GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-04-25 13:06:11
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST500LM0 rev.0001 465,76GB
Running: l77vs3ft.exe; Driver: C:\Users\x\AppData\Local\Temp\pgddqpoc.sys

---- User code sections - GMER 2.2 ----

.text C:\Users\x\AppData\Roaming\uTorrent\uTorrent.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076e61401 2 bytes JMP 7587b233 C:\Windows\syswow64\kernel32.dll
.text C:\Users\x\AppData\Roaming\uTorrent\uTorrent.exe[2700] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076e61419 2 bytes JMP 7587b35e C:\Windows\syswow64\kernel32.dll
.text C:\Users\x\AppData\Roaming\uTorrent\uTorrent.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076e61431 2 bytes JMP 758f9011 C:\Windows\syswow64\kernel32.dll
.text C:\Users\x\AppData\Roaming\uTorrent\uTorrent.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076e6144a 2 bytes CALL 758548ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\x\AppData\Roaming\uTorrent\uTorrent.exe[2700] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076e614dd 2 bytes JMP 758f890a C:\Windows\syswow64\kernel32.dll
.text C:\Users\x\AppData\Roaming\uTorrent\uTorrent.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076e614f5 2 bytes JMP 758f8ae0 C:\Windows\syswow64\kernel32.dll
.text C:\Users\x\AppData\Roaming\uTorrent\uTorrent.exe[2700] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076e6150d 2 bytes JMP 758f8800 C:\Windows\syswow64\kernel32.dll
.text C:\Users\x\AppData\Roaming\uTorrent\uTorrent.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076e61525 2 bytes JMP 758f8bca C:\Windows\syswow64\kernel32.dll
.text C:\Users\x\AppData\Roaming\uTorrent\uTorrent.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076e6153d 2 bytes JMP 7586fcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Users\x\AppData\Roaming\uTorrent\uTorrent.exe[2700] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076e61555 2 bytes JMP 75876907 C:\Windows\syswow64\kernel32.dll
.text C:\Users\x\AppData\Roaming\uTorrent\uTorrent.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076e6156d 2 bytes JMP 758f90c9 C:\Windows\syswow64\kernel32.dll
.text C:\Users\x\AppData\Roaming\uTorrent\uTorrent.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076e61585 2 bytes JMP 758f8c2a C:\Windows\syswow64\kernel32.dll
.text C:\Users\x\AppData\Roaming\uTorrent\uTorrent.exe[2700] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076e6159d 2 bytes JMP 758f87c4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\x\AppData\Roaming\uTorrent\uTorrent.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076e615b5 2 bytes JMP 7586fd59 C:\Windows\syswow64\kernel32.dll
.text C:\Users\x\AppData\Roaming\uTorrent\uTorrent.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076e615cd 2 bytes JMP 7587b2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\x\AppData\Roaming\uTorrent\uTorrent.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076e616b2 2 bytes JMP 758f8f8c C:\Windows\syswow64\kernel32.dll
.text C:\Users\x\AppData\Roaming\uTorrent\uTorrent.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076e616bd 2 bytes JMP 758f8759 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3436] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076e61401 2 bytes JMP 7587b233 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3436] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076e61419 2 bytes JMP 7587b35e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076e61431 2 bytes JMP 758f9011 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076e6144a 2 bytes CALL 758548ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3436] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076e614dd 2 bytes JMP 758f890a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3436] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076e614f5 2 bytes JMP 758f8ae0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3436] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076e6150d 2 bytes JMP 758f8800 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3436] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076e61525 2 bytes JMP 758f8bca C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3436] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076e6153d 2 bytes JMP 7586fcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3436] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076e61555 2 bytes JMP 75876907 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3436] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076e6156d 2 bytes JMP 758f90c9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3436] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076e61585 2 bytes JMP 758f8c2a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3436] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076e6159d 2 bytes JMP 758f87c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3436] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076e615b5 2 bytes JMP 7586fd59 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3436] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076e615cd 2 bytes JMP 7587b2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3436] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076e616b2 2 bytes JMP 758f8f8c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3436] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076e616bd 2 bytes JMP 758f8759 C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.2 ----

Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4028:3608] 0000000075317587
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4028:3760] 000000006ecc8aa6
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4028:3844] 000000007798c557
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4028:3328] 00000000779a27c1
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4028:2520] 00000000779a27c1
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4028:2524] 00000000779a27c1

---- EOF - GMER 2.2 ----