GMER 2.1.19355 - http://www.gmer.net
Rootkit scan 2014-01-26 00:21:43
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.01.0 298,09GB
Running: orehmh37.exe; Driver: C:\Users\Pawel\AppData\Local\Temp\pwddrkog.sys


---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528   fffff80002deb000 45 bytes [00, 00, 15, 02, 46, 69, 6C, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575   fffff80002deb02f 16 bytes [00, 20, 31, 57, 04, 80, FA, ...]

---- User code sections - GMER 2.1 ----

.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076411465 2 bytes [41, 76]
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000764114bb 2 bytes [41, 76]
.text   ...   * 2
.text   C:\Users\Pawel\AppData\Local\fst_pl_30\upfst_pl_30.exe[3552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076411465 2 bytes [41, 76]
.text   C:\Users\Pawel\AppData\Local\fst_pl_30\upfst_pl_30.exe[3552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000764114bb 2 bytes [41, 76]
.text   ...   * 2
.text   C:\Windows\AsScrPro.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076411465 2 bytes [41, 76]
.text   C:\Windows\AsScrPro.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000764114bb 2 bytes [41, 76]
.text   ...   * 2
.text   C:\Program Files (x86)\syncables\syncables desktop\syncables.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076411465 2 bytes [41, 76]
.text   C:\Program Files (x86)\syncables\syncables desktop\syncables.exe[3308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000764114bb 2 bytes [41, 76]
.text   ...   * 2
.text   C:\Program Files (x86)\syncables\syncables desktop\jre\bin\javaw.exe[252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076411465 2 bytes [41, 76]
.text   C:\Program Files (x86)\syncables\syncables desktop\jre\bin\javaw.exe[252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000764114bb 2 bytes [41, 76]
.text   ...   * 2
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[3388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076411465 2 bytes [41, 76]
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[3388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000764114bb 2 bytes [41, 76]
.text   ...   * 2
.text   C:\Program Files (x86)\AVG Secure Search\vprot.exe[4588] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69   0000000076411465 2 bytes [41, 76]
.text   C:\Program Files (x86)\AVG Secure Search\vprot.exe[4588] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155  00000000764114bb 2 bytes [41, 76]
.text   ...   * 2
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076411465 2 bytes [41, 76]
.text   C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000764114bb 2 bytes [41, 76]
.text   ...   * 2
.text   C:\Users\Pawel\AppData\Local\Temp\GPUTemp.exe[1688] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint   000000007733000c 1 byte [C3]
.text   C:\Users\Pawel\AppData\Local\Temp\GPUTemp.exe[1688] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin   00000000773bf8ea 5 bytes JMP 000000017736d5c1
.text   C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076411465 2 bytes [41, 76]
.text   C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[4024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000764114bb 2 bytes [41, 76]
.text   ...   * 2
.text   C:\Users\Pawel\Desktop\fixit\OTL.exe[3524] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69   0000000076411465 2 bytes [41, 76]
.text   C:\Users\Pawel\Desktop\fixit\OTL.exe[3524] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155  00000000764114bb 2 bytes [41, 76]
.text   ...   * 2

---- Processes - GMER 2.1 ----

Process  C:\Users\Pawel\AppData\Local\fst_pl_30\upfst_pl_30.exe (*** suspicious ***) @ C:\Users\Pawel\AppData\Local\fst_pl_30\upfst_pl_30.exe [3552]  0000000000fe0000
Library  C:\Users\Pawel\AppData\Roaming\newnext.me\nengine.dll (*** suspicious ***) @ C:\Windows\SysWOW64\rundll32.exe [3968]  00000000748a0000
Process  C:\Users\Pawel\AppData\Local\Temp\GPUTemp.exe (*** suspicious ***) @ C:\Users\Pawel\AppData\Local\Temp\GPUTemp.exe [1688](2014-01-08 19:42:  0000000000400000
Library  C:\Users\Pawel\AppData\Local\Temp\OpenCL.dll (*** suspicious ***) @ C:\Users\Pawel\AppData\Local\Temp\GPUTemp.exe [1688]  0000000010000000

---- EOF - GMER 2.1 ----
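The log above is GMER's line-oriented text output. What follows is an added triage script, not part of the posted log and not GMER's own code: it parses the three sections shown (kernel code patches, user-mode `.text` hooks with their folded `... * N` continuation lines, and the Process/Library list), then groups the user-mode hooks by patched target and patch bytes so that a patch present identically in many processes is separated from one unique to a single process. The sample input is a subset of the entries above, re-wrapped one entry per line as GMER writes them; the regular expressions are assumptions about the format derived from those lines only.

```python
import re
from collections import defaultdict

# Sample input: a subset of the GMER 2.1 log above, one entry per line.
SAMPLE_LOG = r"""
GMER 2.1.19355 - http://www.gmer.net
Rootkit scan 2014-01-26 00:21:43

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528   fffff80002deb000 45 bytes [00, 00, 15, 02, 46, 69, 6C, ...]

---- User code sections - GMER 2.1 ----

.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076411465 2 bytes [41, 76]
.text   C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000764114bb 2 bytes [41, 76]
.text   ...   * 2
.text   C:\Program Files (x86)\AVG Secure Search\vprot.exe[4588] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69   0000000076411465 2 bytes [41, 76]
.text   C:\Program Files (x86)\AVG Secure Search\vprot.exe[4588] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155  00000000764114bb 2 bytes [41, 76]
.text   ...   * 2
.text   C:\Users\Pawel\AppData\Local\Temp\GPUTemp.exe[1688] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint   000000007733000c 1 byte [C3]
.text   C:\Users\Pawel\AppData\Local\Temp\GPUTemp.exe[1688] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin   00000000773bf8ea 5 bytes JMP 000000017736d5c1

---- Processes - GMER 2.1 ----

Process  C:\Users\Pawel\AppData\Local\fst_pl_30\upfst_pl_30.exe (*** suspicious ***) @ C:\Users\Pawel\AppData\Local\fst_pl_30\upfst_pl_30.exe [3552]  0000000000fe0000
Library  C:\Users\Pawel\AppData\Roaming\newnext.me\nengine.dll (*** suspicious ***) @ C:\Windows\SysWOW64\rundll32.exe [3968]  00000000748a0000
Process  C:\Users\Pawel\AppData\Local\Temp\GPUTemp.exe (*** suspicious ***) @ C:\Users\Pawel\AppData\Local\Temp\GPUTemp.exe [1688](2014-01-08 19:42:  0000000000400000
Library  C:\Users\Pawel\AppData\Local\Temp\OpenCL.dll (*** suspicious ***) @ C:\Users\Pawel\AppData\Local\Temp\GPUTemp.exe [1688]  0000000010000000

---- EOF - GMER 2.1 ----
"""

# Assumed line shapes, derived from the entries above (not an official grammar).
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+(?P<module>.+?)!(?P<func>\w+)"
    r"(?:\s+\+\s+(?P<offset>\d+))?\s+(?P<addr>[0-9a-fA-F]{16})\s+"
    r"(?P<size>\d+)\s+bytes?\s+(?P<patch>.+)$")
COLLAPSED_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s+(?P<n>\d+)$")
PROC_RE = re.compile(
    r"^(?P<kind>Process|Library)\s+(?P<image>.+?)(?P<flag>\s+\(\*\*\* suspicious \*\*\*\))?"
    r"\s+@\s+(?P<host>.+?)\s+\[(?P<pid>\d+)\].*?\s+(?P<base>[0-9a-fA-F]{16})$")
KERNEL_RE = re.compile(
    r"^(?P<section>[A-Z][A-Z0-9]*)\s+(?P<module>.+?)!(?P<func>\w+)\s+\+\s+(?P<offset>\d+)"
    r"\s+(?P<addr>[0-9a-fA-F]{16})\s+(?P<size>\d+)\s+bytes?\s+(?P<patch>.+)$")


def parse_gmer(text):
    """Split a GMER log into kernel patches, user-mode hooks and process entries."""
    kernel, hooks, procs, last_hook = [], [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := HOOK_RE.match(line)):
            last_hook = m.groupdict()
            hooks.append(last_hook)
        elif (m := COLLAPSED_RE.match(line)) and last_hook is not None:
            # GMER folds further similar entries for the same process into "... * N".
            last_hook["collapsed_more"] = int(m.group("n"))
        elif (m := PROC_RE.match(line)):
            d = m.groupdict()
            d["suspicious"] = d.pop("flag") is not None
            procs.append(d)
        elif (m := KERNEL_RE.match(line)):
            kernel.append(m.groupdict())
    return {"kernel": kernel, "hooks": hooks, "processes": procs}


def triage(parsed):
    """Group hooks by (module, function, offset, patch bytes); count distinct processes."""
    by_target = defaultdict(set)
    for h in parsed["hooks"]:
        key = (h["module"].lower(), h["func"], int(h["offset"] or 0), h["patch"])
        by_target[key].add((h["proc"], int(h["pid"])))
    return {
        "widespread": {k: v for k, v in by_target.items() if len(v) > 1},
        "outliers": {k: v for k, v in by_target.items() if len(v) == 1},
        "suspicious": [p for p in parsed["processes"] if p["suspicious"]],
    }


def summarize(text):
    """Flat, sortable summary of what to look at first."""
    t = triage(parse_gmer(text))
    return {
        "widespread_targets": sorted(f"{m}!{f}+{o}" for (m, f, o, _) in t["widespread"]),
        "outlier_targets": sorted(f"{m}!{f}+{o}" for (m, f, o, _) in t["outliers"]),
        "suspicious_images": sorted(p["image"] for p in t["suspicious"]),
        "suspicious_pids": sorted({int(p["pid"]) for p in t["suspicious"]}),
    }


if __name__ == "__main__":
    for section, items in summarize(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

On this input the grouping separates the 2-byte GetModuleInformation patch, which is byte-for-byte identical in every 32-bit process GMER listed, from the two ntdll patches that exist only in GPUTemp.exe (DbgBreakPoint overwritten with C3, the x86 `ret` opcode, and DbgUiRemoteBreakin redirected with a JMP, a pattern commonly used to stop a debugger from attaching). GMER independently marks GPUTemp.exe and the OpenCL.dll it loaded from Temp as suspicious, so that pair is the first thing to pull for analysis; a patch that appears identically in every process should be compared against a known-clean machine of the same build before it is treated as malicious.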