GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-10-10 14:05:06
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-22ZCT0 rev.11.01A11 298,09GB
Running: e80hgcs6.exe; Driver: C:\Users\BARTEK~1\AppData\Local\Temp\ufldqpow.sys

---- User code sections - GMER 2.1 ----

.text C:\Users\BartekRos\AppData\Roaming\TSv\TSvr.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076121401 2 bytes JMP 751ceb26 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BartekRos\AppData\Roaming\TSv\TSvr.exe[1832] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076121419 2 bytes JMP 751db513 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BartekRos\AppData\Roaming\TSv\TSvr.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076121431 2 bytes JMP 75258609 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BartekRos\AppData\Roaming\TSv\TSvr.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007612144a 2 bytes CALL 751b1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\BartekRos\AppData\Roaming\TSv\TSvr.exe[1832] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000761214dd 2 bytes JMP 75257efe C:\Windows\syswow64\kernel32.dll
.text C:\Users\BartekRos\AppData\Roaming\TSv\TSvr.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000761214f5 2 bytes JMP 752580d8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BartekRos\AppData\Roaming\TSv\TSvr.exe[1832] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007612150d 2 bytes JMP 75257df4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BartekRos\AppData\Roaming\TSv\TSvr.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076121525 2 bytes JMP 752581c2 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BartekRos\AppData\Roaming\TSv\TSvr.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007612153d 2 bytes JMP 751cf088 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BartekRos\AppData\Roaming\TSv\TSvr.exe[1832] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076121555 2 bytes JMP 751db885 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BartekRos\AppData\Roaming\TSv\TSvr.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007612156d 2 bytes JMP 752586c1 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BartekRos\AppData\Roaming\TSv\TSvr.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076121585 2 bytes JMP 75258222 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BartekRos\AppData\Roaming\TSv\TSvr.exe[1832] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007612159d 2 bytes JMP 75257db8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BartekRos\AppData\Roaming\TSv\TSvr.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000761215b5 2 bytes JMP 751cf121 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BartekRos\AppData\Roaming\TSv\TSvr.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000761215cd 2 bytes JMP 751db29f C:\Windows\syswow64\kernel32.dll
.text C:\Users\BartekRos\AppData\Roaming\TSv\TSvr.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000761216b2 2 bytes JMP 75258584 C:\Windows\syswow64\kernel32.dll
.text C:\Users\BartekRos\AppData\Roaming\TSv\TSvr.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000761216bd 2 bytes JMP 75257d4d C:\Windows\syswow64\kernel32.dll

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- Processes - GMER 2.1 ----

Process C:\Users\BartekRos\AppData\Roaming\TSv\TSvr.exe (*** suspicious ***) @ C:\Users\BartekRos\AppData\Roaming\TSv\TSvr.exe [1832] (tsvr.com/tsvr.com)(2015-09-21 01:37:08) 0000000000af0000
Library C:\Users\BartekRos\AppData\Roaming\TSv\MSVCP100.dll (*** suspicious ***) @ C:\Users\BartekRos\AppData\Roaming\TSv\TSvr.exe [1832] (Microsoft® C Runtime Library/Microsoft Corporation)(2015-06-19 10:07:20) 00000000734d0000
Library C:\Users\BartekRos\AppData\Roaming\TSv\MSVCR100.dll (*** suspicious ***) @ C:\Users\BartekRos\AppData\Roaming\TSv\TSvr.exe [1832] (Microsoft® C Runtime Library/Microsoft Corporation)(2015-06-19 10:07:20) 0000000070620000
Process C:\ProgramData\BWdsManProB\WdsManPro.exe (*** suspicious ***) @ C:\ProgramData\BWdsManProB\WdsManPro.exe [2128] (DTools/DTools LIMITED)(2015-10-10 07 00000000013c0000
Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{6DC2BB77-5EF9-4238-954D-0EFF62D014D1}\mpengine.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [1408] (Microsoft Malware Protection Engine/Microsoft Corporation)(2014-12-16 11:25:56) 000007feed940000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00265ea20d3e
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00265ea20d3e@70f927cac208 0x51 0xE9 0x7F 0x72 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00265ea20d3e (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00265ea20d3e@70f927cac208 0x51 0xE9 0x7F 0x72 ...

---- EOF - GMER 2.1 ----