GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-08 14:27:51 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SanDisk_ rev.X310 223,57GB Running: zl5u8mj8.exe; Driver: C:\Users\user\AppData\Local\Temp\uxldipow.sys ---- User code sections - GMER 2.1 ---- .text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe[2456] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c21465 2 bytes [C2, 74] .text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe[2456] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c214bb 2 bytes [C2, 74] .text ... * 2 .text c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe[3652] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c21465 2 bytes [C2, 74] .text c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe[3652] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c214bb 2 bytes [C2, 74] .text ... * 2 .text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe[5264] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c21465 2 bytes [C2, 74] .text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe[5264] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c214bb 2 bytes [C2, 74] .text ... * 2 .text C:\windows\SysWOW64\RunDll32.exe[6116] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c21465 2 bytes [C2, 74] .text C:\windows\SysWOW64\RunDll32.exe[6116] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c214bb 2 bytes [C2, 74] .text ... * 2 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007722f9e0 5 bytes JMP 000000016753ea93 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtOpenKey 000000007722fa28 5 bytes JMP 000000016753f0f8 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 000000007722fa40 5 bytes JMP 000000016753d830 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtQueryKey 000000007722fa90 5 bytes JMP 000000016753d38c .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007722faa8 5 bytes JMP 000000016753d67d .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtCreateKey 000000007722fb40 5 bytes JMP 000000016753f338 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007722fc38 5 bytes JMP 000000016754a713 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtEnumerateKey 000000007722fd4c 5 bytes JMP 000000016753d1d4 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007722fd64 5 bytes JMP 0000000167549d35 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007722fd98 5 bytes JMP 000000016754a030 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007722fe44 5 bytes JMP 000000016753e668 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 000000007722fe5c 5 bytes JMP 0000000167549e5e .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000772300b4 5 bytes JMP 0000000167549b7a .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000772301c4 5 bytes JMP 000000016753d9d8 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtCreateKeyTransacted 0000000077230754 5 bytes JMP 000000016753f3da .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtDeleteFile 00000000772309e4 5 bytes JMP 0000000167549d72 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtDeleteKey 00000000772309fc 5 bytes JMP 000000016753cfa8 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077230a44 5 bytes JMP 000000016753db8e .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077230b80 5 bytes JMP 000000016753d0be .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077230f70 5 bytes JMP 000000016753e01b .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077230f88 5 bytes JMP 000000016753e1b7 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077231018 5 bytes JMP 000000016753f185 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyTransacted 0000000077231030 5 bytes JMP 000000016753f2a8 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyTransactedEx 0000000077231048 5 bytes JMP 000000016753f215 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 000000007723133c 5 bytes JMP 0000000167549f47 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 000000007723147c 5 bytes JMP 000000016753de8e .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 0000000077231528 5 bytes JMP 000000016753e37b .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtRenameKey 0000000077231718 5 bytes JMP 000000016753dd06 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtSetInformationKey 0000000077231a58 5 bytes JMP 000000016753d535 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077231b9c 5 bytes JMP 000000016753e4fd .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000075af103d 5 bytes JMP 0000000167523904 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000075af1072 5 bytes JMP 0000000167523d68 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075af8791 5 bytes JMP 00000001659c99c1 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075b1c9b5 5 bytes JMP 0000000167523a1e .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\kernel32.dll!WinExec 0000000075b72ff1 5 bytes JMP 0000000167523c62 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075972642 5 bytes JMP 0000000167523f75 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\USER32.dll!RegisterClipboardFormatW 0000000075089ebd 5 bytes JMP 00000001659e99ff .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\USER32.dll!RegisterClipboardFormatA 0000000075090afa 5 bytes JMP 00000001659ee26c .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\USER32.dll!BeginPaint 0000000075091361 5 bytes JMP 00000001659fc8b4 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\USER32.dll!ValidateRect 0000000075097849 5 bytes JMP 0000000165b71f12 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\SHELL32.dll!SHParseDisplayName 00000000760d7edb 5 bytes JMP 0000000165ac54dc .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\ole32.dll!OleLoadFromStream 00000000757d6143 5 bytes JMP 000000016616debe .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\ole32.dll!CoResumeClassObjects + 7 00000000757dea09 7 bytes JMP 000000016755e370 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\ole32.dll!OleRun 00000000757e07de 5 bytes JMP 000000016755de9e .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\ole32.dll!CoRegisterClassObject 00000000757e21e1 5 bytes JMP 0000000167561745 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\ole32.dll!OleUninitialize 00000000757eeba1 6 bytes JMP 000000016755de15 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\ole32.dll!OleInitialize 00000000757eefd7 5 bytes JMP 000000016755ddcd .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\ole32.dll!CoGetClassObject 00000000758054ad 5 bytes JMP 000000016755fdbb .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\ole32.dll!CoInitializeEx 00000000758109ad 5 bytes JMP 000000016755dd6d .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\ole32.dll!CoUninitialize 00000000758186d3 5 bytes JMP 00000001675607cf .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075819d0b 5 bytes JMP 00000001675614ec .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000075819d4e 5 bytes JMP 000000016755f3c7 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\ole32.dll!CoSuspendClassObjects + 7 000000007583bb09 7 bytes JMP 000000016755dee6 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\ole32.dll!CoRevokeClassObject 000000007585eacf 5 bytes JMP 000000016755fa7c .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\ole32.dll!CoGetInstanceFromFile 000000007589340b 5 bytes JMP 00000001675608cf .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\ole32.dll!OleRegEnumFormatEtc 00000000758dcfd9 5 bytes JMP 000000016755de56 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\oleaut32.dll!SysFreeString 0000000074fe3e59 5 bytes JMP 0000000165a20b7f .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\oleaut32.dll!VariantClear 0000000074fe3eae 5 bytes JMP 0000000165a3d70c .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\oleaut32.dll!SysAllocStringByteLen 0000000074fe4731 5 bytes JMP 0000000165a88714 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\oleaut32.dll!VariantChangeType 0000000074fe5dee 5 bytes JMP 0000000165aba6a0 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\oleaut32.dll!RegisterActiveObject 00000000750127ce 5 bytes JMP 00000001675603db .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\oleaut32.dll!RevokeActiveObject 00000000750132c4 5 bytes JMP 000000016755dd25 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\oleaut32.dll!GetActiveObject 0000000075028f80 5 bytes JMP 000000016756056f .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c21465 2 bytes [C2, 74] .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c214bb 2 bytes [C2, 74] .text ... * 2 ? C:\windows\system32\mssprxy.dll [5352] entry point in ".rdata" section 000000005c6f71e6 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[5352] C:\Program Files\Microsoft Office 15\Root\Office15\outlrpc.dll!MAPIRevokeMoniker@4 + 657 000000005b15287c 4 bytes [42, 6C, C0, 3A] ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5876:6080] 000007fef9352bf8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5876:5204] 000007fef3845124 ---- Processes - GMER 2.1 ---- Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\outlook.exe [5352] 00000000659c0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\riched20.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\outlook.exe [5352] 000000005f2d0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\outlook.exe [5352] 000000005c5d0000 Library C:\Program Files (x86)\Common Files\SYSTEM\MSMAPI\1045\MSMAPI32.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\outlook.exe [5352] 000000005bae0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\PROOF\MSLID.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\outlook.exe [5352] 000000005ae90000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\485ab6f0a818 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\485ab6f0fdcf Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\485ab6f0fde7 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\485ab6f0a818 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\485ab6f0fdcf (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\485ab6f0fde7 (not active ControlSet) ---- EOF - GMER 2.1 ----