GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-10-04 10:10:22
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.GH2O 465,76GB
Running: l4x7onmb.exe; Driver: C:\Users\User\AppData\Local\Temp\kflyyaob.sys

---- User code sections - GMER 2.1 ----

.text C:\windows\SysWow64\ArcVCapRender\uArcCapture.exe[2952] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 000000006f1e11a8 2 bytes [1E, 6F]
.text C:\windows\SysWow64\ArcVCapRender\uArcCapture.exe[2952] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 000000006f1e13a8 2 bytes [1E, 6F]
.text C:\windows\SysWow64\ArcVCapRender\uArcCapture.exe[2952] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 000000006f1e1422 2 bytes [1E, 6F]
.text C:\windows\SysWow64\ArcVCapRender\uArcCapture.exe[2952] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 000000006f1e1498 2 bytes [1E, 6F]
.text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076e91401 2 bytes JMP 000000010779a47c
.text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3764] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076e91419 2 bytes JMP 000000010779a494
.text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076e91431 2 bytes JMP 000000010779a4ac
.text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076e9144a 2 bytes JMP 0000000076f5fcc5
.text ... * 9
.text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3764] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076e914dd 2 bytes JMP 000000010779a558
.text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076e914f5 2 bytes JMP 000000010779a570
.text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3764] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076e9150d 2 bytes JMP 000000010779a588
.text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076e91525 2 bytes JMP 000000010779a5a0
.text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076e9153d 2 bytes JMP 000000010779a5b8
.text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3764] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076e91555 2 bytes JMP 000000010779a5d0
.text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076e9156d 2 bytes JMP 000000010779a5e8
.text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076e91585 2 bytes JMP 000000010779a600
.text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3764] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076e9159d 2 bytes JMP 000000010779a618
.text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076e915b5 2 bytes JMP 000000010779a630
.text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076e915cd 2 bytes JMP 000000015d37ce48
.text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076e916b2 2 bytes JMP 000000010779a72d
.text C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076e916bd 2 bytes JMP 000000010779a738

---- User IAT/EAT - GMER 2.1 ----

IAT C:\windows\system32\mfevtps.exe[2760] @ C:\windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA] [13f21c0c0] C:\windows\system32\mfevtps.exe

---- Processes - GMER 2.1 ----

Library C:\ProgramData\Internet Manager\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [2588](2013-03-29 05:33:44) 000000006fbc0000
Library C:\ProgramData\Internet Manager\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [2588](2013-03-29 05:33:44) 000000006e940000
Library C:\ProgramData\Internet Manager\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [2588](2013-03-29 05:33:44) 000000006a1c0000
Library C:\ProgramData\Internet Manager\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [2588](2013-03-29 05:33:44) 000000006ff00000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\a41731b6e8b9
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 4255
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\a41731b6e8b9 (not active ControlSet)

---- EOF - GMER 2.1 ----