GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-02 15:37:08 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB Running: 7l4rbcb2.exe; Driver: C:\Users\WIECZO~1\AppData\Local\Temp\pxdoqfog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800039f1000 34 bytes [00, 00, 08, 04, 4D, 46, 45, ...] INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 563 fffff800039f1023 10 bytes [00, 52, 00, 44, 00, 44, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\ProgramData\IePluginService\PluginService.exe[1204] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077511465 2 bytes [51, 77] .text C:\ProgramData\IePluginService\PluginService.exe[1204] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775114bb 2 bytes [51, 77] .text ... * 2 .text C:\windows\system32\taskhost.exe[2092] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda58ef0 5 bytes JMP 000007fffda400b8 .text C:\windows\system32\taskhost.exe[2092] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefda5bfd0 5 bytes JMP 000007fffda40038 .text C:\windows\system32\taskhost.exe[2092] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe997490 5 bytes JMP 000007fffda40138 .text C:\windows\system32\taskhost.exe[2092] C:\windows\system32\WINMM.dll!waveOutReset 000007fefa46a38c 5 bytes JMP 000007fefda402b8 .text C:\windows\system32\taskhost.exe[2092] C:\windows\system32\WINMM.dll!waveOutPause 000007fefa484b60 5 bytes JMP 000007fefda40238 .text C:\windows\system32\taskhost.exe[2092] C:\windows\system32\WINMM.dll!waveOutRestart 000007fefa484ba0 5 bytes JMP 000007fefda401b8 .text C:\windows\system32\Dwm.exe[2180] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda58ef0 5 bytes JMP 000007fffda300b8 .text C:\windows\system32\Dwm.exe[2180] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefda5bfd0 5 bytes JMP 000007fffda30038 .text C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe[3300] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda58ef0 5 bytes JMP 000007fffda300b8 .text C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe[3300] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefda5bfd0 5 bytes JMP 000007fffda30038 .text C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe[3300] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe997490 5 bytes JMP 000007fffda30138 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3380] C:\windows\system32\kernel32.dll!LoadLibraryW 00000000779d6440 5 bytes JMP 0000000169ff0038 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3380] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda58ef0 5 bytes JMP 000007fffda400b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3380] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefda5bfd0 5 bytes JMP 000007fffda40038 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3380] C:\windows\system32\WINMM.dll!waveOutReset 000007fefa46a38c 5 bytes JMP 000007fefda402b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3380] C:\windows\system32\WINMM.dll!waveOutPause 000007fefa484b60 5 bytes JMP 000007fefda40238 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3380] C:\windows\system32\WINMM.dll!waveOutRestart 000007fefa484ba0 5 bytes JMP 000007fefda401b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3380] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe997490 5 bytes JMP 000007fffda40138 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3416] C:\windows\system32\kernel32.dll!LoadLibraryW 00000000779d6440 5 bytes JMP 0000000169ff0038 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3416] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda58ef0 5 bytes JMP 000007fffda400b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3416] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefda5bfd0 5 bytes JMP 000007fffda40038 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3416] C:\windows\system32\WINMM.dll!waveOutReset 000007fefa46a38c 5 bytes JMP 000007fefda402b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3416] C:\windows\system32\WINMM.dll!waveOutPause 000007fefa484b60 5 bytes JMP 000007fefda40238 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3416] C:\windows\system32\WINMM.dll!waveOutRestart 000007fefa484ba0 5 bytes JMP 000007fefda401b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[3416] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe997490 5 bytes JMP 000007fffda40138 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3452] C:\windows\system32\kernel32.dll!LoadLibraryW 00000000779d6440 5 bytes JMP 0000000169ff0038 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3452] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda58ef0 5 bytes JMP 000007fffda400b8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[3452] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefda5bfd0 5 bytes JMP 000007fffda40038 .text C:\Windows\WindowsMobile\wmdc.exe[3540] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda58ef0 5 bytes JMP 000007fffda400b8 .text C:\Windows\WindowsMobile\wmdc.exe[3540] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefda5bfd0 5 bytes JMP 000007fffda40038 .text C:\Windows\WindowsMobile\wmdc.exe[3540] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe997490 5 bytes JMP 000007fffda40138 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3632] C:\windows\syswow64\KERNEL32.dll!LoadLibraryExA 0000000076b248db 5 bytes JMP 00000001100027c0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3632] C:\windows\syswow64\KERNEL32.dll!LoadLibraryW 0000000076b248f3 5 bytes JMP 00000001100028a0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3632] C:\windows\syswow64\KERNEL32.dll!LoadLibraryExW 0000000076b24925 5 bytes JMP 0000000110002830 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3632] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000077569d0b 5 bytes JMP 0000000110002900 .text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[3640] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 0000000076b248db 5 bytes JMP 00000001100027c0 .text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[3640] C:\windows\syswow64\kernel32.dll!LoadLibraryW 0000000076b248f3 5 bytes JMP 00000001100028a0 .text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[3640] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 0000000076b24925 5 bytes JMP 0000000110002830 .text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[3640] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000077569d0b 5 bytes JMP 0000000110002900 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3820] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 0000000076b248db 5 bytes JMP 00000001002a27c0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3820] C:\windows\syswow64\kernel32.dll!LoadLibraryW 0000000076b248f3 5 bytes JMP 00000001002a28a0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3820] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 0000000076b24925 5 bytes JMP 00000001002a2830 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3820] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077511465 2 bytes [51, 77] .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3820] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775114bb 2 bytes [51, 77] .text ... * 2 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3820] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000077569d0b 5 bytes JMP 00000001002a2900 .text C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[3876] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 0000000076b248db 5 bytes JMP 00000001100027c0 .text C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[3876] C:\windows\syswow64\kernel32.dll!LoadLibraryW 0000000076b248f3 5 bytes JMP 00000001100028a0 .text C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[3876] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 0000000076b24925 5 bytes JMP 0000000110002830 .text C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[3876] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000077569d0b 5 bytes JMP 0000000110002900 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3896] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 0000000076b248db 5 bytes JMP 00000001100027c0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3896] C:\windows\syswow64\kernel32.dll!LoadLibraryW 0000000076b248f3 5 bytes JMP 00000001100028a0 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3896] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 0000000076b24925 5 bytes JMP 0000000110002830 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3896] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000077569d0b 5 bytes JMP 0000000110002900 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3932] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 0000000076b248db 5 bytes JMP 00000001100027c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3932] C:\windows\syswow64\kernel32.dll!LoadLibraryW 0000000076b248f3 5 bytes JMP 00000001100028a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3932] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 0000000076b24925 5 bytes JMP 0000000110002830 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3932] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000077569d0b 5 bytes JMP 0000000110002900 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3968] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077511465 2 bytes [51, 77] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3968] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775114bb 2 bytes [51, 77] .text ... * 2 .text c:\PROGRA~2\mcafee\SITEAD~1\saui.exe[1716] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 0000000076b248db 5 bytes JMP 00000001100027c0 .text c:\PROGRA~2\mcafee\SITEAD~1\saui.exe[1716] C:\windows\syswow64\kernel32.dll!LoadLibraryW 0000000076b248f3 5 bytes JMP 00000001100028a0 .text c:\PROGRA~2\mcafee\SITEAD~1\saui.exe[1716] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 0000000076b24925 5 bytes JMP 0000000110002830 .text c:\PROGRA~2\mcafee\SITEAD~1\saui.exe[1716] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077511465 2 bytes [51, 77] .text c:\PROGRA~2\mcafee\SITEAD~1\saui.exe[1716] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775114bb 2 bytes [51, 77] .text ... * 2 .text c:\PROGRA~2\mcafee\SITEAD~1\saui.exe[1716] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000077569d0b 5 bytes JMP 0000000110002900 .text C:\Program Files\McAfee\MAT\McPvTray.exe[848] C:\windows\system32\kernel32.dll!LoadLibraryW 00000000779d6440 5 bytes JMP 0000000169ff0038 .text C:\Program Files\McAfee\MAT\McPvTray.exe[848] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda58ef0 5 bytes JMP 000007fffda400b8 .text C:\Program Files\McAfee\MAT\McPvTray.exe[848] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefda5bfd0 5 bytes JMP 000007fffda40038 .text C:\Program Files\McAfee\MAT\McPvTray.exe[848] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe997490 5 bytes JMP 000007fffda40138 .text C:\Program Files\McAfee\MAT\McPvTray.exe[848] C:\windows\system32\WINMM.dll!waveOutReset 000007fefa46a38c 5 bytes JMP 000007fefda402b8 .text C:\Program Files\McAfee\MAT\McPvTray.exe[848] C:\windows\system32\WINMM.dll!waveOutPause 000007fefa484b60 5 bytes JMP 000007fefda40238 .text C:\Program Files\McAfee\MAT\McPvTray.exe[848] C:\windows\system32\WINMM.dll!waveOutRestart 000007fefa484ba0 5 bytes JMP 000007fefda401b8 .text C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe[3812] C:\windows\system32\kernel32.dll!LoadLibraryW 00000000779d6440 5 bytes JMP 0000000169ff0038 .text C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe[3812] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefda58ef0 5 bytes JMP 000007fffda300b8 .text C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe[3812] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefda5bfd0 5 bytes JMP 000007fffda30038 .text C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe[3812] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe997490 5 bytes JMP 000007fffda30138 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\windows\system32\mfevtps.exe[1944] @ C:\windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA] [13f52bbb0] C:\windows\system32\mfevtps.exe ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\f07bcbe9bb41 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\f07bcbe9bb41@a8e0183a72d2 0x09 0x43 0xC5 0x9F ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\f07bcbe9bb41@fca13eb6c1f6 0xD9 0x49 0xD6 0x55 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\f07bcbe9bb41@5cb524ce58b1 0x09 0xBC 0xBD 0xA3 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\f07bcbe9bb41@303926ca24b9 0x83 0xC6 0xE1 0x33 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\f07bcbe9bb41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\f07bcbe9bb41@a8e0183a72d2 0x09 0x43 0xC5 0x9F ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\f07bcbe9bb41@fca13eb6c1f6 0xD9 0x49 0xD6 0x55 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\f07bcbe9bb41@5cb524ce58b1 0x09 0xBC 0xBD 0xA3 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\f07bcbe9bb41@303926ca24b9 0x83 0xC6 0xE1 0x33 ... ---- EOF - GMER 2.1 ----