GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-06-02 12:21:54 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-5 WDC_WD1200JS-00MHB0 rev.02.01C03 111,79GB Running: qd1y4yyr.exe; Driver: C:\Users\Lambert\AppData\Local\Temp\ufryapog.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c61465 2 bytes [C6, 75] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeSvc2.exe[328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c614bb 2 bytes [C6, 75] .text ... * 2 .text C:\Windows\Explorer.EXE[1964] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007734e7b0 5 bytes JMP 0000000077320fd3 .text C:\Program Files (x86)\Elex-tech\YAC\iSafeTray.exe[2088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c61465 2 bytes [C6, 75] .text C:\Program Files (x86)\Elex-tech\YAC\iSafeTray.exe[2088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c614bb 2 bytes [C6, 75] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076501bb2 5 bytes JMP 00000000009e8c60 .text D:\Program Files (x86)\Origin\Origin.exe[2588] C:\Windows\syswow64\kernel32.dll!CreateFileW 0000000076143f5c 13 bytes JMP 0000000063fb1300 .text D:\Program Files (x86)\Origin\Origin.exe[2588] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000076558e4e 5 bytes JMP 0000000063fb1150 .text D:\Program Files (x86)\Origin\Origin.exe[2588] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076560dfb 5 bytes JMP 0000000063fb0f90 .text D:\Program Files (x86)\Origin\Origin.exe[2588] C:\Windows\syswow64\USER32.dll!SetFocus 0000000076562175 5 bytes JMP 0000000063fb1080 .text D:\Program Files (x86)\Origin\Origin.exe[2588] C:\Windows\syswow64\USER32.dll!SetActiveWindow 0000000076563208 5 bytes JMP 0000000063fb1230 .text D:\Program Files (x86)\Origin\Origin.exe[2588] C:\Windows\syswow64\USER32.dll!BringWindowToTop 0000000076567b3b 13 bytes JMP 0000000063fb0d00 .text D:\Program Files (x86)\Origin\Origin.exe[2588] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 000000007657f170 13 bytes JMP 0000000063fb0c30 .text D:\Program Files (x86)\Origin\Origin.exe[2588] C:\Windows\syswow64\USER32.dll!SwitchToThisWindow 00000000765990fc 13 bytes JMP 0000000063fb0dd0 .text D:\Program Files (x86)\Origin\Origin.exe[2588] C:\Windows\syswow64\USER32.dll!ShowWindowAsync 00000000765b7d97 5 bytes JMP 0000000063fb0ea0 .text D:\Program Files (x86)\Origin\Origin.exe[2588] C:\Windows\syswow64\ole32.dll!DoDragDrop 000000007580a827 13 bytes JMP 0000000063fb0b60 .text D:\Program Files (x86)\Origin\Origin.exe[2588] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c61465 2 bytes [C6, 75] .text D:\Program Files (x86)\Origin\Origin.exe[2588] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c614bb 2 bytes [C6, 75] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c61465 2 bytes [C6, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c614bb 2 bytes [C6, 75] .text ... * 2 .text C:\Windows\SysWOW64\PnkBstrA.exe[2684] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000071351a22 2 bytes [35, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[2684] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000071351ad0 2 bytes [35, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[2684] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000071351b08 2 bytes [35, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[2684] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000071351bba 2 bytes [35, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[2684] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000071351bda 2 bytes [35, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[2684] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c61465 2 bytes [C6, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2684] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c614bb 2 bytes [C6, 75] .text ... * 2 .text D:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c61465 2 bytes [C6, 75] .text D:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c614bb 2 bytes [C6, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c61465 2 bytes [C6, 75] .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c614bb 2 bytes [C6, 75] .text ... * 2 ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE[USER32.dll!MoveWindow] [7fef7c61a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE[USER32.dll!DeferWindowPos] [7fef7c61da0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE[USER32.dll!EndPaint] [7fef7c61f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\Explorer.EXE[USER32.dll!SetWindowPos] [7fef7c61bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\SHELL32.dll[USER32.dll!MoveWindow] [7fef7c61a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowPos] [7fef7c61bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\SHELL32.dll[USER32.dll!DeferWindowPos] [7fef7c61da0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\SHELL32.dll[USER32.dll!EndPaint] [7fef7c61f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\ole32.dll[USER32.dll!MoveWindow] [7fef7c61a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!EndPaint] [7fef7c61f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!MoveWindow] [7fef7c61a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!SetWindowPos] [7fef7c61bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\DUser.dll[USER32.dll!EndPaint] [7fef7c61f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\DUI70.dll[USER32.dll!SetWindowPos] [7fef7c61bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\IMM32.dll[USER32.dll!EndPaint] [7fef7c61f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\IMM32.dll[USER32.dll!SetWindowPos] [7fef7c61bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\MSCTF.dll[USER32.dll!MoveWindow] [7fef7c61a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\MSCTF.dll[USER32.dll!EndPaint] [7fef7c61f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWindowPos] [7fef7c61bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\UxTheme.dll[USER32.dll!SetWindowPos] [7fef7c61bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!MoveWindow] [7fef7c61a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!SetWindowPos] [7fef7c61bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!DeferWindowPos] [7fef7c61da0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!SetWindowPos] [7fef7c61bf0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!MoveWindow] [7fef7c61a60] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll IAT C:\Windows\Explorer.EXE[1964] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll[USER32.dll!EndPaint] [7fef7c61f40] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\svchost.exe [1080:2280] 00000000012213a4 Thread C:\Windows\system32\svchost.exe [1080:2284] 00000000012213a4 Thread C:\Windows\system32\svchost.exe [1080:2288] 00000000012213a4 Thread C:\Windows\system32\svchost.exe [1080:2624] 00000000012173fc Thread C:\Windows\system32\svchost.exe [1080:2628] 00000000012173fc Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4016:1416] 000007fefbb62ab8 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ?"???n??????????????????????????1????????????????&P?????????????????????????????SysClass.Dll,CriticalDeviceCoInstaller??????????????????????????? ??????????????????????????????T?7?&???????????????????????LegacyDriver??????T???????????c???????????????P?????????????????????????????????@%SystemRoot%\System32\SysClass.Dll,-3003???Non-Plug and Play Drivers?Class.Dll,-3003???? ?????????????????????0???????????? ???????????%SystemRoot%\System32\setupapi.dll,-19????????,?????????????1???????????????????1?????????????????,?????????????? ??1???????????l?????T??????????????2??SysClass.Dll,LegacyDriverPropPageProvider???????????????????????? ??????????????????????????????P???&???????????????????????Media Center Extender?????P???????????c?????@%SystemRoot%\system32\McxDriv.dll,-100?????Media Center Extender?\McxDriv.dll,-100?????? ?????????????????????0???????????? ?????????????????????0????????????2????McxDriv.dll,Mcx2Install?????MEDIA?????????P?????????????%systemroot%\system32\McxDriv.dll,-101??????? ??1???????????l?? ---- EOF - GMER 2.2 ----