GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-08-14 20:45:17
Windows 6.2.9200 x64 \Device\Harddisk1\DR1 -> \Device\00000039 PLEXTOR_PX-128M5M rev.1.05 119,24GB
Running: x9gmq1zl.exe; Driver: C:\Users\bonczo1\AppData\Local\Temp\uxldqpog.sys


---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable  fffff9600009a600 15 bytes [00, F8, 09, 02, 80, 32, 72, ...]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 16  fffff9600009a610 11 bytes [00, BC, FB, FF, 00, 77, B2, ...]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\Qualcomm Atheros\Network Manager\KillerService.exe[1928] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffd5ca4169a 4 bytes [A4, 5C, FD, 7F]
.text  C:\Program Files\Qualcomm Atheros\Network Manager\KillerService.exe[1928] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffd5ca416a2 4 bytes [A4, 5C, FD, 7F]
.text  C:\Program Files\Qualcomm Atheros\Network Manager\KillerService.exe[1928] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffd5ca4181a 4 bytes [A4, 5C, FD, 7F]
.text  C:\Program Files\Qualcomm Atheros\Network Manager\KillerService.exe[1928] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffd5ca41832 4 bytes [A4, 5C, FD, 7F]
.text  C:\Windows\System32\dwm.exe[6424] C:\Windows\system32\KERNEL32.DLL!K32GetModuleInformation  00007ffd5ca528c0 7 bytes JMP 00007ffe5a6802d0
.text  C:\Windows\System32\dwm.exe[6424] C:\Windows\system32\KERNEL32.DLL!RegQueryValueExW  00007ffd5ca543d8 7 bytes JMP 00007ffe5a680308
.text  C:\Windows\System32\dwm.exe[6424] C:\Windows\system32\KERNEL32.DLL!RegSetValueExA  00007ffd5cb01f20 7 bytes JMP 00007ffe5a680378
.text  C:\Windows\System32\dwm.exe[6424] C:\Windows\system32\KERNEL32.DLL!RegSetValueExW  00007ffd5cb040b4 7 bytes JMP 00007ffe5a6803b0
.text  C:\Windows\System32\dwm.exe[6424] C:\Windows\system32\KERNEL32.DLL!RegDeleteValueW  00007ffd5cb04510 7 bytes JMP 00007ffe5a680340
.text  C:\Windows\System32\dwm.exe[6424] C:\Windows\system32\KERNEL32.DLL!K32GetModuleFileNameExW  00007ffd5cb04af0 7 bytes JMP 00007ffe5a680260
.text  C:\Windows\System32\dwm.exe[6424] C:\Windows\system32\KERNEL32.DLL!K32EnumProcessModulesEx  00007ffd5cb2cea0 7 bytes JMP 00007ffe5a680228
.text  C:\Windows\System32\dwm.exe[6424] C:\Windows\system32\KERNEL32.DLL!K32GetMappedFileNameW  00007ffd5cb2cf10 7 bytes JMP 00007ffe5a680298
.text  C:\Windows\System32\dwm.exe[6424] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW  00007ffd5a6e2300 7 bytes JMP 00007ffe5a6800d8
.text  C:\Windows\System32\dwm.exe[6424] C:\Windows\system32\KERNELBASE.dll!FreeLibrary  00007ffd5a6e5770 5 bytes JMP 00007ffe5a680180
.text  C:\Windows\System32\dwm.exe[6424] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW  00007ffd5a6e5860 5 bytes JMP 00007ffe5a680148
.text  C:\Windows\System32\dwm.exe[6424] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW  00007ffd5a6e5a30 5 bytes JMP 00007ffe5a680110
.text  C:\Windows\System32\dwm.exe[6424] C:\Windows\system32\USER32.dll!CreateWindowExW  00007ffd5cc4b6f4 10 bytes JMP 00007ffe5a680490
.text  C:\Windows\System32\dwm.exe[6424] C:\Windows\system32\USER32.dll!EnumDisplayDevicesW  00007ffd5cc545d8 5 bytes JMP 00007ffe5a680458
.text  C:\Windows\System32\dwm.exe[6424] C:\Windows\system32\USER32.dll!DisplayConfigGetDeviceInfo  00007ffd5cc54750 9 bytes JMP 00007ffe5a6803e8
.text  C:\Windows\System32\dwm.exe[6424] C:\Windows\system32\USER32.dll!EnumDisplayDevicesA  00007ffd5cc64fc0 5 bytes JMP 00007ffe5a680420
.text  C:\Windows\System32\dwm.exe[6424] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList  00007ffd5c151500 8 bytes JMP 00007ffe5a6801b8
.text  C:\Windows\System32\dwm.exe[6424] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo  00007ffd5c151750 8 bytes JMP 00007ffe5a6801f0
.text  C:\Windows\system32\nvvsvc.exe[5552] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffd5ca4169a 4 bytes [A4, 5C, FD, 7F]
.text  C:\Windows\system32\nvvsvc.exe[5552] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffd5ca416a2 4 bytes [A4, 5C, FD, 7F]
.text  C:\Windows\system32\nvvsvc.exe[5552] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffd5ca4181a 4 bytes [A4, 5C, FD, 7F]
.text  C:\Windows\system32\nvvsvc.exe[5552] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffd5ca41832 4 bytes [A4, 5C, FD, 7F]
.text  C:\Windows\Explorer.EXE[4520] C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 194  00007ffd54141f6a 4 bytes [14, 54, FD, 7F]
.text  C:\Windows\Explorer.EXE[4520] C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 218  00007ffd54141f82 4 bytes [14, 54, FD, 7F]
.text  F:\Teamspeak\ts3client_win64.exe[4764] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffd5ca4169a 4 bytes [A4, 5C, FD, 7F]
.text  F:\Teamspeak\ts3client_win64.exe[4764] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffd5ca416a2 4 bytes [A4, 5C, FD, 7F]
.text  F:\Teamspeak\ts3client_win64.exe[4764] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffd5ca4181a 4 bytes [A4, 5C, FD, 7F]
.text  F:\Teamspeak\ts3client_win64.exe[4764] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffd5ca41832 4 bytes [A4, 5C, FD, 7F]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [1888:6376]  fffff96000809b90
Thread  C:\Windows\Explorer.EXE [4520:5784]  00007ffd50a9d6bc
Thread  C:\Windows\Explorer.EXE [4520:3476]  00007ffd50a9d6bc

---- Processes - GMER 2.1 ----

Library  C:\Program Files\WindowsApps\Microsoft.SkypeApp_3.1.0.1005_x86__kzf8qxf38zg5c\Microsoft.PerfTrack.dll (*** suspicious ***) @ C:\Windows\syswow64\wwahost.exe [6136] (Microsoft.PerfTrack.dll/Microsoft Corporation)(2014-05-17 21:04:24)  0000000060460000
Library  C:\Program Files\WindowsApps\Microsoft.SkypeApp_3.1.0.1005_x86__kzf8qxf38zg5c\LibWrap.dll (*** suspicious ***) @ C:\Windows\syswow64\wwahost.exe [6136] (Microsoft Skype/Microsoft Corporation)(2014-08-13 13:09:59)  0000000057230000
Library  C:\Users\bonczo1\AppData\Local\Temp\~E9E5.tmp (*** suspicious ***) @ C:\Program Files (x86)\Steam\Steam.exe [5900](2014-08-14 16:03:57)  0000000010000000

---- Services - GMER 2.1 ----

Service  C:\Program Files (x86)\Windows Defender\MsMpEng.exe (*** hidden *** )  [AUTO] WinDefend  <-- ROOTKIT !!!

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  -1719530128
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\240a649cf6b2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\54271e5db5d5
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\54271e5db5d5@3039263abb64  0x15 0x07 0x7E 0x2A ...
Reg  HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation  C:\Users\bonczo1\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppHang_microsoft.window_ebfd4e9c01dd3587ed5fd633abdd0ece52f92ae_0906c525_116cf153

---- Files - GMER 2.1 ----

File  C:\Program Files (x86)\Steam\appcache\httpcache\5b\5b01adffebf5569273c4d25e0377520ea8f0c723_da39a3ee5e6b4b0d3255bfef95601890afd80709  1987 bytes
File  C:\Program Files (x86)\Steam\appcache\httpcache\d9\d906f575e92daf0994ab2773d1479718dde7ae7f_da39a3ee5e6b4b0d3255bfef95601890afd80709  0 bytes

---- EOF - GMER 2.1 ----
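The report above is raw GMER output, and its findings fall into three different buckets that the log does not separate. The dwm.exe entries are real inline hooks: export prologues overwritten with a JMP, and every target lies in the same 4 KiB page (0x00007ffe5a680xxx), so one module loaded in that process owns the trampoline table and is the thing to attribute. The 4-byte entries against PSAPI.DLL and WSOCK32.dll look different on inspection: the four bytes read little-endian (A4 5C FD 7F = 0x7ffd5ca4; 14 54 FD 7F = 0x7ffd5414) equal bits 16..47 of the patched address (0x00007ffd5ca4xxxx, 0x00007ffd5414xxxx), which is exactly how an ASLR-relocated absolute pointer embedded in code differs from the on-disk image, and not how a hook looks. The hidden WinDefend service is GMER's widely reported false positive for Defender's self-protected service on Windows 8 and should be corroborated by other means rather than taken as proof of a rootkit. The script below, an added example that is not part of GMER or of this report, turns those checks into a triage pass over the log. The class names are its own, the relocation test is a heuristic, and the embedded SAMPLE_REPORT is a constructed subset of the lines above.

```python
"""Triage pass over a GMER 2.1 text report (added example, not GMER's own code).

Classifies every ".text" entry of the code sections, lists hidden services and
groups inline-hook targets by page. Class names are this script's own; the
relocation test is a heuristic, not proof.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
TEXT_RE = re.compile(
    r"^\.text\s+"
    r"(?:(?P<proc>.+?)\[(?P<pid>\d+)\]\s+)?"     # user mode only: <process>[<pid>]
    r"(?P<module>\S+?)!(?P<symbol>\S+)"          # <module>!<export>
    r"(?:\s*\+\s*(?P<offset>\d+))?\s+"           # optional " + <offset into export>"
    r"(?P<addr>[0-9a-fA-F]{8,16})\s+(?P<size>\d+) bytes\s+"
    r"(?P<patch>.+)$"                            # "JMP <target>" or "[b0, b1, ...]"
)
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)"
)


def classify(addr, size, patch):
    """Return (kind, detail) for one code-section entry.

    inline-jmp: prologue replaced by a JMP; detail is the target address, which
                still has to be attributed to a module inside that process.
    reloc-like: 4-byte diff whose little-endian value equals bits 16..47 of the
                patched address, i.e. the high half of an absolute pointer into
                the same 64 KiB-aligned region. That is how an ASLR-relocated
                pointer embedded in code differs from the on-disk image.
    review:     everything else (e.g. the win32k W32pServiceTable diffs).
    """
    m = re.match(r"JMP\s+([0-9a-fA-F]+)$", patch)
    if m:
        return "inline-jmp", int(m.group(1), 16)
    byts = re.findall(r"\b[0-9A-Fa-f]{2}\b", patch)
    if size == 4 and len(byts) == 4 and "..." not in patch:
        value = int.from_bytes(bytes(int(b, 16) for b in byts), "little")
        if value == (addr >> 16) & 0xFFFFFFFF:
            return "reloc-like", value
    return "review", None


def parse_report(text):
    """Walk the report section by section; return code entries and hidden services."""
    section, code, hidden = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
        elif section and section.endswith("code sections") and (m := TEXT_RE.match(line)):
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["kind"], e["detail"] = classify(int(e["addr"], 16), e["size"], e["patch"])
            code.append(e)
        elif section == "Services" and (m := SERVICE_RE.match(line)):
            hidden.append(m.groupdict())
    return {"code": code, "hidden_services": hidden}


def jmp_target_pages(findings):
    """Per (process, pid): sorted distinct 4 KiB pages the JMP targets land on.
    Targets that share one page share one trampoline table, i.e. one injected
    module to identify (e.g. with 'lm' or '!address' in a debugger)."""
    pages = defaultdict(set)
    for e in findings["code"]:
        if e["kind"] == "inline-jmp":
            pages[(e["proc"], e["pid"])].add(e["detail"] >> 12)
    return {k: sorted(v) for k, v in pages.items()}


def kinds(findings):
    """Kind of every code entry, in report order."""
    return [e["kind"] for e in findings["code"]]


# Constructed subset of the report above: a few lines from each relevant section.
SAMPLE_REPORT = r"""
---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable  fffff9600009a600 15 bytes [00, F8, 09, 02, 80, 32, 72, ...]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\Qualcomm Atheros\Network Manager\KillerService.exe[1928] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffd5ca4169a 4 bytes [A4, 5C, FD, 7F]
.text  C:\Windows\System32\dwm.exe[6424] C:\Windows\system32\KERNEL32.DLL!K32GetModuleInformation  00007ffd5ca528c0 7 bytes JMP 00007ffe5a6802d0
.text  C:\Windows\System32\dwm.exe[6424] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW  00007ffd5a6e5860 5 bytes JMP 00007ffe5a680148
.text  C:\Windows\System32\dwm.exe[6424] C:\Windows\system32\USER32.dll!CreateWindowExW  00007ffd5cc4b6f4 10 bytes JMP 00007ffe5a680490
.text  C:\Windows\Explorer.EXE[4520] C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 194  00007ffd54141f6a 4 bytes [14, 54, FD, 7F]

---- Services - GMER 2.1 ----

Service  C:\Program Files (x86)\Windows Defender\MsMpEng.exe (*** hidden *** )  [AUTO] WinDefend  <-- ROOTKIT !!!

---- EOF - GMER 2.1 ----
"""

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for e in found["code"]:
        print(f'{e["kind"]:10} {e["proc"] or "kernel"} {e["module"]}!{e["symbol"]} @ {e["addr"]}')
    for (proc, pid), pages in jmp_target_pages(found).items():
        print(f"{proc}[{pid}]: JMP targets all in page(s) {[hex(p << 12) for p in pages]}")
    for s in found["hidden_services"]:
        print(f'hidden service {s["name"]} ({s["path"]}): corroborate before trusting it')
```

Run it against the full report by replacing SAMPLE_REPORT with the file contents (Python 3.8 or newer). The "reloc-like" verdict only says the bytes are consistent with relocation; an "inline-jmp" verdict is the finding that needs follow-up, and the page grouping tells you how many distinct injected modules to go looking for in each process.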