GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-09 15:34:53
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000036 WDC_WD32 rev.01.0 298,09GB
Running: 6gdf2f5i.exe; Driver: C:\Users\yammo.it\AppData\Local\Temp\pxloqpow.sys

---- User code sections - GMER 2.1 ----

? C:\Windows\SYSTEM32\BsHelpCSps.dll [1592] entry point in ".data" section 00000000025e5055
.text C:\Program Files (x86)\AVG PC TuneUp 2014\TuneUpUtilitiesService64.exe[2108] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007feb5da177a 4 bytes [DA, B5, FE, 07]
.text C:\Program Files (x86)\AVG PC TuneUp 2014\TuneUpUtilitiesService64.exe[2108] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007feb5da1782 4 bytes [DA, B5, FE, 07]
.text C:\Program Files (x86)\AVG PC TuneUp 2014\TuneUpUtilitiesApp64.exe[3468] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007feb5da177a 4 bytes [DA, B5, FE, 07]
.text C:\Program Files (x86)\AVG PC TuneUp 2014\TuneUpUtilitiesApp64.exe[3468] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007feb5da1782 4 bytes [DA, B5, FE, 07]
? C:\Windows\SYSTEM32\BsHelpCSps.dll [1108] entry point in ".data" section 0000000003935055
? C:\Windows\SYSTEM32\BlueSoleilCSps.dll [1108] entry point in ".rdata" section 0000000004284085

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\csrss.exe [536:572] fffff960008445e8

---- Processes - GMER 2.1 ----

Process C:\ProgramData\WPM\wprotectmanager.exe (*** suspicious ***) @ C:\ProgramData\WPM\wprotectmanager.exe [1208] (WPM Service/Cherished Technololgy LIMITED)(2 0000000000f40000
Process C:\Users\yammo.it\AppData\Roaming\VOPackage\VOsrv.exe (*** suspicious ***) @ C:\Users\yammo.it\AppData\Roaming\VOPackage\VOsrv.exe [2176](2014-04-01 09:28:22) 0000000000d10000
Process C:\Users\yammo.it\AppData\Local\fst_it_84\upfst_it_84.exe (*** suspicious ***) @ C:\Users\yammo.it\AppData\Local\fst_it_84\upfst_it_84.exe [4708](2014-04-02 08:24:18) 0000000001160000
Process C:\Users\yammo.it\AppData\Local\fst_it_148\upfst_it_148.exe (*** suspicious ***) @ C:\Users\yammo.it\AppData\Local\fst_it_148\upfst_it_148.exe [4780](2014-06-19 09:08:41) 0000000000090000
Library C:\Users\yammo.it\AppData\Local\Pokki\Engine\libPokki.dll (*** suspicious ***) @ C:\Users\yammo.it\AppData\Local\Pokki\Engine\pokki.exe [4972] (Chromium/The Chromium Authors)(2013-12-05 18:21:02) 0000000069120000
Library C:\Users\yammo.it\AppData\Local\Pokki\Engine\icudt.dll (*** suspicious ***) @ C:\Users\yammo.it\AppData\Local\Pokki\Engine\pokki.exe [4972] (ICU Data DLL/The ICU Project)(2013-09-07 02:11:12) 0000000070470000
Library C:\Users\yammo.it\AppData\Local\Pokki\Engine\libPokki.dll (*** suspicious ***) @ C:\Users\yammo.it\AppData\Local\Pokki\Engine\pokki.exe [4276] (Chromium/The Chromium Authors)(2013-12-05 18:21:02) 0000000069120000
Library C:\Users\yammo.it\AppData\Local\Pokki\Engine\icudt.dll (*** suspicious ***) @ C:\Users\yammo.it\AppData\Local\Pokki\Engine\pokki.exe [4276] (ICU Data DLL/The ICU Project)(2013-09-07 02:11:12) 0000000070470000
Library C:\Users\yammo.it\AppData\Local\Pokki\Engine\ppGoogleNaClPluginChrome.dll (*** suspicious ***) @ C:\Users\yammo.it\AppData\Local\Pokki\Engine\pokki.exe [4276](2013-09-07 02:11:12) 0000000068700000
Library C:\Users\yammo.it\AppData\Local\Pokki\Engine\avcodec-54.dll (*** suspicious ***) @ C:\Users\yammo.it\AppData\Local\Pokki\Engine\pokki.exe [4276](2013-09-07 02:11:12) 0000000068500000
Library C:\Users\yammo.it\AppData\Local\Pokki\Engine\avutil-51.dll (*** suspicious ***) @ C:\Users\yammo.it\AppData\Local\Pokki\Engine\pokki.exe [4276](2013-09-07 02:11:12) 00000000684d0000
Library C:\Users\yammo.it\AppData\Local\Pokki\Engine\avformat-54.dll (*** suspicious ***) @ C:\Users\yammo.it\AppData\Local\Pokki\Engine\pokki.exe [4276](2013-09-07 02:11:12) 0000000068490000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -1065839900
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\8056f2259d94
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\a0-f3-c1-84-2c-4a@ClientLocalPort 56659
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\a0-f3-c1-84-2c-4a@AddressCreationTimestamp 0x60 0x09 0x0E 0x0B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\a0-f3-c1-84-2c-4a@TeredoAddress 2001:0:5ef5:79fb:3877:284f:dab2:8f75
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\a0-f3-c1-84-2c-4a@UPnPExternalPort 56659
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 4438
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 2899
Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 848
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FAF26276-EA97-46C3-A0DD-F0593BAE1EC3}@LeaseObtainedTime 1425896526
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FAF26276-EA97-46C3-A0DD-F0593BAE1EC3}@T1 1425900126
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FAF26276-EA97-46C3-A0DD-F0593BAE1EC3}@T2 1425902826
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FAF26276-EA97-46C3-A0DD-F0593BAE1EC3}@LeaseTerminatesTime 1425903726

---- Files - GMER 2.1 ----

File C:\Users\yammo.it\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\R2JQJFUF\AdPortalWebServiceCAXZZA6U 0 bytes
File C:\Users\yammo.it\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\R2JQJFUF\gadot[8].js 177 bytes
File C:\Users\yammo.it\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\R2JQJFUF\cmEuY29tL2FwcHMvbXlzZWFyY2hkaWFsLzEuMy4xL3RsYnIuaHRtIiwid2lkdGgiOjEzNjYsImhlaWdodCI6NzY4LCJnbGJ2IjoibzczZDMxNzMxMCIsImFkZG9ubmFtZSI6IkJsb2NrQW5kU3VyZiJ9[1].js 3998 bytes
File C:\Users\yammo.it\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\R2JQJFUF\intextevalCAKZTNFZ.gif 0 bytes
File C:\Users\yammo.it\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XCAVX82Y\amz[4].js 15594 bytes
File C:\Users\yammo.it\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XCAVX82Y\amz[5].js 15594 bytes
File C:\Users\yammo.it\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XCAVX82Y\intextCAX4ALWG.js 560 bytes
File C:\Users\yammo.it\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XCAVX82Y\serveCAHR219Q.js 18225 bytes
File C:\Users\yammo.it\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XCAVX82Y\getJsonAdsCA2NRJST.json 19 bytes
File C:\Users\yammo.it\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XCAVX82Y\mnu[1].js 7002 bytes

---- EOF - GMER 2.1 ----