GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-07-29 09:33:28
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JE3O 465,76GB
Running: yrsf1y75.exe; Driver: C:\Users\Wiktor\AppData\Local\Temp\awrdqpob.sys


---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[520] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter    0000000074ee8791 6 bytes {JMP QWORD [RIP+0x71ae001e]}
.text  C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[520] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493         0000000075aa2c9e 4 bytes CALL 71ac0000
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[3040] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000074ee8791 4 bytes [C2, 04, 00, 00]

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE[USER32.dll!MoveWindow]                     [7fef8941830] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE[USER32.dll!DeferWindowPos]                 [7fef8941ba0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE[USER32.dll!SetWindowPos]                   [7fef89419e0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\SHELL32.dll[USER32.dll!MoveWindow]             [7fef8941830] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowPos]           [7fef89419e0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\SHELL32.dll[USER32.dll!DeferWindowPos]         [7fef8941ba0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\ole32.dll[USER32.dll!MoveWindow]               [7fef8941830] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!MoveWindow]       [7fef8941830] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!SetWindowPos]     [7fef89419e0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\DUI70.dll[USER32.dll!SetWindowPos]             [7fef89419e0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\IMM32.dll[USER32.dll!SetWindowPos]             [7fef89419e0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\MSCTF.dll[USER32.dll!MoveWindow]               [7fef8941830] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWindowPos]             [7fef89419e0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\UxTheme.dll[USER32.dll!SetWindowPos]           [7fef89419e0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!MoveWindow]            [7fef8941830] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!SetWindowPos]          [7fef89419e0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[1964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!DeferWindowPos]  [7fef8941ba0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[1964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!SetWindowPos]    [7fef89419e0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT  C:\Windows\Explorer.EXE[1964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!MoveWindow]      [7fef8941830] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll

---- Threads - GMER 2.1 ----

Thread  C:\Windows\System32\svchost.exe [1064:1696]   000007fef9c859a0
Thread  C:\Windows\System32\svchost.exe [1064:4156]   000007fef55b44e0
Thread  C:\Windows\System32\svchost.exe [1064:3228]   000007fef60220c0
Thread  C:\Windows\System32\svchost.exe [1064:3060]   000007fef60226a8
Thread  C:\Windows\System32\svchost.exe [1064:5932]   000007fef5b389b8
Thread  C:\Windows\System32\svchost.exe [1064:1208]   000007fef584a2b0
Thread  C:\Windows\System32\spoolsv.exe [1540:3328]   000007fef65e10c8
Thread  C:\Windows\System32\spoolsv.exe [1540:3384]   000007fef63d6144
Thread  C:\Windows\System32\spoolsv.exe [1540:3388]   000007fef61a5fd0
Thread  C:\Windows\System32\spoolsv.exe [1540:3400]   000007fef6193438
Thread  C:\Windows\System32\spoolsv.exe [1540:3404]   000007fef61a63ec
Thread  C:\Windows\System32\spoolsv.exe [1540:3440]   000007fef69a5e5c
Thread  C:\Windows\System32\svchost.exe [4200:5568]   000007fef2b997fc
Thread  C:\Windows\System32\svchost.exe [4200:5572]   000007fef2ba6a04
Thread  C:\Windows\System32\svchost.exe [4200:5588]   000007fef2b9df84
Thread  C:\Windows\System32\svchost.exe [4200:2024]   000007fef2b9bc88
Thread  C:\Windows\System32\svchost.exe [4200:5428]   000007fef26b9688
Thread  C:\Windows\System32\svchost.exe [6352:6452]   000007fef292abc0

---- Processes - GMER 2.1 ----

Process  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (*** suspicious ***) @ C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [1952] (Windows SysTool /Windows SysTool)(2015-02-05 17:02:55)  0000000000400000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68b26994
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68b26994@001e45e1eee5   0xD4 0x49 0x07 0xEA ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68b26994@a8f2742645c5   0xD4 0x69 0xC2 0x25 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68b26994@1cb09469de50   0x28 0xC0 0xAF 0x05 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68b26994@08fc8880ab17   0x0D 0x60 0x8C 0x78 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68b26994 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68b26994@001e45e1eee5   0xD4 0x49 0x07 0xEA ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68b26994@a8f2742645c5   0xD4 0x69 0xC2 0x25 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68b26994@1cb09469de50   0x28 0xC0 0xAF 0x05 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68b26994@08fc8880ab17   0x0D 0x60 0x8C 0x78 ...

---- EOF - GMER 2.1 ----