GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-07-31 12:44:19
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB
Running: mq8e2u4i.exe; Driver: C:\Users\Abi\AppData\Local\Temp\uxriapow.sys


---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560  fffff800033b9000 45 bytes [00, 00, 10, 02, 4E, 74, 66, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607  fffff800033b902f 29 bytes [00, 01, 00, 06, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\Dwm.exe[1740] C:\Windows\system32\kernel32.dll!LoadLibraryW  0000000076f96f80 5 bytes JMP 0000000169ff0038
.text  C:\Windows\system32\Dwm.exe[1740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW  000007fefd729940 5 bytes JMP 000007fffd5900b8
.text  C:\Windows\system32\Dwm.exe[1740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA  000007fefd72bbb0 5 bytes JMP 000007fffd590038
.text  C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\kernel32.dll!LoadLibraryW  0000000076f96f80 5 bytes JMP 0000000169ff0038
.text  C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW  000007fefd729940 5 bytes JMP 000007fffd7100b8
.text  C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA  000007fefd72bbb0 5 bytes JMP 000007fffd710038
.text  C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\ole32.dll!CoCreateInstance  000007fefdb67490 5 bytes JMP 000007fffd710138
.text  C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\WINMM.dll!waveOutReset  000007fefab7a38c 5 bytes JMP 000007fefd7102b8
.text  C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\WINMM.dll!waveOutPause  000007fefab94b60 5 bytes JMP 000007fefd710238
.text  C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\WINMM.dll!waveOutRestart  000007fefab94ba0 5 bytes JMP 000007fefd7101b8
.text  C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3248] C:\Windows\system32\kernel32.dll!LoadLibraryW  0000000076f96f80 5 bytes JMP 0000000169ff0038
.text  C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3248] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW  000007fefd729940 5 bytes JMP 000007fffd7100b8
.text  C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3248] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA  000007fefd72bbb0 5 bytes JMP 000007fffd710038
.text  C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3248] C:\Windows\system32\WINMM.dll!waveOutReset  000007fefab7a38c 5 bytes JMP 000007fefd7102b8
.text  C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3248] C:\Windows\system32\WINMM.dll!waveOutPause  000007fefab94b60 5 bytes JMP 000007fefd710238
.text  C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3248] C:\Windows\system32\WINMM.dll!waveOutRestart  000007fefab94ba0 5 bytes JMP 000007fefd7101b8
.text  C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3248] C:\Windows\system32\ole32.dll!CoCreateInstance  000007fefdb67490 5 bytes JMP 000007fffd710138
.text  C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3256] C:\Windows\system32\kernel32.dll!LoadLibraryW  0000000076f96f80 5 bytes JMP 0000000169ff0038
.text  C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3256] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW  000007fefd729940 5 bytes JMP 000007fffd7100b8
.text  C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3256] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA  000007fefd72bbb0 5 bytes JMP 000007fffd710038
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3436] C:\Windows\syswow64\kernel32.dll!LoadLibraryExA  00000000751448fb 5 bytes JMP 00000001100027c0
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3436] C:\Windows\syswow64\kernel32.dll!LoadLibraryW  0000000075144913 5 bytes JMP 00000001100028a0
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3436] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW  0000000075144945 5 bytes JMP 0000000110002830
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3436] C:\Windows\syswow64\ole32.dll!CoCreateInstance  0000000076339d0b 5 bytes JMP 0000000110002900

---- Kernel IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback]  [fffff88004b5eea4] \SystemRoot\system32\DRIVERS\klif.sys [unknown section]

---- Processes - GMER 2.1 ----

Library  C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\shellex.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1424]  000007fef8aa0000
Library  C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\MSVCP100.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1424]  0000000072ef0000
Library  C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\MSVCR100.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1424]  0000000072e10000
Library  C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\prremote.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1424]  00000000709f0000
Library  C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\prloader.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1424]  000007fef2890000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0cb38ef19ac
Reg  HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch  8462
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{2C199857-869C-4742-AFB8-194E192F0A72}@DhcpNameServer  192.168.0.1
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{2C199857-869C-4742-AFB8-194E192F0A72}@DhcpDefaultGateway  192.168.0.1?
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0cb38ef19ac (not active ControlSet)

---- EOF - GMER 2.1 ----
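The log lists one hook per line and gives no per-process or cross-process view, which is what an analyst actually wants from it. As an added example, not part of the posted log or of GMER itself, the following Python script parses the `.text ... JMP` inline-hook entries and the `Library ... (*** suspicious ***)` entries of a GMER 2.1 log (field layout inferred from the lines on this page; the embedded sample is a constructed excerpt of those lines) and reports which APIs each process has hooked and which JMP targets recur in more than one process.

```python
"""Added example: summarise GMER 2.1 user-mode hook and 'suspicious' library
entries. Not part of the posted log or of GMER; written for this page."""
import re
from collections import defaultdict

# One entry per line, as GMER prints them; runs of spaces between fields are fine.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>.+?)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9a-f]+)\s+(?P<size>\d+)\s+bytes\s+JMP\s+(?P<target>[0-9a-f]+)$",
    re.IGNORECASE,
)
LIB_RE = re.compile(
    r"^Library\s+(?P<path>.+?)\s+\(\*\*\* suspicious \*\*\*\)\s+@\s+"
    r"(?P<process>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>[0-9a-f]+)$",
    re.IGNORECASE,
)

# Constructed sample: a handful of lines copied from the log on this page.
SAMPLE_LOG = r"""
---- User code sections - GMER 2.1 ----
.text  C:\Windows\system32\Dwm.exe[1740] C:\Windows\system32\kernel32.dll!LoadLibraryW  0000000076f96f80 5 bytes JMP 0000000169ff0038
.text  C:\Windows\system32\Dwm.exe[1740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW  000007fefd729940 5 bytes JMP 000007fffd5900b8
.text  C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\kernel32.dll!LoadLibraryW  0000000076f96f80 5 bytes JMP 0000000169ff0038
.text  C:\Windows\system32\taskhost.exe[1792] C:\Windows\system32\ole32.dll!CoCreateInstance  000007fefdb67490 5 bytes JMP 000007fffd710138
.text  C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3248] C:\Windows\system32\kernel32.dll!LoadLibraryW  0000000076f96f80 5 bytes JMP 0000000169ff0038
---- Processes - GMER 2.1 ----
Library C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\x64\shellex.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1424] 000007fef8aa0000
---- EOF - GMER 2.1 ----
"""


def parse_hooks(text):
    """Return one dict per '.text ... JMP ...' inline-hook entry."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        d["size"] = int(d["size"])
        d["addr"] = int(d["addr"], 16)
        d["target"] = int(d["target"], 16)
        hooks.append(d)
    return hooks


def parse_suspicious_libraries(text):
    """Return one dict per 'Library ... (*** suspicious ***)' entry."""
    libs = []
    for line in text.splitlines():
        m = LIB_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["base"] = int(d["base"], 16)
            libs.append(d)
    return libs


def proc_key(h):
    return "%s[%d]" % (h["process"], h["pid"])


def hooks_by_process(hooks):
    """Map 'C:\\...\\proc.exe[pid]' to the list of hooked 'module!function' names."""
    out = defaultdict(list)
    for h in hooks:
        module = h["module"].rsplit("\\", 1)[-1]  # basename of a Windows path
        out[proc_key(h)].append("%s!%s" % (module, h["func"]))
    return dict(out)


def shared_trampolines(hooks):
    """JMP targets that are identical in more than one process.

    The same target address in several processes means one component was
    injected into all of them; the log does not say which module owns the
    address, so that still has to be resolved on the machine."""
    procs = defaultdict(set)
    for h in hooks:
        procs[h["target"]].add(proc_key(h))
    return {t: sorted(p) for t, p in procs.items() if len(p) > 1}


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for proc, apis in hooks_by_process(hooks).items():
        print(proc, "->", ", ".join(apis))
    for target, procs in shared_trampolines(hooks).items():
        print("JMP %016x shared by %d processes" % (target, len(procs)))
    for lib in parse_suspicious_libraries(SAMPLE_LOG):
        print("suspicious:", lib["path"], "in", lib["process"], "pid", lib["pid"])
```

Run against the full log above, the script shows the kernel32.dll!LoadLibraryW hook jumping to the same address (0000000169ff0038) in Dwm.exe, taskhost.exe, utility.exe and Energy Management.exe, while the 32-bit jusched.exe (hooked through syswow64 copies of the same DLLs) has its own set of targets. The log does not say which module those targets belong to or whether the hooking component is legitimate; both have to be checked on the machine itself.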