GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-05 13:51:20
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JE3O 465,76GB
Running: 5rz2glmf.exe; Driver: C:\Users\Jarek\AppData\Local\Temp\ugtyrpow.sys


---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 448  fffff800037b9000 59 bytes [0E, 8B, 11, 48, 8B, 49, 08, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 508  fffff800037b903c 10 bytes [5E, 2C, 83, C9, FF, 89, 8B, ...]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1828] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  00000000765f1401 2 bytes JMP 74c2b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1828] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  00000000765f1419 2 bytes JMP 74c2b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  00000000765f1431 2 bytes JMP 74ca8ea9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  00000000765f144a 2 bytes CALL 74c048ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1828] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000765f14dd 2 bytes JMP 74ca87a2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1828] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000765f14f5 2 bytes JMP 74ca8978 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1828] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  00000000765f150d 2 bytes JMP 74ca8698 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1828] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  00000000765f1525 2 bytes JMP 74ca8a62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1828] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  00000000765f153d 2 bytes JMP 74c1fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1828] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  00000000765f1555 2 bytes JMP 74c268ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1828] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  00000000765f156d 2 bytes JMP 74ca8f61 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1828] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  00000000765f1585 2 bytes JMP 74ca8ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1828] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  00000000765f159d 2 bytes JMP 74ca865c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1828] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000765f15b5 2 bytes JMP 74c1fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1828] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000765f15cd 2 bytes JMP 74c2b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1828] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000765f16b2 2 bytes JMP 74ca8e24 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1828] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000765f16bd 2 bytes JMP 74ca85f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[2636] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  00000000765f1401 2 bytes JMP 74c2b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[2636] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  00000000765f1419 2 bytes JMP 74c2b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[2636] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  00000000765f1431 2 bytes JMP 74ca8ea9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[2636] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  00000000765f144a 2 bytes CALL 74c048ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[2636] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000765f14dd 2 bytes JMP 74ca87a2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[2636] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000765f14f5 2 bytes JMP 74ca8978 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[2636] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  00000000765f150d 2 bytes JMP 74ca8698 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[2636] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  00000000765f1525 2 bytes JMP 74ca8a62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[2636] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  00000000765f153d 2 bytes JMP 74c1fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[2636] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  00000000765f1555 2 bytes JMP 74c268ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[2636] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  00000000765f156d 2 bytes JMP 74ca8f61 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[2636] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  00000000765f1585 2 bytes JMP 74ca8ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[2636] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  00000000765f159d 2 bytes JMP 74ca865c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[2636] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000765f15b5 2 bytes JMP 74c1fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[2636] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000765f15cd 2 bytes JMP 74c2b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[2636] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000765f16b2 2 bytes JMP 74ca8e24 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[2636] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000765f16bd 2 bytes JMP 74ca85f1 C:\Windows\syswow64\kernel32.dll
?      C:\Windows\system32\mssprxy.dll [2764] entry point in ".rdata" section 00000000708d71e6

---- Threads - GMER 2.1 ----

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4568:3304]  000007fefb2d2bf8
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4568:2736]  000007fee893cf60
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4568:2356]  000007fee88a1b54
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4568:2292]  000007fee893cf60

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch  18463

---- Files - GMER 2.1 ----

File  C:\Users\Jarek\Desktop\~$test.docx  162 bytes
File  C:\Users\Jarek\Desktop\~WRD0002.tmp  9874 bytes

---- EOF - GMER 2.1 ----