GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-20 19:45:25 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0003 465,76GB Running: gmer.exe; Driver: C:\Users\Iza\AppData\Local\Temp\uxriipow.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[2120] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000074d787c9 5 bytes JMP 0000000172621170 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074fe1465 2 bytes [FE, 74] .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[2120] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074fe14bb 2 bytes [FE, 74] .text ... * 2 .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2452] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000074d787c9 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074fe1465 2 bytes [FE, 74] .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074fe14bb 2 bytes [FE, 74] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074fe1465 2 bytes [FE, 74] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074fe14bb 2 bytes [FE, 74] .text ... * 2 .text C:\Windows\system32\taskhost.exe[2164] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdc645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\taskhost.exe[2164] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdc69480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system32\taskhost.exe[2164] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdc8e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\taskhost.exe[2164] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdc8e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\system32\Dwm.exe[2864] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdc645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\Dwm.exe[2864] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdc69480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system32\Dwm.exe[2864] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdc8e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\Dwm.exe[2864] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdc8e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\Explorer.EXE[1660] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefdc645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\Explorer.EXE[1660] C:\Windows\system32\WS2_32.dll!getsockname 000007fefdc69480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\Explorer.EXE[1660] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefdc8e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\Explorer.EXE[1660] C:\Windows\system32\WS2_32.dll!getpeername 000007fefdc8e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\system32\taskeng.exe[3160] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdc645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\taskeng.exe[3160] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdc69480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system32\taskeng.exe[3160] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdc8e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\taskeng.exe[3160] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdc8e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\AsScrPro.exe[3192] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074fe1465 2 bytes [FE, 74] .text C:\Windows\AsScrPro.exe[3192] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074fe14bb 2 bytes [FE, 74] .text ... * 2 .text C:\Windows\System32\igfxtray.exe[4600] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdc645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\System32\igfxtray.exe[4600] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdc69480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\System32\igfxtray.exe[4600] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdc8e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\System32\igfxtray.exe[4600] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdc8e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\System32\hkcmd.exe[3204] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdc645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\System32\hkcmd.exe[3204] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdc69480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\System32\hkcmd.exe[3204] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdc8e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\System32\hkcmd.exe[3204] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdc8e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\System32\igfxpers.exe[4680] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdc645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\System32\igfxpers.exe[4680] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdc69480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\System32\igfxpers.exe[4680] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdc8e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\System32\igfxpers.exe[4680] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdc8e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3456] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdc645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3456] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdc69480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3456] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdc8e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3456] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdc8e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3048] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdc645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3048] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdc69480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3048] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdc8e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3048] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdc8e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2252] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefdc645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2252] C:\Windows\system32\WS2_32.dll!getsockname 000007fefdc69480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2252] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefdc8e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2252] C:\Windows\system32\WS2_32.dll!getpeername 000007fefdc8e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2392] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefdc645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2392] C:\Windows\system32\WS2_32.dll!getsockname 000007fefdc69480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2392] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefdc8e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2392] C:\Windows\system32\WS2_32.dll!getpeername 000007fefdc8e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[4808] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefdc645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[4808] C:\Windows\system32\WS2_32.dll!getsockname 000007fefdc69480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[4808] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefdc8e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[4808] C:\Windows\system32\WS2_32.dll!getpeername 000007fefdc8e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1792] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdc645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1792] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdc69480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1792] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdc8e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1792] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdc8e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files (x86)\CyberLink\PowerDVD13\PowerDVD13Agent.exe[3004] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000074d787c9 5 bytes JMP 0000000172621170 .text C:\Program Files (x86)\CyberLink\PowerDVD13\PowerDVD13Agent.exe[3004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074fe1465 2 bytes [FE, 74] .text C:\Program Files (x86)\CyberLink\PowerDVD13\PowerDVD13Agent.exe[3004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074fe14bb 2 bytes [FE, 74] .text ... * 2 .text C:\Program Files (x86)\CyberLink\PowerDVD13\PowerDVD13Agent.exe[3004] C:\Windows\syswow64\WS2_32.dll!ioctlsocket + 38 0000000075a630aa 7 bytes JMP 0000000107490095 .text C:\Program Files (x86)\CyberLink\PowerDVD13\PowerDVD13Agent.exe[3004] C:\Windows\syswow64\WS2_32.dll!recv + 202 0000000075a66bd8 7 bytes JMP 000000010749002d .text C:\Program Files (x86)\CyberLink\PowerDVD13\PowerDVD13Agent.exe[3004] C:\Windows\syswow64\WS2_32.dll!WSARecv + 185 0000000075a67142 7 bytes JMP 00000001074900c9 .text C:\Program Files (x86)\CyberLink\PowerDVD13\PowerDVD13Agent.exe[3004] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom + 148 0000000075a6cc3a 7 bytes JMP 0000000107490061 ? C:\Windows\system32\mssprxy.dll [3004] entry point in ".rdata" section 00000000732871e6 .text F:\Nowy folder\OTL_2.exe[6060] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000074fe1465 2 bytes [FE, 74] .text F:\Nowy folder\OTL_2.exe[6060] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 0000000074fe14bb 2 bytes [FE, 74] .text ... * 2 .text C:\Windows\system32\wuauclt.exe[1796] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdc645c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\wuauclt.exe[1796] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdc69480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system32\wuauclt.exe[1796] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdc8e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\wuauclt.exe[1796] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdc8e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} ---- Processes - GMER 2.1 ---- Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F2046363-D9E8-4330-891E-A7DD03BAE7DE}\offreg.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [2888](2014-05-20 15:13:56) 000007fefa550000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f683b95f3 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f683b95f3 (not active ControlSet) ---- Files - GMER 2.1 ---- File C:\Windows\SoftwareDistribution\DataStore\Logs\edb000C4.log 1310720 bytes File C:\Windows\SoftwareDistribution\DataStore\Logs\edb000C5.log 0 bytes File C:\Windows\SoftwareDistribution\DataStore\Logs\edb000C6.log 0 bytes File C:\Windows\SoftwareDistribution\DataStore\Logs\edb000C7.log 0 bytes File C:\Windows\SoftwareDistribution\DataStore\Logs\edb000C8.log 0 bytes File C:\Windows\SoftwareDistribution\DataStore\Logs\edb000C9.log 0 bytes File C:\Windows\SoftwareDistribution\DataStore\Logs\edb000CA.log 0 bytes File C:\Windows\SoftwareDistribution\DataStore\Logs\edb000CB.log 0 bytes File C:\Windows\SoftwareDistribution\DataStore\Logs\edb000CC.log 0 bytes File C:\Windows\SoftwareDistribution\DataStore\Logs\edb000CD.log 0 bytes File C:\Windows\SoftwareDistribution\DataStore\Logs\edb000CE.log 0 bytes File C:\Windows\SoftwareDistribution\DataStore\Logs\edb000CF.log 0 bytes File C:\Windows\System32\catroot2\edb02950.log 65536 bytes ---- EOF - GMER 2.1 ----