GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-10-20 16:36:46
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000061 TOSHIBA_ rev.GJ10 298,09GB
Running: 4u8gq18c.exe; Driver: C:\Users\Ola\AppData\Local\Temp\uxriqpow.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1908] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076618791 4 bytes [C2, 04, 00, 00]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1908] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000077491401 2 bytes JMP 7663b263 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1908] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000077491419 2 bytes JMP 7663b38e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1908] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000077491431 2 bytes JMP 766b9099 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1908] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 000000007749144a 2 bytes CALL 766148ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1908] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000774914dd 2 bytes JMP 766b898f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1908] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000774914f5 2 bytes JMP 766b8b68 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1908] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 000000007749150d 2 bytes JMP 766b8885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1908] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000077491525 2 bytes JMP 766b8c52 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1908] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 000000007749153d 2 bytes JMP 7662fce8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1908] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000077491555 2 bytes JMP 76636937 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1908] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 000000007749156d 2 bytes JMP 766b9151 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1908] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000077491585 2 bytes JMP 766b8cb2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1908] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 000000007749159d 2 bytes JMP 766b8849 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1908] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000774915b5 2 bytes JMP 7662fd81 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1908] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000774915cd 2 bytes JMP 7663b324 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1908] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000774916b2 2 bytes JMP 766b9014 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1908] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000774916bd 2 bytes JMP 766b87de C:\Windows\syswow64\kernel32.dll
.text C:\Users\Ola\AppData\Roaming\Spotify\Spotify.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077491401 2 bytes JMP 7663b263 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Ola\AppData\Roaming\Spotify\Spotify.exe[2620] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077491419 2 bytes JMP 7663b38e C:\Windows\syswow64\kernel32.dll
.text C:\Users\Ola\AppData\Roaming\Spotify\Spotify.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077491431 2 bytes JMP 766b9099 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Ola\AppData\Roaming\Spotify\Spotify.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007749144a 2 bytes CALL 766148ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\Ola\AppData\Roaming\Spotify\Spotify.exe[2620] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774914dd 2 bytes JMP 766b898f C:\Windows\syswow64\kernel32.dll
.text C:\Users\Ola\AppData\Roaming\Spotify\Spotify.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774914f5 2 bytes JMP 766b8b68 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Ola\AppData\Roaming\Spotify\Spotify.exe[2620] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007749150d 2 bytes JMP 766b8885 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Ola\AppData\Roaming\Spotify\Spotify.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077491525 2 bytes JMP 766b8c52 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Ola\AppData\Roaming\Spotify\Spotify.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007749153d 2 bytes JMP 7662fce8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Ola\AppData\Roaming\Spotify\Spotify.exe[2620] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077491555 2 bytes JMP 76636937 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Ola\AppData\Roaming\Spotify\Spotify.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007749156d 2 bytes JMP 766b9151 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Ola\AppData\Roaming\Spotify\Spotify.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077491585 2 bytes JMP 766b8cb2 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Ola\AppData\Roaming\Spotify\Spotify.exe[2620] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007749159d 2 bytes JMP 766b8849 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Ola\AppData\Roaming\Spotify\Spotify.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774915b5 2 bytes JMP 7662fd81 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Ola\AppData\Roaming\Spotify\Spotify.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774915cd 2 bytes JMP 7663b324 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Ola\AppData\Roaming\Spotify\Spotify.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774916b2 2 bytes JMP 766b9014 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Ola\AppData\Roaming\Spotify\Spotify.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774916bd 2 bytes JMP 766b87de C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe [4048:4052] 00000000004748da

---- EOF - GMER 2.1 ----