GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-12-20 15:19:23
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD75 rev.02.0 698,64GB
Running: g0uc5t2f.exe; Driver: C:\Users\ala\AppData\Local\Temp\uxriapow.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2216] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075921401 2 bytes JMP 75b4b21b C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2216] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075921419 2 bytes JMP 75b4b346 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2216] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075921431 2 bytes JMP 75bc8fd1 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2216] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007592144a 2 bytes CALL 75b2489d C:\windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2216] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000759214dd 2 bytes JMP 75bc88c4 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2216] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000759214f5 2 bytes JMP 75bc8aa0 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2216] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007592150d 2 bytes JMP 75bc87ba C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2216] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075921525 2 bytes JMP 75bc8b8a C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2216] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007592153d 2 bytes JMP 75b3fca8 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2216] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075921555 2 bytes JMP 75b468ef C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2216] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007592156d 2 bytes JMP 75bc9089 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2216] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075921585 2 bytes JMP 75bc8bea C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2216] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007592159d 2 bytes JMP 75bc877e C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2216] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000759215b5 2 bytes JMP 75b3fd41 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2216] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000759215cd 2 bytes JMP 75b4b2dc C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2216] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000759216b2 2 bytes JMP 75bc8f4c C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2216] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000759216bd 2 bytes JMP 75bc8713 C:\windows\syswow64\kernel32.dll
.text  C:\windows\SysWOW64\RunDll32.exe[1504] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075921401 2 bytes JMP 75b4b21b C:\windows\syswow64\kernel32.dll
.text  C:\windows\SysWOW64\RunDll32.exe[1504] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075921419 2 bytes JMP 75b4b346 C:\windows\syswow64\kernel32.dll
.text  C:\windows\SysWOW64\RunDll32.exe[1504] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075921431 2 bytes JMP 75bc8fd1 C:\windows\syswow64\kernel32.dll
.text  C:\windows\SysWOW64\RunDll32.exe[1504] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007592144a 2 bytes CALL 75b2489d C:\windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\windows\SysWOW64\RunDll32.exe[1504] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000759214dd 2 bytes JMP 75bc88c4 C:\windows\syswow64\kernel32.dll
.text  C:\windows\SysWOW64\RunDll32.exe[1504] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000759214f5 2 bytes JMP 75bc8aa0 C:\windows\syswow64\kernel32.dll
.text  C:\windows\SysWOW64\RunDll32.exe[1504] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007592150d 2 bytes JMP 75bc87ba C:\windows\syswow64\kernel32.dll
.text  C:\windows\SysWOW64\RunDll32.exe[1504] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075921525 2 bytes JMP 75bc8b8a C:\windows\syswow64\kernel32.dll
.text  C:\windows\SysWOW64\RunDll32.exe[1504] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007592153d 2 bytes JMP 75b3fca8 C:\windows\syswow64\kernel32.dll
.text  C:\windows\SysWOW64\RunDll32.exe[1504] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075921555 2 bytes JMP 75b468ef C:\windows\syswow64\kernel32.dll
.text  C:\windows\SysWOW64\RunDll32.exe[1504] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007592156d 2 bytes JMP 75bc9089 C:\windows\syswow64\kernel32.dll
.text  C:\windows\SysWOW64\RunDll32.exe[1504] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075921585 2 bytes JMP 75bc8bea C:\windows\syswow64\kernel32.dll
.text  C:\windows\SysWOW64\RunDll32.exe[1504] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007592159d 2 bytes JMP 75bc877e C:\windows\syswow64\kernel32.dll
.text  C:\windows\SysWOW64\RunDll32.exe[1504] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000759215b5 2 bytes JMP 75b3fd41 C:\windows\syswow64\kernel32.dll
.text  C:\windows\SysWOW64\RunDll32.exe[1504] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000759215cd 2 bytes JMP 75b4b2dc C:\windows\syswow64\kernel32.dll
.text  C:\windows\SysWOW64\RunDll32.exe[1504] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000759216b2 2 bytes JMP 75bc8f4c C:\windows\syswow64\kernel32.dll
.text  C:\windows\SysWOW64\RunDll32.exe[1504] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000759216bd 2 bytes JMP 75bc8713 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3448] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075921401 2 bytes JMP 75b4b21b C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3448] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075921419 2 bytes JMP 75b4b346 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3448] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075921431 2 bytes JMP 75bc8fd1 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3448] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007592144a 2 bytes CALL 75b2489d C:\windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3448] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000759214dd 2 bytes JMP 75bc88c4 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3448] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000759214f5 2 bytes JMP 75bc8aa0 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3448] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007592150d 2 bytes JMP 75bc87ba C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3448] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075921525 2 bytes JMP 75bc8b8a C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3448] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007592153d 2 bytes JMP 75b3fca8 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3448] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075921555 2 bytes JMP 75b468ef C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3448] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007592156d 2 bytes JMP 75bc9089 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3448] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075921585 2 bytes JMP 75bc8bea C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3448] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007592159d 2 bytes JMP 75bc877e C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3448] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000759215b5 2 bytes JMP 75b3fd41 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3448] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000759215cd 2 bytes JMP 75b4b2dc C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3448] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000759216b2 2 bytes JMP 75bc8f4c C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3448] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000759216bd 2 bytes JMP 75bc8713 C:\windows\syswow64\kernel32.dll

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076fc1a13
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0f8dac89e69
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0f8dac89e69@708d092f560e  0x9B 0x68 0xF6 0x99 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076fc1a13 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0f8dac89e69 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0f8dac89e69@708d092f560e  0x9B 0x68 0xF6 0x99 ...

---- EOF - GMER 2.1 ----
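A triage script for the two kinds of entry in the log above, added here as an example (it is not part of GMER, and not something the poster ran). It parses the ".text" and "Reg" line formats as they appear in the log, then applies two rules that a responder would otherwise apply by hand: a 2-byte JMP or CALL from a function in syswow64\PSAPI.DLL into syswow64\kernel32.dll is the normal layout on Windows 7 x64, where the 32-bit PSAPI exports forward into kernel32, so GMER shows the same set in every WOW64 process; and Reg lines under BTHPORT\Parameters\Keys are the Bluetooth link-key store, which GMER lists because the key is ACL-restricted rather than because anything is hiding it. Both rules, the regular expressions (derived from the visible line layout, not from any published GMER grammar), and the "victim.exe" / "Example" sample lines are assumptions made for this example; everything that does not match a rule is left as "review", which is the only safe default for a log you did not generate yourself.

```python
"""Triage GMER 2.1 'User code sections' and 'Registry' lines.

Added example, not GMER code and not from the original log's author.
"""
import re
from collections import Counter
from typing import Optional

# Line layout assumed from the log above (not an official GMER grammar):
# .text  <process>[<pid>] <module>!<func> + <off>  <addr> <n> bytes <JMP|CALL> <target> <target module>
USER_CODE_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!]+)!(?P<function>\S+)\s*\+\s*(?P<offset>\d+)\s+"
    r"(?P<address>[0-9a-fA-F]{16})\s+(?P<size>\d+)\s+bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9a-fA-F]+)\s+(?P<target_module>.+?)\s*$"
)
# Reg  <key>[@<value>]  [<bytes> ...] [(not active ControlSet)]
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+)(?:\s+(?P<rest>.*))?$")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_user_code_line(line: str) -> Optional[dict]:
    """Parse one '.text' entry; returns None for non-matching lines
    (including GMER's '.text ... * 9' elision marker)."""
    m = USER_CODE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"])
    d["offset"] = int(d["offset"])
    d["size"] = int(d["size"])
    d["address"] = int(d["address"], 16)
    d["target"] = int(d["target"], 16)
    return d


def classify_user_code(entry: dict) -> str:
    """Assumption: a 2-byte JMP/CALL from the 32-bit PSAPI.DLL into the
    32-bit kernel32.dll is the Win7 x64 forwarder layout, not a hook."""
    module = entry["module"].lower()
    if (_basename(module) == "psapi.dll"
            and "\\syswow64\\" in module
            and _basename(entry["target_module"]) == "kernel32.dll"
            and entry["size"] == 2):
        return "psapi-forwarder"
    return "review"


def classify_reg(line: str) -> Optional[str]:
    """Assumption: BTHPORT\\Parameters\\Keys holds Bluetooth link keys and is
    listed only because it is ACL-restricted to SYSTEM."""
    m = REG_RE.match(line.strip())
    if not m:
        return None
    if re.search(r"\\BTHPORT\\Parameters\\Keys\\", m.group("key"), re.IGNORECASE):
        return "bluetooth-link-key"
    return "review"


def triage(log_text: str) -> list:
    """Return (verdict, subject, target-module-or-None) per recognised line."""
    results = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = parse_user_code_line(line)
        if entry:
            results.append((classify_user_code(entry), entry["function"],
                            _basename(entry["target_module"])))
            continue
        reg = classify_reg(line)
        if reg:
            results.append((reg, line.split()[1], None))
    return results


def summarize(results: list) -> dict:
    return dict(Counter(verdict for verdict, _, _ in results))


# Constructed sample: three lines copied from the log above, plus a
# hypothetical hooked ntdll line and a hypothetical Reg line so that the
# 'review' branch is exercised too. Neither hypothetical line is from the log.
SAMPLE_LOG = r"""
.text  C:\windows\SysWOW64\RunDll32.exe[1504] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075921555 2 bytes JMP 75b468ef C:\windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3448] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007592144a 2 bytes CALL 75b2489d C:\windows\syswow64\kernel32.dll
.text  C:\example\victim.exe[9999] C:\windows\syswow64\ntdll.dll!NtQuerySystemInformation + 5  0000000077aa1234 5 bytes JMP 10001000 C:\Users\example\AppData\Local\Temp\inject.dll
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0f8dac89e69@708d092f560e  0x9B 0x68 0xF6 0x99 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\Example\Parameters@Hidden  0x01 ...
"""

if __name__ == "__main__":
    for verdict, subject, target in triage(SAMPLE_LOG):
        print(f"{verdict:20} {subject} -> {target}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the full log above, every ".text" entry lands in "psapi-forwarder" and every "Reg" entry in "bluetooth-link-key"; anything this script prints as "review" (a hook whose target module is not kernel32, a patch longer than 2 bytes, or a key outside BTHPORT) is what deserves a second look, and the two rules should be re-checked before being trusted on a different Windows version.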