GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-06 23:38:43
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 GOODRAM_C40 rev.S9FM01.8 111,79GB
Running: fiquq7fe.exe; Driver: C:\Users\mateusz\AppData\Local\Temp\pwryypow.sys

---- User code sections - GMER 2.1 ----

.text   C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[2908]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69    0000000074e41465 2 bytes [E4, 74]
.text   C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[2908]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000074e414bb 2 bytes [E4, 74]
.text   ...   * 2
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[2076]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69    0000000074e41465 2 bytes [E4, 74]
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[2076]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000074e414bb 2 bytes [E4, 74]
.text   ...   * 2
.text   C:\Users\mateusz\AppData\Roaming\SkypEmoticons\SE.exe[2240]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69    0000000074e41465 2 bytes [E4, 74]
.text   C:\Users\mateusz\AppData\Roaming\SkypEmoticons\SE.exe[2240]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000074e414bb 2 bytes [E4, 74]
.text   ...   * 2
.text   C:\Users\mateusz\AppData\Roaming\CYF\CYF.exe[4404]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69    0000000074e41465 2 bytes [E4, 74]
.text   C:\Users\mateusz\AppData\Roaming\CYF\CYF.exe[4404]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000074e414bb 2 bytes [E4, 74]
.text   ...   * 2
.text   D:\Steam\Steam.exe[5192]   C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69    0000000074e41465 2 bytes [E4, 74]
.text   D:\Steam\Steam.exe[5192]   C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155   0000000074e414bb 2 bytes [E4, 74]
.text   ...   * 2
.text   D:\Steam\bin\steamwebhelper.exe[5504]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69    0000000074e41465 2 bytes [E4, 74]
.text   D:\Steam\bin\steamwebhelper.exe[5504]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000074e414bb 2 bytes [E4, 74]
.text   ...   * 2
.text   D:\Steam\bin\steamwebhelper.exe[4272]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69    0000000074e41465 2 bytes [E4, 74]
.text   D:\Steam\bin\steamwebhelper.exe[4272]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000074e414bb 2 bytes [E4, 74]
.text   ...   * 2
.text   D:\Steam\bin\steamwebhelper.exe[828]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69    0000000074e41465 2 bytes [E4, 74]
.text   D:\Steam\bin\steamwebhelper.exe[828]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000074e414bb 2 bytes [E4, 74]
.text   ...   * 2
.text   C:\Program Files (x86)\Common Files\2a617352-d396-46a3-a71b-5d89535356cf\updater.exe[5372]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69    0000000074e41465 2 bytes [E4, 74]
.text   C:\Program Files (x86)\Common Files\2a617352-d396-46a3-a71b-5d89535356cf\updater.exe[5372]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000074e414bb 2 bytes [E4, 74]
.text   ...   * 2
.text   C:\ProgramData\2a617352-d396-46a3-a71b-5d89535356cf\plugincontainer.exe[708]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69    0000000074e41465 2 bytes [E4, 74]
.text   C:\ProgramData\2a617352-d396-46a3-a71b-5d89535356cf\plugincontainer.exe[708]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000074e414bb 2 bytes [E4, 74]
.text   ...   * 2
.text   C:\ProgramData\2a617352-d396-46a3-a71b-5d89535356cf\plugins\3\plugin.exe[4520]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69    0000000074e41465 2 bytes [E4, 74]
.text   C:\ProgramData\2a617352-d396-46a3-a71b-5d89535356cf\plugins\3\plugin.exe[4520]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000074e414bb 2 bytes [E4, 74]
.text   ...   * 2
.text   C:\ProgramData\2a617352-d396-46a3-a71b-5d89535356cf\plugins\3\plugin.exe[1400]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69    0000000074e41465 2 bytes [E4, 74]
.text   C:\ProgramData\2a617352-d396-46a3-a71b-5d89535356cf\plugins\3\plugin.exe[1400]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000074e414bb 2 bytes [E4, 74]
.text   ...   * 2

---- Threads - GMER 2.1 ----

Thread   C:\Windows\SysWOW64\rundll32.exe [1584:1832]   000000007ed9af20
Thread   C:\Windows\SysWOW64\rundll32.exe [1584:4972]   000000007ec5a8b0
Thread   C:\Windows\SysWOW64\rundll32.exe [4616:4976]   000000007ee7f330
Thread   C:\Windows\SysWOW64\rundll32.exe [4616:5188]   000000007ec5a800

---- Processes - GMER 2.1 ----

Process   C:\Users\mateusz\AppData\Roaming\CYF\CYF.exe (*** suspicious ***) @ C:\Users\mateusz\AppData\Roaming\CYF\CYF.exe [4404] (SkypeFall.exe/SkypeFall)(2015-03-06 10:23:32)   0000000000e10000

---- EOF - GMER 2.1 ----