GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-03-01 11:27:25 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-3 WDC_WD1600AAJS-08PSA0 rev.05.06H05 149,05GB Running: xid7dghx.exe; Driver: C:\Users\Robert\AppData\Local\Temp\uwrdypob.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Steam\Steam.exe[2672] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000075651401 2 bytes JMP 756deb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[2672] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000075651419 2 bytes JMP 756eb513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[2672] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000075651431 2 bytes JMP 75768609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[2672] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 000000007565144a 2 bytes CALL 756c1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Steam\Steam.exe[2672] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000756514dd 2 bytes JMP 75767efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[2672] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000756514f5 2 bytes JMP 757680d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[2672] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 000000007565150d 2 bytes JMP 75767df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[2672] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000075651525 2 bytes JMP 757681c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[2672] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 000000007565153d 2 bytes JMP 756df088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[2672] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000075651555 2 bytes JMP 756eb885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[2672] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 000000007565156d 2 bytes JMP 757686c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[2672] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000075651585 2 bytes JMP 75768222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[2672] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 000000007565159d 2 bytes JMP 75767db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[2672] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000756515b5 2 bytes JMP 756df121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[2672] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000756515cd 2 bytes JMP 756eb29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[2672] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000756516b2 2 bytes JMP 75768584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\Steam.exe[2672] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000756516bd 2 bytes JMP 75767d4d C:\Windows\syswow64\kernel32.dll .text C:\Windows\Temp\spdc32.exe[2964] C:\Windows\syswow64\kernel32.dll!ExitProcess 00000000756c734e 5 bytes JMP 00000001001d0000 .text C:\Windows\Temp\spdc32.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075651401 2 bytes JMP 756deb26 C:\Windows\syswow64\kernel32.dll .text C:\Windows\Temp\spdc32.exe[2964] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075651419 2 bytes JMP 756eb513 C:\Windows\syswow64\kernel32.dll .text C:\Windows\Temp\spdc32.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075651431 2 bytes JMP 75768609 C:\Windows\syswow64\kernel32.dll .text C:\Windows\Temp\spdc32.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007565144a 2 bytes CALL 756c1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\Temp\spdc32.exe[2964] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000756514dd 2 bytes JMP 75767efe C:\Windows\syswow64\kernel32.dll .text C:\Windows\Temp\spdc32.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000756514f5 2 bytes JMP 757680d8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\Temp\spdc32.exe[2964] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007565150d 2 bytes JMP 75767df4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\Temp\spdc32.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075651525 2 bytes JMP 757681c2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\Temp\spdc32.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007565153d 2 bytes JMP 756df088 C:\Windows\syswow64\kernel32.dll .text C:\Windows\Temp\spdc32.exe[2964] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075651555 2 bytes JMP 756eb885 C:\Windows\syswow64\kernel32.dll .text C:\Windows\Temp\spdc32.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007565156d 2 bytes JMP 757686c1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\Temp\spdc32.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075651585 2 bytes JMP 75768222 C:\Windows\syswow64\kernel32.dll .text C:\Windows\Temp\spdc32.exe[2964] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007565159d 2 bytes JMP 75767db8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\Temp\spdc32.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000756515b5 2 bytes JMP 756df121 C:\Windows\syswow64\kernel32.dll .text C:\Windows\Temp\spdc32.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000756515cd 2 bytes JMP 756eb29f C:\Windows\syswow64\kernel32.dll .text C:\Windows\Temp\spdc32.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000756516b2 2 bytes JMP 75768584 C:\Windows\syswow64\kernel32.dll .text C:\Windows\Temp\spdc32.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000756516bd 2 bytes JMP 75767d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075651401 2 bytes JMP 756deb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3624] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075651419 2 bytes JMP 756eb513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075651431 2 bytes JMP 75768609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007565144a 2 bytes CALL 756c1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3624] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000756514dd 2 bytes JMP 75767efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000756514f5 2 bytes JMP 757680d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3624] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007565150d 2 bytes JMP 75767df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075651525 2 bytes JMP 757681c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007565153d 2 bytes JMP 756df088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3624] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075651555 2 bytes JMP 756eb885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007565156d 2 bytes JMP 757686c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075651585 2 bytes JMP 75768222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3624] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007565159d 2 bytes JMP 75767db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000756515b5 2 bytes JMP 756df121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000756515cd 2 bytes JMP 756eb29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000756516b2 2 bytes JMP 75768584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000756516bd 2 bytes JMP 75767d4d C:\Windows\syswow64\kernel32.dll ---- Processes - GMER 2.1 ---- Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A6E2E8F4-A003-4247-8D57-FC6BB7178FB8}\mpengine.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [3816] (Microsoft Malware Protection Engine/Microsoft Corporation)(2014-06-18 17:45:34) 000007fee8b50000 Library C:\Users\Robert\Downloads\FRST64.exe (*** suspicious ***) @ C:\Users\Robert\Downloads\FRST64.exe [4296] 000000013fd80000 ---- EOF - GMER 2.1 ----