GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-05-23 22:22:30
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 SAMSUNG_HD502HI rev.1AG01118 465,76GB
Running: k01jtfor.exe; Driver: C:\Users\Adrian\AppData\Local\Temp\uxldrpod.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable  fffff96000104c00 7 bytes [00, 93, F3, FF, 41, A4, F0]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8  fffff96000104c08 3 bytes [00, 07, 02]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2180] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW  0000000077162ab1 5 bytes JMP 0000000101382ac0
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075351401 2 bytes JMP 753cb21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075351419 2 bytes JMP 753cb346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075351431 2 bytes JMP 75448ea9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007535144a 2 bytes CALL 753a48ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000753514dd 2 bytes JMP 754487a2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000753514f5 2 bytes JMP 75448978 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007535150d 2 bytes JMP 75448698 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075351525 2 bytes JMP 75448a62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007535153d 2 bytes JMP 753bfca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075351555 2 bytes JMP 753c68ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007535156d 2 bytes JMP 75448f61 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075351585 2 bytes JMP 75448ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007535159d 2 bytes JMP 7544865c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000753515b5 2 bytes JMP 753bfd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000753515cd 2 bytes JMP 753cb2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000753516b2 2 bytes JMP 75448e24 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000753516bd 2 bytes JMP 754485f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35  00000000730011a8 2 bytes [00, 73]
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248  000000007300127d 2 bytes CALL 753a14b9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 395  0000000073001310 2 bytes CALL 753a14b9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21  00000000730013a8 2 bytes [00, 73]
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21  0000000073001422 2 bytes [00, 73]
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[4616] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19  0000000073001498 2 bytes [00, 73]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\System32\svchost.exe [1392:2912]  000007fefa989688

---- Processes - GMER 2.1 ----

Library  C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\Qt5Core.dll (*** suspicious ***) @ C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [2004] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-02-27 14:47:20)  000000006d670000
Library  C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\Qt5Gui.dll (*** suspicious ***) @ C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [2004] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-02-27 14:48:40)  000007feefe30000
Library  C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\Qt5Widgets.dll (*** suspicious ***) @ C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [2004] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-02-27 14:50:40)  0000000066850000
Library  C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\Qt5Network.dll (*** suspicious ***) @ C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [2004] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-02-27 14:47:52)  000000006e0c0000
Library  C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\Qt5Sql.dll (*** suspicious ***) @ C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [2004] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-02-27 14:47:32)  000000006e7c0000
Library  C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\quazip.dll (*** suspicious ***) @ C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [2004](2014-02-28 09:14:02)  000007fef57e0000
Library  C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\platforms\qwindows.dll (*** suspicious ***) @ C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [2004](2014-02-27 14:51:48)  000007fef3470000
Library  C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\sqldrivers\qsqlite.dll (*** suspicious ***) @ C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [2004](2014-02-27 14:51:02)  000007fef3b60000
Library  C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\imageformats\qgif.dll (*** suspicious ***) @ C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [2004](2014-02-27 14:51:18)  000007fefa5a0000
Library  C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\imageformats\qjpeg.dll (*** suspicious ***) @ C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [2004](2014-02-27 14:51:12)  000007fef5710000
Library  C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\accessible\qtaccessiblewidgets.dll (*** suspicious ***) @ C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [2004](2014-02-27 14:51:18)  000007fef33a0000
Library  C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\ssleay32.dll (*** suspicious ***) @ C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [2004] (OpenSSL Shared Library/The OpenSSL Project, http://www.openssl.org/)(2014-06-05 13:48:20)  000007feefc60000
Library  C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\LIBEAY32.dll (*** suspicious ***) @ C:\Users\Adrian\AppData\Local\TeamSpeak 3 Client\ts3client_win64.exe [2004] (OpenSSL Shared Library/The OpenSSL Project, http://www.openssl.org/)(2014-06-05 13:48:20)  000007feefac0000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{125C4FAF-8776-4E90-A306-1BB7AC348470}@LeaseObtainedTime  1432409969
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{125C4FAF-8776-4E90-A306-1BB7AC348470}@T1  1432410248
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{125C4FAF-8776-4E90-A306-1BB7AC348470}@T2  1432410473
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{125C4FAF-8776-4E90-A306-1BB7AC348470}@LeaseTerminatesTime  1432410569
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3531A543-B57D-3BC6-DCA3-B9E41B275812}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3531A543-B57D-3BC6-DCA3-B9E41B275812}@maildnacpdpeldolcojpcadfnp  0x6F 0x61 0x62 0x65 ...
Reg  HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@D:\dla oli\sleeping dogs\Sleeping Dogs\x2122 Definitive Edition (u1) [R.G. Games]\Setup.exe  1

---- Files - GMER 2.1 ----

File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\C7B032B8D1D267DE8417C6B7C500CC6B32966B3E  8782 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\8420B70CDDA536DDCE5227C035A6C193A5F6D40A  3877 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\75C11A79B0554487FDF3FCF075308CEDF8629630  0 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\9EA4DBAB0E0BFA90A171CFE3BF14E7FB17C52ED5  3479 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\9EFBA4B6D40A3EBB6292064A119BB446EA9AB096  4199 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\5C2491A5D4C35D7EA661AA7EDDFF57093CF7BE7B  0 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\7FE1B4A2FB3C0062C6A624F4E53A7801B9D0EF21  4217 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\A51D3305CE0806FC4C77A8EDB640AA72EE7CD220  22104 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\B0710B51AA51BB5CA5EB84A8CD4D25BF71A81106  0 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\402D15254D494231C8A0CD711223BE3AC0C782FB  1242 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\EB61006096E759606E583EE9E8A9132AE19E96D8  0 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\82679508B21C3EB0A167365D2F349266BCFE717A  0 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\B26AD7CE5988BBD97D9B768097549B78814542A7  10775 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\35BD9F609D570CF8E4136B41C3D8C934EF83559E  16615 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\3DA575FA1A8C5F005889997FCEBDBE57E8B49FB7  3483 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\216EBE77B485470F2793CDB3BFBA61F510FBC85A  0 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\07913B5C27EBCF53FE0A9EE9F2D59CC90DACAC16  3423 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\CF5103284D653807D076906179C32F1335657CA9  3481 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\571CECD595047DE131647C2D7820BE666107B906  9404 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\D78AD7146ADC7F3EDCD4D2E21ADCCE34CBDB749E  3562 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\A91CB1ADAF903AD998DC2BD0F4A3A8B8FDD2B69D  0 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\B63EA3A68DEE8FE1EE3F631BD0D667691CA2DE0E  3907 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\E0C2E17071442A90699D3BAB4E27DA03707C2DCF  22101 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\20E2F17235387B99AE5213B1ECFEB549B2886302  3993 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\4E828CDC8D8616722F62C4FAC4D04B74AE28491E  23693 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\6AC539CD9EB79879A00F546B97D6FA993709B686  33027 bytes
File  C:\Users\Adrian\AppData\Local\Mozilla\Firefox\Profiles\mucdrqir.default-1424195479968\cache2\entries\6ED409CDEE893C7386794C5A79DFE2A69BEB05EE  4181 bytes

---- EOF - GMER 2.1 ----