GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-07-14 23:06:42
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000025 ST1000LM024_HN-M101MBB rev.2AR10002 931,51GB
Running: zy6yzbws.exe; Driver: C:\Users\Edyta\AppData\Local\Temp\uwldapow.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\WINDOWS\System32\win32k.sys!W32pServiceTable  fffff96000187200 15 bytes [00, 65, F4, 01, 80, 7D, 6A, ...]
.text  C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 17  fffff96000187211 10 bytes [F3, FB, FF, 00, 17, C7, 00, ...]

---- User code sections - GMER 2.1 ----

.text  C:\WINDOWS\system32\atiesrxx.exe[980] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffbdcff169a 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\system32\atiesrxx.exe[980] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffbdcff16a2 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\system32\atiesrxx.exe[980] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffbdcff181a 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\system32\atiesrxx.exe[980] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffbdcff1832 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\system32\WLANExt.exe[1184] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffbdcff169a 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\system32\WLANExt.exe[1184] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffbdcff16a2 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\system32\WLANExt.exe[1184] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffbdcff181a 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\system32\WLANExt.exe[1184] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffbdcff1832 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\System32\spoolsv.exe[1272] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffbdcff169a 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\System32\spoolsv.exe[1272] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffbdcff16a2 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\System32\spoolsv.exe[1272] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffbdcff181a 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\System32\spoolsv.exe[1272] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffbdcff1832 4 bytes [FF, DC, FB, 7F]
.text  C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1756] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffbdcff169a 4 bytes [FF, DC, FB, 7F]
.text  C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1756] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffbdcff16a2 4 bytes [FF, DC, FB, 7F]
.text  C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1756] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffbdcff181a 4 bytes [FF, DC, FB, 7F]
.text  C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1756] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffbdcff1832 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\system32\EscSvc64.exe[1876] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffbdcff169a 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\system32\EscSvc64.exe[1876] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffbdcff16a2 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\system32\EscSvc64.exe[1876] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffbdcff181a 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\system32\EscSvc64.exe[1876] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffbdcff1832 4 bytes [FF, DC, FB, 7F]
.text  C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1900] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffbdcff169a 4 bytes [FF, DC, FB, 7F]
.text  C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1900] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffbdcff16a2 4 bytes [FF, DC, FB, 7F]
.text  C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1900] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffbdcff181a 4 bytes [FF, DC, FB, 7F]
.text  C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1900] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffbdcff1832 4 bytes [FF, DC, FB, 7F]
.text  C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1900] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194  00007ffbd2631f6a 4 bytes [63, D2, FB, 7F]
.text  C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1900] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218  00007ffbd2631f82 4 bytes [63, D2, FB, 7F]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2084] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffbdcff169a 4 bytes [FF, DC, FB, 7F]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2084] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffbdcff16a2 4 bytes [FF, DC, FB, 7F]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2084] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffbdcff181a 4 bytes [FF, DC, FB, 7F]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2084] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffbdcff1832 4 bytes [FF, DC, FB, 7F]
.text  C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2276] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffbdcff169a 4 bytes [FF, DC, FB, 7F]
.text  C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2276] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffbdcff16a2 4 bytes [FF, DC, FB, 7F]
.text  C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2276] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffbdcff181a 4 bytes [FF, DC, FB, 7F]
.text  C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2276] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffbdcff1832 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3340] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffbdcff169a 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3340] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffbdcff16a2 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3340] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffbdcff181a 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3340] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffbdcff1832 4 bytes [FF, DC, FB, 7F]
.text  C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[4228] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194  00007ffbd2631f6a 4 bytes [63, D2, FB, 7F]
.text  C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[4228] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218  00007ffbd2631f82 4 bytes [63, D2, FB, 7F]
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[4584] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194  00007ffbd2631f6a 4 bytes [63, D2, FB, 7F]
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[4584] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218  00007ffbd2631f82 4 bytes [63, D2, FB, 7F]
.text  C:\WINDOWS\system32\atieclxx.exe[5556] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffbdcff169a 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\system32\atieclxx.exe[5556] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffbdcff16a2 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\system32\atieclxx.exe[5556] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffbdcff181a 4 bytes [FF, DC, FB, 7F]
.text  C:\WINDOWS\system32\atieclxx.exe[5556] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffbdcff1832 4 bytes [FF, DC, FB, 7F]
.text  C:\Windows\System32\igfxpers.exe[3868] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffbdcff169a 4 bytes [FF, DC, FB, 7F]
.text  C:\Windows\System32\igfxpers.exe[3868] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffbdcff16a2 4 bytes [FF, DC, FB, 7F]
.text  C:\Windows\System32\igfxpers.exe[3868] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffbdcff181a 4 bytes [FF, DC, FB, 7F]
.text  C:\Windows\System32\igfxpers.exe[3868] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffbdcff1832 4 bytes [FF, DC, FB, 7F]
.text  C:\Users\Edyta\Downloads\FRST64.exe[1280] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194  00007ffbd2631f6a 4 bytes [63, D2, FB, 7F]
.text  C:\Users\Edyta\Downloads\FRST64.exe[1280] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218  00007ffbd2631f82 4 bytes [63, D2, FB, 7F]
.text  C:\Users\Edyta\Downloads\FRST64.exe[1280] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffbdcff169a 4 bytes [FF, DC, FB, 7F]
.text  C:\Users\Edyta\Downloads\FRST64.exe[1280] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffbdcff16a2 4 bytes [FF, DC, FB, 7F]
.text  C:\Users\Edyta\Downloads\FRST64.exe[1280] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffbdcff181a 4 bytes [FF, DC, FB, 7F]
.text  C:\Users\Edyta\Downloads\FRST64.exe[1280] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffbdcff1832 4 bytes [FF, DC, FB, 7F]

---- Threads - GMER 2.1 ----

Thread  C:\WINDOWS\SYSTEM32\ntdll.dll [3120:2228]  0000000000c11c24
Thread  C:\WINDOWS\SYSTEM32\ntdll.dll [3120:4220]  0000000066cde54e
Thread  C:\WINDOWS\SYSTEM32\ntdll.dll [3120:2736]  000000006508eec8
Thread  C:\WINDOWS\SYSTEM32\ntdll.dll [3120:2752]  000000006508eec8
Thread  C:\WINDOWS\SYSTEM32\ntdll.dll [3120:3216]  000000006508eec8
Thread  C:\WINDOWS\SYSTEM32\ntdll.dll [3120:1936]  000000006531319b
Thread  C:\WINDOWS\SYSTEM32\ntdll.dll [3120:1488]  0000000065627019
Thread  C:\WINDOWS\SYSTEM32\ntdll.dll [3120:4396]  0000000064751892
Thread  C:\WINDOWS\system32\csrss.exe [5636:772]  fffff96000996b90
Thread  C:\WINDOWS\SYSTEM32\ntdll.dll [4136:2812]  00000000014e1f36
Thread  C:\WINDOWS\SYSTEM32\ntdll.dll [4136:4980]  0000000001000060
Thread  C:\WINDOWS\SYSTEM32\ntdll.dll [4136:1484]  0000000072cca301

---- Processes - GMER 2.1 ----

Process  C:\ProgramData\DatacardService\HWDeviceService64.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\HWDeviceService64.exe [1944](2010-11-16 13:38:16)  00007ff675ba0000
Process  C:\Users\Edyta\AppData\Roaming\T-Mobile Internet Manager\ouc.exe (*** suspicious ***) @ C:\Users\Edyta\AppData\Roaming\T-Mobile Internet Manager\ouc.exe [6136] (Online Update Clinet/Huawei Technologies Co., Ltd.)(2014-12-18 21:46:32)  0000000000400000

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.1 ----