GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-13 17:46:57 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000071 ST310005 rev.JC4A 931,51GB Running: 0nc77ilw.exe; Driver: C:\Users\UYTKOW~1\AppData\Local\Temp\pgddqpoc.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2260] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000764d1465 2 bytes [4D, 76] .text C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe[2260] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764d14bb 2 bytes [4D, 76] .text ... * 2 .text C:\Program Files (x86)\G DATA\TotalProtection\Firewall\GDFirewallTray.exe[5952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000764d1465 2 bytes [4D, 76] .text C:\Program Files (x86)\G DATA\TotalProtection\Firewall\GDFirewallTray.exe[5952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764d14bb 2 bytes [4D, 76] .text ... * 2 .text E:\Steam\Steam.exe[6648] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007634103d 5 bytes JMP 000000006bb21eb0 .text E:\Steam\Steam.exe[6648] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076341072 5 bytes JMP 000000006bb21da0 .text E:\Steam\Steam.exe[6648] C:\Windows\SysWOW64\detoured.dll!Detoured + 3 000000006e171003 2 bytes [17, 6E] .text E:\Steam\Steam.exe[6648] C:\Windows\SysWOW64\detoured.dll!Detoured + 22 000000006e171016 2 bytes [17, 6E] .text E:\Steam\Steam.exe[6648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000764d1465 2 bytes [4D, 76] .text E:\Steam\Steam.exe[6648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764d14bb 2 bytes [4D, 76] .text ... * 2 .text E:\Steam\bin\steamwebhelper.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000764d1465 2 bytes [4D, 76] .text E:\Steam\bin\steamwebhelper.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764d14bb 2 bytes [4D, 76] .text ... * 2 .text E:\Steam\bin\steamwebhelper.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000774df9a1 7 bytes {MOV EDX, 0x91fae8; JMP RDX} .text E:\Steam\bin\steamwebhelper.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 5 00000000774dfa1d 7 bytes {MOV EDX, 0x91f9a8; JMP RDX} .text E:\Steam\bin\steamwebhelper.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 5 00000000774dfb35 7 bytes {MOV EDX, 0x91f968; JMP RDX} .text E:\Steam\bin\steamwebhelper.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000774dfbe5 7 bytes {MOV EDX, 0x91fb28; JMP RDX} .text E:\Steam\bin\steamwebhelper.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000774dfc15 7 bytes {MOV EDX, 0x91fa68; JMP RDX} .text E:\Steam\bin\steamwebhelper.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000774dfc2d 7 bytes {MOV EDX, 0x91f928; JMP RDX} .text E:\Steam\bin\steamwebhelper.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000774dfc45 7 bytes {MOV EDX, 0x91fbe8; JMP RDX} .text E:\Steam\bin\steamwebhelper.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000774dfc75 7 bytes {MOV EDX, 0x91fc28; JMP RDX} .text E:\Steam\bin\steamwebhelper.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000774dfcf5 7 bytes {MOV EDX, 0x91fba8; JMP RDX} .text E:\Steam\bin\steamwebhelper.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000774dfd0d 7 bytes {MOV EDX, 0x91fb68; JMP RDX} .text E:\Steam\bin\steamwebhelper.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000774dfd59 7 bytes {MOV EDX, 0x91f868; JMP RDX} .text E:\Steam\bin\steamwebhelper.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000774dfe51 7 bytes {MOV EDX, 0x91f8a8; JMP RDX} .text E:\Steam\bin\steamwebhelper.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000774e00a9 7 bytes {MOV EDX, 0x91f828; JMP RDX} .text E:\Steam\bin\steamwebhelper.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 5 00000000774e100d 7 bytes {MOV EDX, 0x91f9e8; JMP RDX} .text E:\Steam\bin\steamwebhelper.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000774e10b5 7 bytes {MOV EDX, 0x91faa8; JMP RDX} .text E:\Steam\bin\steamwebhelper.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000774e112d 7 bytes {MOV EDX, 0x91fa28; JMP RDX} .text E:\Steam\bin\steamwebhelper.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000774e1331 7 bytes {MOV EDX, 0x91f8e8; JMP RDX} .text E:\Steam\bin\steamwebhelper.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000764d1465 2 bytes [4D, 76] .text E:\Steam\bin\steamwebhelper.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764d14bb 2 bytes [4D, 76] .text ... * 2 ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2416] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef3f2741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2416] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef3f25f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2416] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef3f25674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2416] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef3f25e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2416] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef3f27f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2416] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef3f26a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2416] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef3f26ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2416] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef3f27b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2416] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef3f27ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2416] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef3f278b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2416] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef3f24fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2416] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef3f25d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2416] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef3f27584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- EOF - GMER 2.2 ----