GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-04 15:21:21
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000034 Hitachi_HTS545050A7E380 rev.GG2OA6C0 465,76GB
Running: krelf1du.exe; Driver: C:\Users\SAWEK~1\AppData\Local\Temp\ufldipod.sys

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\WLANExt.exe[1344] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffc6685169a 4 bytes [85, 66, FC, 7F]
.text C:\WINDOWS\system32\WLANExt.exe[1344] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffc668516a2 4 bytes [85, 66, FC, 7F]
.text C:\WINDOWS\system32\WLANExt.exe[1344] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffc6685181a 4 bytes [85, 66, FC, 7F]
.text C:\WINDOWS\system32\WLANExt.exe[1344] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffc66851832 4 bytes [85, 66, FC, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1824] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffc6685169a 4 bytes [85, 66, FC, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1824] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffc668516a2 4 bytes [85, 66, FC, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1824] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffc6685181a 4 bytes [85, 66, FC, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1824] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffc66851832 4 bytes [85, 66, FC, 7F]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1424] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffc6685169a 4 bytes [85, 66, FC, 7F]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1424] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffc668516a2 4 bytes [85, 66, FC, 7F]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1424] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffc6685181a 4 bytes [85, 66, FC, 7F]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1424] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffc66851832 4 bytes [85, 66, FC, 7F]
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2080] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffc6685169a 4 bytes [85, 66, FC, 7F]
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2080] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffc668516a2 4 bytes [85, 66, FC, 7F]
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2080] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffc6685181a 4 bytes [85, 66, FC, 7F]
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2080] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffc66851832 4 bytes [85, 66, FC, 7F]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2640] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffc6685169a 4 bytes [85, 66, FC, 7F]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2640] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffc668516a2 4 bytes [85, 66, FC, 7F]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2640] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffc6685181a 4 bytes [85, 66, FC, 7F]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2640] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffc66851832 4 bytes [85, 66, FC, 7F]
.text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2956] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffc6685169a 4 bytes [85, 66, FC, 7F]
.text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2956] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffc668516a2 4 bytes [85, 66, FC, 7F]
.text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2956] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffc6685181a 4 bytes [85, 66, FC, 7F]
.text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2956] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffc66851832 4 bytes [85, 66, FC, 7F]
.text + 194 00007ffc5d4e1f6a 4 bytes [4E, 5D, FC, 7F]
.text + 218 00007ffc5d4e1f82 4 bytes [4E, 5D, FC, 7F]
.text + 506 00007ffc6685169a 4 bytes [85, 66, FC, 7F]
.text + 514 00007ffc668516a2 4 bytes [85, 66, FC, 7F]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[msvcrt.dll!_initterm] [72007400530001]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[msvcrt.dll!malloc] [460067006e0069]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[msvcrt.dll!free] [490065006c0069]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[msvcrt.dll!memmove] [6f0066006e]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[msvcrt.dll!_amsg_exit] [30003900300034]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[msvcrt.dll!_XcptFilter] [3000420034]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[msvcrt.dll!wcsncmp] [4300010016004c]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[msvcrt.dll!memcpy] [610070006d006f]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[msvcrt.dll!memset] [61004e0079006e]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!RtlVirtualUnwind] [7200630069004d]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!RtlLookupFunctionEntry] [66006f0073006f]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!RtlCaptureContext] [6f004300200074]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!RtlQueryHeapInformation] [72006f00700072]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!RtlInt64ToUnicodeString] [6f006900740061]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!NtQueryObject] [2500720000006e]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!NtOpenDirectoryObject] [6c006900460001]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!NtQueryDirectoryObject] [73006500440065]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!NtOpenJobObject] [70006900720063]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!NtOpenProcess] [6e006f00690074]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!RtlCopyUnicodeString] [69005700000000]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!NtQueryVirtualMemory] [77006f0064006e]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!NtReadVirtualMemory] [69004400200073]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!NtQueryInformationProcess] [500020006b0073]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!NtQueryValueKey] [6f006600720065]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!RtlNtStatusToDosError] [6e0061006d0072]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!RtlAppendUnicodeToString] [4f002000650063]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!RtlInitUnicodeString] [630065006a0062]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!NtQuerySystemInformation] [44002000730074]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!NtOpenKey] [4c004c]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!NtGetContextThread] [46000100290072]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!NtClose] [560065006c0069]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!NtOpenThread] [69007300720065]
IAT C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe[1856] @ C:\WINDOWS\System32\perfproc.dll[ntdll.dll!RtlIntegerToUnicodeString] [6e006f]

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\system32\csrss.exe [744:2612] fffff9600088db90

---- Processes - GMER 2.1 ----

Library C:\ProgramData\Mobile Partner\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [1188](2013-11-10 16:47:00) 000000006fbc0000
Library C:\ProgramData\Mobile Partner\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [1188](2013-11-10 16:47:00) 000000006e940000
Library C:\ProgramData\Mobile Partner\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [1188](2013-11-10 16:47:00) 000000006a1c0000
Library C:\ProgramData\Mobile Partner\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [1188](2013-11-10 16:47:00) 000000006ff00000
Library C:\ProgramData\Mobile Partner\OnlineUpdate\QueryStrategy.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [1188](2013-11-10 16:47:00) 000000006efc0000
Library C:\ProgramData\Mobile Partner\OnlineUpdate\QtXml4.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [1188](2013-11-10 16:47:00) 000000006ed40000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [1668] 000000006fbc0000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [1668](2014-02-01 17:15:39) 000000006e940000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [1668](2 000000006a1c0000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [1668](2014-02-01 17:15:39) 000000006ff00000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QueryStrategy.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [1668](2014-02-01 17:15:40) 000000006efc0000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtXml4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [1668](201 000000006ed40000
Process C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe (*** suspicious ***) @ C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe [2332] (SW Update Agent/Samsung Electronics CO., LTD.)(2013-10-21 20:07:30) 00000000003c0000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----