GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-07-31 18:56:24
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AAKX-083CA1 rev.19.01H19 465,76GB
Running: qjjbt58w.exe; Driver: C:\Users\UKASZ~1\AppData\Local\Temp\ugrdipoc.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528  fffff800035a7000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575  fffff800035a702f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1600]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000767f1465 2 bytes [7F, 76]
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1600]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000767f14bb 2 bytes [7F, 76]
.text  ...  * 2
.text  C:\Windows\Explorer.EXE[1764]  C:\Windows\system32\kernel32.dll!CreateProcessW  00000000774a0650 6 bytes {JMP QWORD [RIP+0x8b7f9e0]}
.text  C:\Windows\Explorer.EXE[1764]  C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357  000007fefd4f9055 3 bytes CALL 0
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1344]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000767f1465 2 bytes [7F, 76]
.text  C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1344]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000767f14bb 2 bytes [7F, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[3492]  C:\Windows\syswow64\USER32.dll!GetScrollInfo  00000000773a4018 7 bytes JMP 00000001704f62d0
.text  C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[3492]  C:\Windows\syswow64\USER32.dll!SetScrollInfo  00000000773a40cf 7 bytes JMP 00000001704f5f60
.text  C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[3492]  C:\Windows\syswow64\USER32.dll!ShowScrollBar  00000000773a4162 5 bytes JMP 00000001704f6980
.text  C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[3492]  C:\Windows\syswow64\USER32.dll!GetScrollPos  00000000773a4234 5 bytes JMP 00000001704f65b0
.text  C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[3492]  C:\Windows\syswow64\USER32.dll!SetScrollPos  00000000773a87a5 5 bytes JMP 00000001704f6410
.text  C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[3492]  C:\Windows\syswow64\USER32.dll!EnableScrollBar  00000000773a8d3a 7 bytes JMP 00000001704f69c0
.text  C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[3492]  C:\Windows\syswow64\USER32.dll!GetScrollRange  00000000773a90c4 5 bytes JMP 00000001704f6870
.text  C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[3492]  C:\Windows\syswow64\USER32.dll!SetScrollRange  00000000773bd50b 5 bytes JMP 00000001704f6670
.text  C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[3492]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000767f1465 2 bytes [7F, 76]
.text  C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[3492]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000767f14bb 2 bytes [7F, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BAVSvc.exe[4544]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000767f1465 2 bytes [7F, 76]
.text  C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BAVSvc.exe[4544]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000767f14bb 2 bytes [7F, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Baidu Security\Baidu Antivirus\bavhm.exe[4644]  C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626  000007fefd4f9ff2 3 bytes [0A, 60, 06]
.text  C:\Program Files (x86)\Baidu Security\Baidu Antivirus\bavupdater.exe[4668]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000767f1465 2 bytes [7F, 76]
.text  C:\Program Files (x86)\Baidu Security\Baidu Antivirus\bavupdater.exe[4668]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000767f14bb 2 bytes [7F, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BHipsSvc.exe[3216]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000767f1465 2 bytes [7F, 76]
.text  C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BHipsSvc.exe[3216]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000767f14bb 2 bytes [7F, 76]
.text  ...  * 2

---- Processes - GMER 2.1 ----

Library  C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchrome150browserrecordhelper.dll (*** suspicious ***) @ C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2968] (RealPlayer Chrome Browser Helper/RealNetworks, Inc.)(2012-04-22 07:47:55)  00000000751a0000
Library  C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchrome150browserrecordhelper.dll (*** suspicious ***) @ C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe [2896] (RealPlayer Chrome Browser Helper/RealNetworks, Inc.)(2012-04-22 07:47:55)  00000000751a0000
Library  C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchrome150browserrecordhelper.dll (*** suspicious ***) @ C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [1344] (RealPlayer Chrome Browser Helper/RealNetworks, Inc.)(2012-04-22 07:47:55)  00000000751a0000
Library  C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchrome150browserrecordhelper.dll (*** suspicious ***) @ C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [3052] (RealPlayer Chrome Browser Helper/RealNetworks, Inc.)(2012-04-22 07:47:55)  00000000751a0000
Library  C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchrome150browserrecordhelper.dll (*** suspicious ***) @ C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe [2880] (RealPlayer Chrome Browser Helper/RealNetworks, Inc.)(2012-04-22 07:47:55)  00000000751a0000
Library  C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchrome150browserrecordhelper.dll (*** suspicious ***) @ C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe [3648] (RealPlayer Chrome Browser Helper/RealNetworks, Inc.)(2012-04-22 07:47:55)  00000000751a0000
Library  C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchrome150browserrecordhelper.dll (*** suspicious ***) @ C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe [3832] (RealPlayer Chrome Browser Helper/RealNetworks, Inc.)(2012-04-22 07:47:55)  00000000751a0000
Library  C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchrome150browserrecordhelper.dll (*** suspicious ***) @ C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe [3492] (RealPlayer Chrome Browser Helper/RealNetworks, Inc.)(2012-04-22 07:47:55)  00000000751a0000
Library  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2FFC8774-7FE5-40EF-A25F-CB81A4E36234}\offreg.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [4100](2014-07-31 16:23:10)  000007feed180000
Library  C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchrome150browserrecordhelper.dll (*** suspicious ***) @ C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe [5876] (RealPlayer Chrome Browser Helper/RealNetworks, Inc.)(2012-04-22 07:47:55)  00000000751a0000

---- EOF - GMER 2.1 ----
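A small triage script for a log of this shape, added here as an example; it is not GMER's code and not part of the original post. It parses the two line formats that make up the bulk of the log above (the ".text" hook entries and the "Library ... (*** suspicious ***)" entries), then separates three things a reviewer normally wants to see at a glance: patches that are byte-identical at the same address across several processes (such as the 2-byte PSAPI.DLL!GetModuleInformation patch that every WOW64 process in this log shows, which describes the shared module image rather than any one process), hooks that redirect to an absolute address (the USER32 scroll-function hooks in BavTray.exe), and which processes each flagged DLL was found in. The regular expressions assume exactly the column layout GMER 2.1 printed here; the sample lines are copied from the log above, and grouping by "same bytes at the same address" is a triage heuristic, not a verdict on whether any entry is malicious.

```python
"""Triage helper for the ".text" hook lines and "Library ... (*** suspicious ***)"
lines in GMER 2.1 output. Added example, not GMER's code and not part of the
original post; it only knows the line shapes that appear in the log above."""
import re
from collections import defaultdict

# ".text  <process>[<pid>]  <module>!<function>[ + <off>]  <addr> <n> bytes <detail>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>.+?)!(?P<func>\w+)(?:\s*\+\s*(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]+)\s+(?P<size>\d+)\s+bytes\s*(?P<detail>.*)$"
)
# "Library <dll> (*** suspicious ***) @ <process> [<pid>] (<desc>)(<timestamp>) <base>";
# the (<desc>) group is missing on the offreg.dll line, so it is optional here.
LIB_RE = re.compile(
    r"^Library\s+(?P<dll>.+?)\s+\(\*\*\* suspicious \*\*\*\)\s+@\s+"
    r"(?P<process>.+?)\s+\[(?P<pid>\d+)\]\s*"
    r"(?:\((?P<desc>[^)]*)\))?\((?P<ts>[^)]*)\)\s+(?P<base>[0-9a-fA-F]+)$"
)
# A direct hook is printed as "JMP <hex>"; an indirect one as "{JMP QWORD [RIP+...]}".
JMP_ABS_RE = re.compile(r"^JMP\s+([0-9a-fA-F]+)$")

# Lines copied from the scan log above, one representative of each shape.
SAMPLE_LINES = [
    r".text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000767f1465 2 bytes [7F, 76]",
    r".text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1344] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000767f1465 2 bytes [7F, 76]",
    r".text C:\Windows\Explorer.EXE[1764] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000774a0650 6 bytes {JMP QWORD [RIP+0x8b7f9e0]}",
    r".text C:\Windows\Explorer.EXE[1764] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd4f9055 3 bytes CALL 0",
    r".text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[3492] C:\Windows\syswow64\USER32.dll!GetScrollInfo 00000000773a4018 7 bytes JMP 00000001704f62d0",
    r".text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\BavTray.exe[3492] C:\Windows\syswow64\USER32.dll!SetScrollInfo 00000000773a40cf 7 bytes JMP 00000001704f5f60",
    r"Library C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchrome150browserrecordhelper.dll (*** suspicious ***) @ C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2968] (RealPlayer Chrome Browser Helper/RealNetworks, Inc.)(2012-04-22 07:47:55) 00000000751a0000",
    r"Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2FFC8774-7FE5-40EF-A25F-CB81A4E36234}\offreg.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [4100](2014-07-31 16:23:10) 000007feed180000",
]

def hook_kind(detail):
    """Coarse class of the trailing column GMER printed for a patch."""
    if JMP_ABS_RE.match(detail):
        return "jmp-abs"          # direct jump to an absolute address
    if detail.startswith("{JMP"):
        return "jmp-indirect"     # jump through a pointer, e.g. {JMP QWORD [RIP+...]}
    if detail.startswith("CALL"):
        return "call"
    return "bytes" if detail.startswith("[") else "other"   # raw patched bytes

def parse_hook(line):
    """Dict for a '.text' hook line (addresses as ints), or None for other lines."""
    m = HOOK_RE.match(line)
    if not m:
        return None
    h = m.groupdict()
    h["pid"], h["size"] = int(h["pid"]), int(h["size"])
    h["off"] = int(h["off"]) if h["off"] else 0
    h["addr"] = int(h["addr"], 16)
    h["kind"] = hook_kind(h["detail"])
    jm = JMP_ABS_RE.match(h["detail"])
    h["target"] = int(jm.group(1), 16) if jm else None
    return h

def triage(lines):
    """Split log lines into parsed hook entries and parsed suspicious-library entries."""
    hooks, libs = [], []
    for line in lines:
        h = parse_hook(line)
        if h:
            hooks.append(h)
            continue
        m = LIB_RE.match(line)
        if m:
            libs.append(m.groupdict())
    return hooks, libs

def shared_patches(hooks, min_processes=2):
    """Patches byte-identical at the same address in at least min_processes processes.
    These describe the shared module image rather than one process (here the 2-byte
    PSAPI patch that every WOW64 process shows) and are triaged once, as a group."""
    groups = defaultdict(set)
    for h in hooks:
        groups[(h["module"].lower(), h["func"], h["addr"], h["detail"])].add(h["pid"])
    return sorted((func, addr, detail, len(pids))
                  for (_, func, addr, detail), pids in groups.items()
                  if len(pids) >= min_processes)

def absolute_jumps(hooks):
    """(pid, function, target) for hooks that redirect to an absolute address; resolving
    which module owns each target needs a memory map that this log does not carry."""
    return [(h["pid"], h["func"], h["target"]) for h in hooks if h["target"] is not None]

def library_hosts(libs):
    """Map each DLL GMER marked suspicious to the sorted PIDs it was found in."""
    hosts = defaultdict(list)
    for lib in libs:
        hosts[lib["dll"].rsplit("\\", 1)[-1].lower()].append(int(lib["pid"]))
    return {dll: sorted(pids) for dll, pids in hosts.items()}

if __name__ == "__main__":
    hooks, libs = triage(SAMPLE_LINES)
    print(shared_patches(hooks), absolute_jumps(hooks), library_hosts(libs), sep="\n")
```

Run it against the full log by reading the file into a list of lines and passing that to triage() instead of SAMPLE_LINES; the ".text ... * 2" continuation lines do not match either pattern and are simply skipped, so the per-process counts it reports are lower bounds for the processes GMER abbreviated that way.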