GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-31 16:43:19
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST932032 rev.0003 298,09GB
Running: y3rrscdi.exe; Driver: C:\Users\Kasia\AppData\Local\Temp\fxldapow.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- User code sections - GMER 2.1 ----

.text C:\Windows\AsScrPro.exe[3016] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077721401 2 bytes JMP 75a5eb26 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[3016] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077721419 2 bytes JMP 75a6b513 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[3016] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077721431 2 bytes JMP 75ae8609 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[3016] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007772144a 2 bytes CALL 75a41dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Windows\AsScrPro.exe[3016] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000777214dd 2 bytes JMP 75ae7efe C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[3016] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000777214f5 2 bytes JMP 75ae80d8 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[3016] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007772150d 2 bytes JMP 75ae7df4 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[3016] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077721525 2 bytes JMP 75ae81c2 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[3016] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007772153d 2 bytes JMP 75a5f088 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[3016] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077721555 2 bytes JMP 75a6b885 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[3016] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007772156d 2 bytes JMP 75ae86c1 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[3016] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077721585 2 bytes JMP 75ae8222 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[3016] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007772159d 2 bytes JMP 75ae7db8 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[3016] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000777215b5 2 bytes JMP 75a5f121 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[3016] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000777215cd 2 bytes JMP 75a6b29f C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[3016] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000777216b2 2 bytes JMP 75ae8584 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\AsScrPro.exe[3016] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000777216bd 2 bytes JMP 75ae7d4d C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe [2624:2980] 0000000073bd52c9

---- Processes - GMER 2.1 ----

Process C:\ProgramData\MobileBrServ\mbbservice.exe (*** suspicious ***) @ C:\ProgramData\MobileBrServ\mbbservice.exe [1568](2015-03-23 13:35:28) 0000000000100000

---- EOF - GMER 2.1 ----