GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2014-12-30 13:29:57 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002b TOSHIBA_MQ01ABD100 rev.AX003M 931,51GB Running: m57g1hli.exe; Driver: C:\Users\CASTLE~1\AppData\Local\Temp\uwrcqpoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe[1936] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff858b1169a 4 bytes [B1, 58, F8, 7F] .text C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe[1936] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff858b116a2 4 bytes [B1, 58, F8, 7F] .text C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe[1936] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff858b1181a 4 bytes [B1, 58, F8, 7F] .text C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe[1936] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff858b11832 4 bytes [B1, 58, F8, 7F] .text C:\WINDOWS\system32\svchost.exe[2156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe[2164] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe[2164] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff858b1169a 4 bytes [B1, 58, F8, 7F] .text C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe[2164] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff858b116a2 4 bytes [B1, 58, F8, 7F] .text C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe[2164] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff858b1181a 4 bytes [B1, 58, F8, 7F] .text C:\Program Files\Reimage\Reimage Protector\ReiSystem.exe[2164] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff858b11832 4 bytes [B1, 58, F8, 7F] .text C:\Windows\system32\TODDSrv.exe[2192] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\WINDOWS\system32\conhost.exe[2300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\WINDOWS\system32\taskeng.exe[2920] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\WINDOWS\system32\taskhostex.exe[2928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\WINDOWS\system32\taskeng.exe[3016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\WINDOWS\Explorer.EXE[2896] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\Windows\System32\skydrive.exe[3732] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\Program Files\TOSHIBA\Teco\TecoService.exe[3884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\WINDOWS\system32\svchost.exe[3028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\WINDOWS\system32\SearchIndexer.exe[1660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\WINDOWS\System32\svchost.exe[4172] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\Windows\System32\RuntimeBroker.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\Windows\System32\igfxtray.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\Windows\System32\hkcmd.exe[4768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\Windows\System32\igfxpers.exe[4808] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\Windows\System32\igfxpers.exe[4808] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff858b1169a 4 bytes [B1, 58, F8, 7F] .text C:\Windows\System32\igfxpers.exe[4808] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff858b116a2 4 bytes [B1, 58, F8, 7F] .text C:\Windows\System32\igfxpers.exe[4808] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff858b1181a 4 bytes [B1, 58, F8, 7F] .text C:\Windows\System32\igfxpers.exe[4808] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff858b11832 4 bytes [B1, 58, F8, 7F] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe[4920] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\Program Files\TOSHIBA\Teco\TecoResident.exe[4948] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe[5080] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\WINDOWS\system32\wbem\unsecapp.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5780] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5780] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ff84fce1f6a 4 bytes [CE, 4F, F8, 7F] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5780] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ff84fce1f82 4 bytes [CE, 4F, F8, 7F] .text C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe[5324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe[4672] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\WINDOWS\System32\snmptrap.exe[1524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[5004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\WINDOWS\system32\taskhost.exe[3980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 .text C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe[5160] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff859311a10 5 bytes JMP 00007ff94e0b1000 ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [664:3000] fffff960008f3b90 Thread C:\WINDOWS\system32\svchost.exe [1300:3420] 00007ff8446d4608 Thread C:\WINDOWS\system32\svchost.exe [1300:4116] 00007ff844671584 Thread C:\WINDOWS\system32\svchost.exe [1300:4168] 00007ff8445f1b40 Thread C:\WINDOWS\system32\svchost.exe [1300:1604] 00007ff8446d1040 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----