreenerWeb.BrowserAdapter.exe[1388] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  00000000759f150d 2 bytes JMP 77567df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Greener Web\bin\GreenerWeb.BrowserAdapter.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  00000000759f1525 2 bytes JMP 775681c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Greener Web\bin\GreenerWeb.BrowserAdapter.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  00000000759f153d 2 bytes JMP 774df088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Greener Web\bin\GreenerWeb.BrowserAdapter.exe[1388] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  00000000759f1555 2 bytes JMP 774eb885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Greener Web\bin\GreenerWeb.BrowserAdapter.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  00000000759f156d 2 bytes JMP 775686c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Greener Web\bin\GreenerWeb.BrowserAdapter.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  00000000759f1585 2 bytes JMP 77568222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Greener Web\bin\GreenerWeb.BrowserAdapter.exe[1388] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  00000000759f159d 2 bytes JMP 77567db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Greener Web\bin\GreenerWeb.BrowserAdapter.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000759f15b5 2 bytes JMP 774df121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Greener Web\bin\GreenerWeb.BrowserAdapter.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000759f15cd 2 bytes JMP 774eb29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Greener Web\bin\GreenerWeb.BrowserAdapter.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000759f16b2 2 bytes JMP 77568584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Greener Web\bin\GreenerWeb.BrowserAdapter.exe[1388] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000759f16bd 2 bytes JMP 77567d4d C:\Windows\syswow64\kernel32.dll

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification

---- Processes - GMER 2.1 ----

Process  C:\ProgramData\DatacardService\HWDeviceService64.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\HWDeviceService64.exe [1700](2010-11-16 13:38:16)  000000013f3f0000
Process  C:\ProgramData\DatacardService\DCSHelper.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\DCSHelper.exe [1804] (DataCardMonitor MFC Application/Huawei Technologies Co., Ltd.)(2010-11-16 13:37:30)  0000000000400000
Process  C:\Users\Vip\AppData\Roaming\PLAY ONLINE\ouc.exe (*** suspicious ***) @ C:\Users\Vip\AppData\Roaming\PLAY ONLINE\ouc.exe [1956] (Online Update Clinet/Huawei Technologies Co., Ltd.)(2014-01-13 19:30:15)  0000000000400000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001c7b2c81c7
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001c7b2c81c7@00265fc61949  0xE4 0xD0 0xA3 0xB8 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001c7b2c81c7 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001c7b2c81c7@00265fc61949  0xE4 0xD0 0xA3 0xB8 ...

---- EOF - GMER 2.1 ----