GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-08-19 19:34:20
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST500LT0 rev.0001 465,76GB
Running: gmer.exe; Driver: C:\Users\Komputer\AppData\Local\Temp\pgldyaoc.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3492] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExW + 17      0000000076561401 2 bytes JMP 753bb20b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3492] C:\Windows\syswow64\PsApi.dll!EnumProcessModules + 17         0000000076561419 2 bytes JMP 753bb336 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3492] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 17       0000000076561431 2 bytes JMP 75438f39 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3492] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 42       000000007656144a 2 bytes CALL 75394885 C:\Windows\syswow64\kernel32.dll
.text  ...                                                                                                                        * 9
.text  C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3492] C:\Windows\syswow64\PsApi.dll!EnumDeviceDrivers + 17          00000000765614dd 2 bytes JMP 75438832 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3492] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameA + 17   00000000765614f5 2 bytes JMP 75438a08 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3492] C:\Windows\syswow64\PsApi.dll!QueryWorkingSetEx + 17          000000007656150d 2 bytes JMP 75438728 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3492] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameW + 17   0000000076561525 2 bytes JMP 75438af2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3492] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameW + 17         000000007656153d 2 bytes JMP 753afc98 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3492] C:\Windows\syswow64\PsApi.dll!EnumProcesses + 17              0000000076561555 2 bytes JMP 753b68df C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3492] C:\Windows\syswow64\PsApi.dll!GetProcessMemoryInfo + 17       000000007656156d 2 bytes JMP 75438ff1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3492] C:\Windows\syswow64\PsApi.dll!GetPerformanceInfo + 17         0000000076561585 2 bytes JMP 75438b52 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3492] C:\Windows\syswow64\PsApi.dll!QueryWorkingSet + 17            000000007656159d 2 bytes JMP 754386ec C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3492] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameA + 17         00000000765615b5 2 bytes JMP 753afd31 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3492] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExA + 17       00000000765615cd 2 bytes JMP 753bb2cc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3492] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 20   00000000765616b2 2 bytes JMP 75438eb4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3492] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 31   00000000765616bd 2 bytes JMP 75438681 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17    0000000076561401 2 bytes JMP 753bb20b C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3500] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17       0000000076561419 2 bytes JMP 753bb336 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17     0000000076561431 2 bytes JMP 75438f39 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42     000000007656144a 2 bytes CALL 75394885 C:\Windows\syswow64\KERNEL32.dll
.text  ...                                                                                                                        * 9
.text  C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3500] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17        00000000765614dd 2 bytes JMP 75438832 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000765614f5 2 bytes JMP 75438a08 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3500] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17        000000007656150d 2 bytes JMP 75438728 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076561525 2 bytes JMP 75438af2 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17       000000007656153d 2 bytes JMP 753afc98 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3500] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17            0000000076561555 2 bytes JMP 753b68df C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17     000000007656156d 2 bytes JMP 75438ff1 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17       0000000076561585 2 bytes JMP 75438b52 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3500] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17          000000007656159d 2 bytes JMP 754386ec C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17       00000000765615b5 2 bytes JMP 753afd31 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17     00000000765615cd 2 bytes JMP 753bb2cc C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000765616b2 2 bytes JMP 75438eb4 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files\Lenovo\Intelligent Touchpad\TouchZone.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000765616bd 2 bytes JMP 75438681 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Windows\SysWOW64\rundll32.exe[3912] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                             0000000076561401 2 bytes JMP 753bb20b C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\rundll32.exe[3912] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                0000000076561419 2 bytes JMP 753bb336 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\rundll32.exe[3912] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                              0000000076561431 2 bytes JMP 75438f39 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\rundll32.exe[3912] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                              000000007656144a 2 bytes CALL 75394885 C:\Windows\syswow64\kernel32.dll
.text  ...                                                                                                                        * 9
.text  C:\Windows\SysWOW64\rundll32.exe[3912] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                 00000000765614dd 2 bytes JMP 75438832 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\rundll32.exe[3912] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                          00000000765614f5 2 bytes JMP 75438a08 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\rundll32.exe[3912] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                 000000007656150d 2 bytes JMP 75438728 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\rundll32.exe[3912] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                          0000000076561525 2 bytes JMP 75438af2 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\rundll32.exe[3912] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                000000007656153d 2 bytes JMP 753afc98 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\rundll32.exe[3912] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                     0000000076561555 2 bytes JMP 753b68df C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\rundll32.exe[3912] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                              000000007656156d 2 bytes JMP 75438ff1 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\rundll32.exe[3912] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                0000000076561585 2 bytes JMP 75438b52 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\rundll32.exe[3912] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                   000000007656159d 2 bytes JMP 754386ec C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\rundll32.exe[3912] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                00000000765615b5 2 bytes JMP 753afd31 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\rundll32.exe[3912] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                              00000000765615cd 2 bytes JMP 753bb2cc C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\rundll32.exe[3912] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                          00000000765616b2 2 bytes JMP 75438eb4 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\rundll32.exe[3912] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                          00000000765616bd 2 bytes JMP 75438681 C:\Windows\syswow64\kernel32.dll

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\20689d19a680
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\20689d19a680@b0358d999cee    0x97 0x25 0x80 0xC4 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\20689d19a680@0021fec14525    0xE2 0x22 0x8F 0x7C ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\20689d19a680@88c6260e6bf5    0x71 0x26 0xE6 0x1F ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\20689d19a680@8455a599873d    0xD5 0x7A 0xC0 0xEB ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\20689d19a680@e8cba1f52eae    0x9C 0xBB 0xA4 0xF2 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\20689d19a680 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\20689d19a680@b0358d999cee        0x97 0x25 0x80 0xC4 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\20689d19a680@0021fec14525        0xE2 0x22 0x8F 0x7C ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\20689d19a680@88c6260e6bf5        0x71 0x26 0xE6 0x1F ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\20689d19a680@8455a599873d        0xD5 0x7A 0xC0 0xEB ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\20689d19a680@e8cba1f52eae        0x9C 0xBB 0xA4 0xF2 ...

---- EOF - GMER 2.1 ----