GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-01-28 00:44:49
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD5001AALS-00L3B2 rev.01.03B01 465,76GB
Running: 5mcst1jo.exe; Driver: C:\Users\ROBERT\AppData\Local\Temp\uwrdypob.sys


---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 448   fffff800027bc000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 495   fffff800027bc02f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text  H:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE[5840] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter + 1   0000000077939041 11 bytes {MOV EAX, 0xffffffffe38b6c98; INC BYTE [RDI]; ADD [RAX], AL; JMP RAX}
.text  H:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE[5840] C:\Windows\system32\ole32.dll!OleLoadFromStream   000007feff8275f0 5 bytes JMP 000007fffe9300d8
.text  H:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE[5840] C:\Windows\system32\OLEAUT32.dll!VariantClear   000007fefddd1180 5 bytes JMP 000007fefe9301b8
.text  H:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE[5840] C:\Windows\system32\OLEAUT32.dll!SysFreeString   000007fefddd1320 7 bytes JMP 000007fefe930148
.text  H:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE[5840] C:\Windows\system32\OLEAUT32.dll!SysAllocStringByteLen   000007fefddd4470 6 bytes JMP 000007fefe930110
.text  H:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE[5840] C:\Windows\system32\OLEAUT32.dll!VariantChangeType   000007fefddd6720 10 bytes JMP 000007fefe930180
.text  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[2144] C:\Windows\syswow64\WININET.dll!InternetCloseHandle   0000000076c43fa0 5 bytes JMP 000000016de7d7d0
.text  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[2144] C:\Windows\syswow64\WININET.dll!HttpOpenRequestW   0000000076c48760 5 bytes JMP 000000016de7d3f0
.text  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[2144] C:\Windows\syswow64\WININET.dll!InternetConnectW   0000000076c4c410 5 bytes JMP 000000016de7d160
.text  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[2144] C:\Windows\syswow64\WININET.dll!InternetReadFile   0000000076c54fb0 5 bytes JMP 000000016de7d770
.text  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[2144] C:\Windows\syswow64\WININET.dll!InternetQueryDataAvailable   0000000076c63290 5 bytes JMP 000000016de7d820
.text  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076b41465 2 bytes [B4, 76]
.text  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000076b414bb 2 bytes [B4, 76]
.text  ... * 2
.text  C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe[5988] C:\Windows\system32\kernel32.dll!LoadLibraryW   0000000077936440 5 bytes JMP 00000001656eedc0
.text  C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe[5988] C:\Windows\system32\kernel32.dll!LoadLibraryA   0000000077936530 5 bytes JMP 00000001656eeca0
.text  c:\PROGRA~2\mcafee\SITEAD~1\saui.exe[4588] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076b41465 2 bytes [B4, 76]
.text  c:\PROGRA~2\mcafee\SITEAD~1\saui.exe[4588] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000076b414bb 2 bytes [B4, 76]
.text  ... * 2

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\system32\mfevtps.exe[5080] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA]   [13fbf1cb0] C:\Windows\system32\mfevtps.exe

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations   ???\lo????????N??????\????D\te??{8ECC055D-047F-11D1-A537-0000F8753ED1}?ERT??? &??????c?????mp\??McAfee Inc. cfwids?Fil???????????????????????????\???????????????????g???????????e???????????????x?xnl???????????????????????????????\???????????x??????\A??????????????????????????PlugPlay????? ?????????????????????0???????????????????????x?????????????????,????*??????g???????????????????????e??????????NVIDIA?ft??????,????? ????????????????B???????????L?????????????????????????????????????????????????ys??? ????????????????????????????&???6??????v???????????S??????????c:\program files\common files\logishrd\bluetooth\LBTServMsg.dll?:\???????????T???????a???????????\?????????e6\??c:\program files\common files\logishrd\bluetooth\LBTServMsg.dll?ca??? ???????m??????tD??? ?????????????~???????0??L????????? ???????? ??????????????? ?????????????????????0????????????&????????????????????\??????????????????????????????????????d????????????????h????????????????????$???????????????e???????P?p???????????????????????????? ?????
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\ROBERT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\McAfee\McAfee LiveSafe \x2013 Internet Security.lnk   1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee\McAfee LiveSafe \x2013 Internet Security.lnk   1

---- EOF - GMER 2.1 ----