GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-28 01:48:14 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000005d WDC_WD50 rev.01.0 465,76GB Running: gmer.exe; Driver: C:\Users\SEBAST~1\AppData\Local\Temp\kglyakow.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefe0b45c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\system32\ws2_32.dll!getsockname 000007fefe0b9480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefe0de0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\taskhost.exe[1472] C:\Windows\system32\ws2_32.dll!getpeername 000007fefe0de450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe[1568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075471465 2 bytes [47, 75] .text C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe[1568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754714bb 2 bytes [47, 75] .text ... * 2 .text C:\Windows\system32\Dwm.exe[1632] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefe0b45c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\Dwm.exe[1632] C:\Windows\system32\ws2_32.dll!getsockname 000007fefe0b9480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system32\Dwm.exe[1632] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefe0de0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\Dwm.exe[1632] C:\Windows\system32\ws2_32.dll!getpeername 000007fefe0de450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefe0b45c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\ws2_32.dll!getsockname 000007fefe0b9480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefe0de0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\Explorer.EXE[1704] C:\Windows\system32\ws2_32.dll!getpeername 000007fefe0de450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files (x86)\OSCAR Editor X7\OscarEditor.exe[2088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075471465 2 bytes [47, 75] .text C:\Program Files (x86)\OSCAR Editor X7\OscarEditor.exe[2088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754714bb 2 bytes [47, 75] .text ... * 2 .text C:\Program Files (x86)\DesktopNerds\Gamma Control\GC.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075471465 2 bytes [47, 75] .text C:\Program Files (x86)\DesktopNerds\Gamma Control\GC.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754714bb 2 bytes [47, 75] .text ... * 2 .text C:\Program Files (x86)\DesktopNerds\Gamma Control\GC.exe[2096] C:\Windows\syswow64\ws2_32.DLL!ioctlsocket + 38 0000000076da30aa 7 bytes JMP 0000000004220095 .text C:\Program Files (x86)\DesktopNerds\Gamma Control\GC.exe[2096] C:\Windows\syswow64\ws2_32.DLL!recv + 202 0000000076da6bd8 7 bytes JMP 000000000422002d .text C:\Program Files (x86)\DesktopNerds\Gamma Control\GC.exe[2096] C:\Windows\syswow64\ws2_32.DLL!WSARecv + 185 0000000076da7142 7 bytes JMP 00000000042200c9 .text C:\Program Files (x86)\DesktopNerds\Gamma Control\GC.exe[2096] C:\Windows\syswow64\ws2_32.DLL!WSARecvFrom + 148 0000000076dacc3a 7 bytes JMP 0000000004220061 .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075471465 2 bytes [47, 75] .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754714bb 2 bytes [47, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\PeerManager.exe[2584] C:\Windows\syswow64\WS2_32.dll!ioctlsocket + 38 0000000076da30aa 7 bytes JMP 0000000000830095 .text C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\PeerManager.exe[2584] C:\Windows\syswow64\WS2_32.dll!recv + 202 0000000076da6bd8 7 bytes JMP 000000000083002d .text C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\PeerManager.exe[2584] C:\Windows\syswow64\WS2_32.dll!WSARecv + 185 0000000076da7142 7 bytes JMP 00000000008300c9 .text C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\PeerManager.exe[2584] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom + 148 0000000076dacc3a 7 bytes JMP 0000000000830061 .text C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\PeerManager.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075471465 2 bytes [47, 75] .text C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\PeerManager.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754714bb 2 bytes [47, 75] .text ... * 2 ---- EOF - GMER 2.2 ----