GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-12-17 20:05:32
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AAKX-001CA0 rev.15.01H15 465,76GB
Running: gmer.exe; Driver: C:\Users\bumbel\AppData\Local\Temp\uwdyrpog.sys

---- User code sections - GMER 2.1 ----

.text C:\Users\bumbel\AppData\Roaming\uTorrent\uTorrent.exe[1684] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077791465 2 bytes [79, 77]
.text C:\Users\bumbel\AppData\Roaming\uTorrent\uTorrent.exe[1684] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000777914bb 2 bytes [79, 77]
.text ... * 2
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[1708] C:\Windows\syswow64\USER32.dll!GetMessageW 00000000752778e2 5 bytes JMP 0000000162854290
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[1708] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000075280dfb 5 bytes JMP 0000000162854390
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[1708] C:\Windows\syswow64\USER32.dll!GetCursorPos 0000000075281218 5 bytes JMP 00000001628540b0
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[1708] C:\Windows\syswow64\USER32.dll!UpdateLayeredWindowIndirect 00000000752828da 5 bytes JMP 0000000162853de0
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[1708] C:\Windows\syswow64\USER32.dll!WindowFromPoint 000000007529ed12 5 bytes JMP 0000000162853f50
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[1708] C:\Windows\syswow64\USER32.dll!AttachThreadInput 000000007529f188 5 bytes JMP 0000000162855290
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[1708] C:\Windows\syswow64\shell32.dll!ShellExecuteW 00000000764e3c31 4 bytes JMP 00000001628550b0
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[1708] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000077791465 2 bytes [79, 77]
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[1708] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000777914bb 2 bytes [79, 77]
.text ... * 2
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[1708] C:\Windows\syswow64\COMDLG32.dll!GetOpenFileNameW 000000007737a2d5 5 bytes JMP 0000000162854e30
.text C:\Program Files (x86)\Overwolf\Overwolf.exe[1708] C:\Windows\syswow64\COMDLG32.dll!GetSaveFileNameW 000000007737a36e 5 bytes JMP 0000000162854f70
.text C:\Program Files (x86)\Winstep\Nexus.exe[1724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077791465 2 bytes [79, 77]
.text C:\Program Files (x86)\Winstep\Nexus.exe[1724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000777914bb 2 bytes [79, 77]
.text ... * 2
.text C:\Windows\SysWOW64\PnkBstrA.exe[2460] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 000000006ca51a22 2 bytes [A5, 6C]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2460] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 000000006ca51ad0 2 bytes [A5, 6C]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2460] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 000000006ca51b08 2 bytes [A5, 6C]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2460] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 000000006ca51bba 2 bytes [A5, 6C]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2460] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 000000006ca51bda 2 bytes [A5, 6C]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077791465 2 bytes [79, 77]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000777914bb 2 bytes [79, 77]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Overwolf\0.81.34.0\OverwolfHelper.exe[3828] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000077791465 2 bytes [79, 77]
.text C:\Program Files (x86)\Common Files\Overwolf\0.81.34.0\OverwolfHelper.exe[3828] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000777914bb 2 bytes [79, 77]
.text ... * 2
.text C:\Program Files (x86)\Overwolf\0.81.34.0\OverwolfBrowser.exe[5112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077791465 2 bytes [79, 77]
.text C:\Program Files (x86)\Overwolf\0.81.34.0\OverwolfBrowser.exe[5112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000777914bb 2 bytes [79, 77]
.text ... * 2
.text C:\Program Files (x86)\Overwolf\0.81.34.0\Purplizer\Purplizer.exe[5360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077791465 2 bytes [79, 77]
.text C:\Program Files (x86)\Overwolf\0.81.34.0\Purplizer\Purplizer.exe[5360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000777914bb 2 bytes [79, 77]
.text ... * 2

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\svchost.exe [300:3884] 000007fef2a20ea8
Thread C:\Windows\system32\svchost.exe [300:3944] 000007fef2a19db0
Thread C:\Windows\system32\svchost.exe [300:4060] 000007fef2a1aa10
Thread C:\Windows\system32\svchost.exe [300:4072] 000007fef2a21c94
Thread [2300:2936] 000007fef477d954
Thread [2300:2940] 000007fef4726638
Thread [2300:2948] 00000000775faef0
Thread [2300:2728] 00000000775ffbf0
Thread [2300:1516] 000007fef4726638
Thread [2300:2944] 000007fef4726638
Thread [2300:2016] 000007fef4726638
Thread [2300:1704] 000007fef4726638
Thread [2300:3016] 000007fef4726638
Thread [2300:3032] 000007fef4726638
Thread [2300:2032] 000007fef464f3d0
Thread [2300:2888] 000007fef49fb84c
Thread [2300:4640] 000007fef4726638
Thread [2300:3272] 000007fef4726638
Thread [2300:3380] 000007fef4726638
Thread C:\Windows\System32\svchost.exe [1632:1072] 000007fede3a9688
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2244:740] 000007fefa0d2a7c

---- Processes - GMER 2.1 ----

Process C:\Users\bumbel\AppData\Local\Temp\Rar$EXa0.288\gmer.exe (*** suspicious ***) @ C:\Users\bumbel\AppData\Local\Temp\Rar$EXa0.288\gmer.exe [3320](2014-12-17 18:27:50) 0000000000400000

---- EOF - GMER 2.1 ----