GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-07-10 23:53:31
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JE3O 465,76GB
Running: pli3q54l.exe; Driver: C:\Users\Ewa\AppData\Local\Temp\uxriipow.sys

---- User code sections - GMER 2.1 ----

.text  C:\Windows\AsScrPro.exe[1676]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076b71401 2 bytes JMP 76a9b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1676]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076b71419 2 bytes JMP 76a9b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1676]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076b71431 2 bytes JMP 76b18f29 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1676]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000076b7144a 2 bytes CALL 76a7489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Windows\AsScrPro.exe[1676]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000076b714dd 2 bytes JMP 76b18822 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1676]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000076b714f5 2 bytes JMP 76b189f8 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1676]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000076b7150d 2 bytes JMP 76b18718 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1676]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076b71525 2 bytes JMP 76b18ae2 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1676]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000076b7153d 2 bytes JMP 76a8fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1676]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076b71555 2 bytes JMP 76a968ef C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1676]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000076b7156d 2 bytes JMP 76b18fe3 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1676]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076b71585 2 bytes JMP 76b18b42 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1676]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000076b7159d 2 bytes JMP 76b186dc C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1676]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000076b715b5 2 bytes JMP 76a8fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1676]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000076b715cd 2 bytes JMP 76a9b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1676]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000076b716b2 2 bytes JMP 76b18ea4 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\AsScrPro.exe[1676]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000076b716bd 2 bytes JMP 76b18671 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3144]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076b71401 2 bytes JMP 76a9b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3144]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076b71419 2 bytes JMP 76a9b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3144]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076b71431 2 bytes JMP 76b18f29 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3144]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000076b7144a 2 bytes CALL 76a7489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3144]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000076b714dd 2 bytes JMP 76b18822 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3144]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000076b714f5 2 bytes JMP 76b189f8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3144]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000076b7150d 2 bytes JMP 76b18718 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3144]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076b71525 2 bytes JMP 76b18ae2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3144]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000076b7153d 2 bytes JMP 76a8fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3144]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076b71555 2 bytes JMP 76a968ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3144]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000076b7156d 2 bytes JMP 76b18fe3 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3144]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076b71585 2 bytes JMP 76b18b42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3144]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000076b7159d 2 bytes JMP 76b186dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3144]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000076b715b5 2 bytes JMP 76a8fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3144]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000076b715cd 2 bytes JMP 76a9b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3144]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000076b716b2 2 bytes JMP 76b18ea4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[3144]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000076b716bd 2 bytes JMP 76b18671 C:\Windows\syswow64\kernel32.dll
.text  C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE15\CSISYN~1.EXE[4532]  C:\Windows\system32\OLEAUT32.dll!VariantClear  000007fefd201180 5 bytes JMP 000007ffbd0702f8
.text  C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE15\CSISYN~1.EXE[4532]  C:\Windows\system32\OLEAUT32.dll!SysFreeString  000007fefd201320 7 bytes JMP 000007ffbd070238
.text  C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE15\CSISYN~1.EXE[4532]  C:\Windows\system32\OLEAUT32.dll!SysAllocStringByteLen  000007fefd204470 6 bytes JMP 000007ffbd0701d8
.text  C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE15\CSISYN~1.EXE[4532]  C:\Windows\system32\OLEAUT32.dll!VariantChangeType  000007fefd206720 10 bytes JMP 000007ffbd070298

---- Processes - GMER 2.1 ----

Library  C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1920] (GG drive overlay/GG Network S.A.)(2012-04-26 18:40:11)  000000005c080000
Library  C:\ProgramData\GG\ggdrive\ggdrive-proxy.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1920] (GG drive proxy/GG Network S.A.)(2012-04-26 18:40:11)  00000000590b0000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68d8ddc2
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68d8ddc2@0026cc8e0d73  0xFF 0xBE 0x0B 0xEA ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68d8ddc2@505663a831ef  0x6F 0xF2 0xD6 0x9E ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68d8ddc2@980d2e45f574  0x99 0x12 0x8B 0xD9 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68d8ddc2 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68d8ddc2@0026cc8e0d73  0xFF 0xBE 0x0B 0xEA ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68d8ddc2@505663a831ef  0x6F 0xF2 0xD6 0x9E ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68d8ddc2@980d2e45f574  0x99 0x12 0x8B 0xD9 ...

---- Files - GMER 2.1 ----

File  C:\Users\Ewa\AppData\Local\Microsoft\Office\OTeleData_4532_8.etl  65536 bytes
File  C:\Users\Ewa\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I2L23LBQ\K53SC[1].idx  4246 bytes

---- EOF - GMER 2.1 ----