GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-27 21:40:50 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD10JPVX-75JC3T0 rev.01.01A01 931,51GB Running: yohv35bv.exe; Driver: C:\Users\Krystian\AppData\Local\Temp\pgddqpoc.sys ---- User code sections - GMER 2.1 ---- .text C:\ProgramData\YbbayXorNC\GEDaPsL.exe[2492] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075481465 2 bytes [48, 75] .text C:\ProgramData\YbbayXorNC\GEDaPsL.exe[2492] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000754814bb 2 bytes [48, 75] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075481465 2 bytes [48, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754814bb 2 bytes [48, 75] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[956] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000731111a8 2 bytes [11, 73] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[956] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 00000000731113a8 2 bytes [11, 73] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[956] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000073111422 2 bytes [11, 73] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[956] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000073111498 2 bytes [11, 73] .text C:\PROGRA~2\Raptr\raptr.exe[1984] C:\Windows\syswow64\USER32.dll!DispatchMessageW 000000007684787b 5 bytes JMP 0000000164d58330 .text C:\PROGRA~2\Raptr\raptr.exe[1984] C:\Windows\syswow64\USER32.dll!DispatchMessageA 0000000076847bbb 5 bytes JMP 0000000164d58300 .text C:\PROGRA~2\Raptr\raptr.exe[1984] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076848a29 5 bytes JMP 0000000164d58d10 .text C:\PROGRA~2\Raptr\raptr.exe[1984] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000076848e4e 5 bytes JMP 0000000164d58490 .text C:\PROGRA~2\Raptr\raptr.exe[1984] C:\Windows\syswow64\USER32.dll!DestroyWindow 0000000076849a55 5 bytes JMP 0000000164d58460 .text C:\PROGRA~2\Raptr\raptr.exe[1984] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007684d22e 5 bytes JMP 0000000164d58bd0 .text C:\PROGRA~2\Raptr\raptr.exe[1984] C:\Windows\syswow64\USER32.dll!PeekMessageW 00000000768505ba 5 bytes JMP 0000000164d58650 .text C:\PROGRA~2\Raptr\raptr.exe[1984] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076850dfb 5 bytes JMP 0000000164d58360 .text C:\PROGRA~2\Raptr\raptr.exe[1984] C:\Windows\syswow64\USER32.dll!EndPaint 0000000076851341 5 bytes JMP 0000000164d58730 .text C:\PROGRA~2\Raptr\raptr.exe[1984] C:\Windows\syswow64\USER32.dll!BeginPaint 0000000076851361 5 bytes JMP 0000000164d586d0 .text C:\PROGRA~2\Raptr\raptr.exe[1984] C:\Windows\syswow64\USER32.dll!UpdateLayeredWindowIndirect 00000000768528da 5 bytes JMP 0000000164d58b50 .text C:\PROGRA~2\Raptr\raptr.exe[1984] C:\Windows\syswow64\USER32.dll!SetCursor 00000000768541f6 5 bytes JMP 0000000164d57c00 .text C:\PROGRA~2\Raptr\raptr.exe[1984] C:\Windows\syswow64\USER32.dll!PeekMessageA 0000000076855f74 5 bytes JMP 0000000164d585f0 .text C:\PROGRA~2\Raptr\raptr.exe[1984] C:\Windows\syswow64\USER32.dll!BringWindowToTop 0000000076857b3b 5 bytes JMP 0000000164d586b0 .text C:\PROGRA~2\Raptr\raptr.exe[1984] C:\Windows\syswow64\USER32.dll!AnimateWindow 000000007685b531 5 bytes JMP 0000000164d58500 .text C:\PROGRA~2\Raptr\raptr.exe[1984] C:\Windows\syswow64\USER32.dll!UpdateLayeredWindow 000000007685ba4a 5 bytes JMP 0000000164d58a80 .text C:\PROGRA~2\Raptr\raptr.exe[1984] C:\Windows\syswow64\USER32.dll!WindowFromPoint 000000007686ed12 5 bytes JMP 0000000164d57c20 .text C:\PROGRA~2\Raptr\raptr.exe[1984] C:\Windows\syswow64\USER32.dll!SetCapture 000000007686ed56 5 bytes JMP 0000000164d585d0 .text C:\PROGRA~2\Raptr\raptr.exe[1984] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 000000007686f170 5 bytes JMP 0000000164d58590 .text C:\PROGRA~2\Raptr\raptr.exe[1984] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000074b25ea6 5 bytes JMP 0000000164d57c50 .text C:\PROGRA~2\Raptr\raptr.exe[1984] C:\Windows\syswow64\GDI32.dll!StretchBlt 0000000074b2b895 5 bytes JMP 0000000164d57ed0 ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4688:3860] 000007fefb072bf8 ---- Processes - GMER 2.1 ---- Process C:\Users\Krystian\AppData\Roaming\WHService\wh.exe (*** suspicious ***) @ C:\Users\Krystian\AppData\Roaming\WHService\wh.exe [2444](2014-12-17 21:32:17) 0000000000400000 Library C:\Users\Krystian\AppData\Roaming\WHService\sub\default.dll (*** suspicious ***) @ C:\Users\Krystian\AppData\Roaming\WHService\wh.exe [2444](2014-12-17 21:32:27) 0000000002e00000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0071cc013982 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\645a0498cd89 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\8056f2822cb6 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0071cc013982 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\645a0498cd89 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\8056f2822cb6 (not active ControlSet) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A3E36DE1-0782-4F25-2883-B55EF60BB700} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A3E36DE1-0782-4F25-2883-B55EF60BB700}@dbabfdpomnnlgmhdnifchmpokbpeibicgaefgame 0x68 0x61 0x6A 0x63 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A3E36DE1-0782-4F25-2883-B55EF60BB700}@jbabfdpomnnlgmhdnifckpbdmeobganfioipleoojelgndbbelnc 0x68 0x61 0x6A 0x63 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A3E36DE1-0782-4F25-2883-B55EF60BB700}@dbabfdpomnnlgmhdnifcepgnckbmcchppiikbnbn 0x62 0x61 0x67 0x6F ... ---- EOF - GMER 2.1 ----