GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-08-17 01:20:41
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.MH00 298,09GB
Running: 2ki68j6d.exe; Driver: C:\Users\Mariusz\AppData\Local\Temp\pwriykod.sys


---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe[1252]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075701401 2 bytes JMP 74ffb1ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe[1252]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075701419 2 bytes JMP 74ffb31a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe[1252]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075701431 2 bytes JMP 75078f09 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe[1252]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007570144a 2 bytes CALL 74fd4885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe[1252]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000757014dd 2 bytes JMP 75078802 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe[1252]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000757014f5 2 bytes JMP 750789d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe[1252]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007570150d 2 bytes JMP 750786f8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe[1252]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075701525 2 bytes JMP 75078ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe[1252]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007570153d 2 bytes JMP 74fefc78 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe[1252]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075701555 2 bytes JMP 74ff68bf C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe[1252]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007570156d 2 bytes JMP 75078fc1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe[1252]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075701585 2 bytes JMP 75078b22 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe[1252]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007570159d 2 bytes JMP 750786bc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe[1252]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000757015b5 2 bytes JMP 74fefd11 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe[1252]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000757015cd 2 bytes JMP 74ffb2b0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe[1252]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000757016b2 2 bytes JMP 75078e84 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe[1252]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000757016bd 2 bytes JMP 75078651 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe[1304]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075701401 2 bytes JMP 74ffb1ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe[1304]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075701419 2 bytes JMP 74ffb31a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe[1304]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075701431 2 bytes JMP 75078f09 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe[1304]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007570144a 2 bytes CALL 74fd4885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe[1304]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000757014dd 2 bytes JMP 75078802 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe[1304]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000757014f5 2 bytes JMP 750789d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe[1304]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007570150d 2 bytes JMP 750786f8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe[1304]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075701525 2 bytes JMP 75078ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe[1304]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007570153d 2 bytes JMP 74fefc78 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe[1304]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075701555 2 bytes JMP 74ff68bf C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe[1304]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007570156d 2 bytes JMP 75078fc1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe[1304]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075701585 2 bytes JMP 75078b22 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe[1304]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007570159d 2 bytes JMP 750786bc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe[1304]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000757015b5 2 bytes JMP 74fefd11 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe[1304]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000757015cd 2 bytes JMP 74ffb2b0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe[1304]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000757016b2 2 bytes JMP 75078e84 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe[1304]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000757016bd 2 bytes JMP 75078651 C:\Windows\syswow64\kernel32.dll

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002713c84fd6
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\cc52af05ec61
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002713c84fd6 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\cc52af05ec61 (not active ControlSet)

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.1 ----
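The "User code sections" block above is the part of a GMER log that takes the most time to read by hand: one line per patched function, repeated for every process, with ".text ... * N" standing in for N further identical entries. The script below is an added example for triaging that block; it is not part of GMER and not code from the poster of this log. It parses the `.text` lines, counts the elided entries, groups identical (function, target) pairs across processes, and sorts each hook into a coarse bucket. The 2-byte JMP/CALL entries from PSAPI.DLL into kernel32.dll in 32-bit (syswow64) processes are a pattern seen across many Windows 7 x64 GMER logs, so the script puts "lands in a system DLL" in its own bucket to be baselined against a clean host rather than treated as a confirmed hook; a hook whose target GMER could not map to any module is what it surfaces first. The bucket names, the list of system DLLs and the sample input (lines in GMER's layout, plus one constructed notepad.exe line with an unresolved target that is not in the log above) are this example's own assumptions.

```python
"""Triage helper for the 'User code sections' block of a GMER 2.1 log.

Added example, not GMER's own code. Parses the `.text` hook lines GMER emits,
totals the ".text ... * N" elision markers, groups hooks across processes and
assigns each one a coarse review bucket (heuristic, this example's own).
"""
import re
from collections import defaultdict

# Constructed sample in GMER's layout. The first four lines mirror the shape of
# the log above; the last line is constructed (not in the log) to exercise the
# "unresolved-target" bucket: a 5-byte JMP into memory GMER could not name.
SAMPLE_LOG = r"""
.text  C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe[1252]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075701401 2 bytes JMP 74ffb1ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe[1252]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007570144a 2 bytes CALL 74fd4885 C:\Windows\syswow64\kernel32.dll
.text  ...                                                                                                   * 9
.text  C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe[1304]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075701401 2 bytes JMP 74ffb1ef C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\syswow64\notepad.exe[4242]  C:\Windows\syswow64\ntdll.dll!NtQueryDirectoryFile  0000000077a3fd10 5 bytes JMP 0023ab10
"""

# One GMER hook line: process[pid], module!function [+ offset], address,
# patch size, JMP/CALL, target address, and (if GMER resolved it) target module.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+"
    r"(?P<mod>\S+)!(?P<func>\w+)(?:\s*\+\s*(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]+)\s+(?P<size>\d+)\s+bytes\s+(?P<kind>JMP|CALL)\s+"
    r"(?P<target>[0-9a-fA-F]+)(?:\s+(?P<tmod>\S.*?))?\s*$"
)
# GMER's shorthand for N further entries of the same shape.
ELIDED_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s*(?P<n>\d+)\s*$")

# Assumption for this example: targets inside these DLLs get their own bucket.
SYSTEM_DLLS = {"kernel32.dll", "kernelbase.dll", "ntdll.dll", "user32.dll"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(hook):
    """Coarse review bucket for one parsed hook (heuristic, not a verdict)."""
    if hook["tmod"] is None:
        return "unresolved-target"      # target not attributable to a module: review first
    src, dst = _basename(hook["mod"]), _basename(hook["tmod"])
    if src == dst:
        return "intra-module"           # patched to jump within the same image
    if dst in SYSTEM_DLLS:
        return "into-system-dll"        # baseline against a clean host before calling it a hook
    return "into-other-module"          # lands in a third-party module: check that module


def parse_log(text):
    """Return (list of parsed hooks, number of entries elided by '* N' markers)."""
    hooks, elided = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(".text"):
            continue
        m = ELIDED_RE.match(line)
        if m:
            elided += int(m.group("n"))
            continue
        m = HOOK_RE.match(line)
        if not m:
            continue                    # unknown variant of the line: skip rather than abort
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["off"] = int(h["off"] or 0)
        h["size"] = int(h["size"])
        h["bucket"] = classify(h)
        hooks.append(h)
    return hooks, elided


def bucket_counts(hooks):
    counts = defaultdict(int)
    for h in hooks:
        counts[h["bucket"]] += 1
    return dict(counts)


def summarize(hooks):
    """Group identical (module, function, offset, kind, target) hooks across processes.
    A pair present in every listed process is more likely a property of the loaded
    image than of one injected process (heuristic only)."""
    procs = {h["proc"] for h in hooks}
    by_key = defaultdict(set)
    for h in hooks:
        by_key[(_basename(h["mod"]), h["func"], h["off"], h["kind"], h["target"])].add(h["proc"])
    return [
        {"module": k[0], "func": k[1], "off": k[2], "kind": k[3], "target": k[4],
         "processes": len(seen), "in_all_processes": seen == procs}
        for k, seen in sorted(by_key.items())
    ]


if __name__ == "__main__":
    hooks, elided = parse_log(SAMPLE_LOG)
    print(f"{len(hooks)} hook lines parsed, {elided} elided by '* N' markers")
    print("buckets:", bucket_counts(hooks))
    for row in summarize(hooks):
        print(row)
```

Run it against a full log by replacing `SAMPLE_LOG` with the file contents; the counts of elided entries matter because GMER's "* 9" lines hide most of the repeated PSAPI.DLL entries, so a per-process total is only right once they are added back.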