GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-07-13 17:38:00
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000DM003-1ER162 rev.CC45 931,51GB
Running: ji6688gv.exe; Driver: C:\Users\Forma\AppData\Local\Temp\ugloypoc.sys

---- User code sections - GMER 2.1 ----

?      C:\Windows\system32\mssprxy.dll [2964] entry point in ".rdata" section 000000006d5471e6
.text  C:\Users\Forma\Downloads\HijackThis_2.0.4 (1).exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17      0000000077981401 2 bytes JMP 755fb21b C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Forma\Downloads\HijackThis_2.0.4 (1).exe[2964] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17        0000000077981419 2 bytes JMP 755fb346 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Forma\Downloads\HijackThis_2.0.4 (1).exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17      0000000077981431 2 bytes JMP 75678f29 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Forma\Downloads\HijackThis_2.0.4 (1).exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42      000000007798144a 2 bytes CALL 755d489d C:\Windows\syswow64\kernel32.dll
.text  ...                                                                                                                   * 9
.text  C:\Users\Forma\Downloads\HijackThis_2.0.4 (1).exe[2964] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17         00000000779814dd 2 bytes JMP 75678822 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Forma\Downloads\HijackThis_2.0.4 (1).exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000779814f5 2 bytes JMP 756789f8 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Forma\Downloads\HijackThis_2.0.4 (1).exe[2964] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17         000000007798150d 2 bytes JMP 75678718 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Forma\Downloads\HijackThis_2.0.4 (1).exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000077981525 2 bytes JMP 75678ae2 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Forma\Downloads\HijackThis_2.0.4 (1).exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17        000000007798153d 2 bytes JMP 755efca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Forma\Downloads\HijackThis_2.0.4 (1).exe[2964] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17             0000000077981555 2 bytes JMP 755f68ef C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Forma\Downloads\HijackThis_2.0.4 (1).exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17      000000007798156d 2 bytes JMP 75678fe3 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Forma\Downloads\HijackThis_2.0.4 (1).exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17        0000000077981585 2 bytes JMP 75678b42 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Forma\Downloads\HijackThis_2.0.4 (1).exe[2964] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17           000000007798159d 2 bytes JMP 756786dc C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Forma\Downloads\HijackThis_2.0.4 (1).exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17        00000000779815b5 2 bytes JMP 755efd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Forma\Downloads\HijackThis_2.0.4 (1).exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17      00000000779815cd 2 bytes JMP 755fb2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Forma\Downloads\HijackThis_2.0.4 (1).exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000779816b2 2 bytes JMP 75678ea4 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\Forma\Downloads\HijackThis_2.0.4 (1).exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000779816bd 2 bytes JMP 75678671 C:\Windows\syswow64\kernel32.dll

---- EOF - GMER 2.1 ----