GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-11 15:03:20
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0 298,09GB
Running: igb1mpzp.exe; Driver: C:\Users\Rafal_W\AppData\Local\Temp\uwloipow.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1792] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007765faa8 5 bytes JMP 00000001736c19b0
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1792] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077660038 5 bytes JMP 00000001736c2066
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076af1401 2 bytes JMP 7716b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076af1419 2 bytes JMP 7716b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076af1431 2 bytes JMP 771e8ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076af144a 2 bytes CALL 771448ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076af14dd 2 bytes JMP 771e87a2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076af14f5 2 bytes JMP 771e8978 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076af150d 2 bytes JMP 771e8698 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076af1525 2 bytes JMP 771e8a62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076af153d 2 bytes JMP 7715fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076af1555 2 bytes JMP 771668ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076af156d 2 bytes JMP 771e8f61 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076af1585 2 bytes JMP 771e8ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076af159d 2 bytes JMP 771e865c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076af15b5 2 bytes JMP 7715fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076af15cd 2 bytes JMP 7716b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076af16b2 2 bytes JMP 771e8e24 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076af16bd 2 bytes JMP 771e85f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Mail\wlmail.exe[5660] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076af1401 2 bytes JMP 7716b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Mail\wlmail.exe[5660] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076af1419 2 bytes JMP 7716b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Mail\wlmail.exe[5660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076af1431 2 bytes JMP 771e8ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Mail\wlmail.exe[5660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076af144a 2 bytes CALL 771448ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Windows Live\Mail\wlmail.exe[5660] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076af14dd 2 bytes JMP 771e87a2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Mail\wlmail.exe[5660] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076af14f5 2 bytes JMP 771e8978 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Mail\wlmail.exe[5660] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076af150d 2 bytes JMP 771e8698 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Mail\wlmail.exe[5660] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076af1525 2 bytes JMP 771e8a62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Mail\wlmail.exe[5660] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076af153d 2 bytes JMP 7715fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Mail\wlmail.exe[5660] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076af1555 2 bytes JMP 771668ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Mail\wlmail.exe[5660] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076af156d 2 bytes JMP 771e8f61 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Mail\wlmail.exe[5660] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076af1585 2 bytes JMP 771e8ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Mail\wlmail.exe[5660] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076af159d 2 bytes JMP 771e865c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Mail\wlmail.exe[5660] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076af15b5 2 bytes JMP 7715fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Mail\wlmail.exe[5660] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076af15cd 2 bytes JMP 7716b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Mail\wlmail.exe[5660] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076af16b2 2 bytes JMP 771e8e24 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Live\Mail\wlmail.exe[5660] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076af16bd 2 bytes JMP 771e85f1 C:\Windows\syswow64\kernel32.dll
? C:\Windows\system32\mssprxy.dll [5660] entry point in ".rdata" section 000000006b9671e6

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff8800448af00] \SystemRoot\system32\DRIVERS\klif.sys [PAGE]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[2268] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!FreeLibraryAndExitThread] [10002350] C:\Program Files (x86)\EgisTec\MyWinLocker 3\x64\psdprotect.dll
IAT C:\Windows\Explorer.EXE[2268] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateThread] [10003450] C:\Program Files (x86)\EgisTec\MyWinLocker 3\x64\psdprotect.dll
IAT C:\Windows\Explorer.EXE[2268] @ C:\Windows\system32\SHELL32.dll[KERNEL32.dll!LoadLibraryA] [100011e0] C:\Program Files (x86)\EgisTec\MyWinLocker 3\x64\psdprotect.dll

---- Threads - GMER 2.1 ----

Thread C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe [3532:3520] 0000000077692e65
Thread C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe [3532:5540] 0000000077693e85
Thread C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe [3532:4216] 000000006cdd8f48
Thread C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe [3532:1976] 0000000077693e85
Thread C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe [3532:860] 0000000077693e85

---- Processes - GMER 2.1 ----

Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{576573B4-11CF-44FF-8C1B-2098C3BF7FC3}\offreg.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [2888](2015-03-11 13:04:18) 000007fefa9b0000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- Files - GMER 2.1 ----

File C:\Users\Rafal_W\AppData\Local\Mozilla\Firefox\Profiles\j0huhezc.default-1426070250734\cache2\entries\39CC8AA9054EC6244CA281EEA4BD937517E2861D 0 bytes
File C:\Users\Rafal_W\AppData\Local\Mozilla\Firefox\Profiles\j0huhezc.default-1426070250734\cache2\entries\64E47DCEA12EC237CDD40D100FFEED0AE39CFEDD 0 bytes
File C:\Users\Rafal_W\AppData\Local\Mozilla\Firefox\Profiles\j0huhezc.default-1426070250734\cache2\entries\F7A4AA79F33BC12F04613C0FE6C586845A363756 0 bytes
File C:\Users\Rafal_W\AppData\Local\Mozilla\Firefox\Profiles\j0huhezc.default-1426070250734\cache2\entries\0C115963A4B7323BD71E7DBB97B46121D6FD17C0 34510 bytes
File C:\Users\Rafal_W\AppData\Local\Mozilla\Firefox\Profiles\j0huhezc.default-1426070250734\cache2\entries\42363866898F3F85307EEFC9E1595ABFCCAE4435 0 bytes
File C:\Users\Rafal_W\AppData\Local\Mozilla\Firefox\Profiles\j0huhezc.default-1426070250734\cache2\entries\B48E1F5086944893AF1DAC604260B0A07731566F 0 bytes
File C:\Users\Rafal_W\AppData\Local\Mozilla\Firefox\Profiles\j0huhezc.default-1426070250734\cache2\entries\0689AE44B98FB0AF780A10A9F18D31422020D6DD 0 bytes
File C:\Users\Rafal_W\AppData\Local\Mozilla\Firefox\Profiles\j0huhezc.default-1426070250734\cache2\entries\3DB8F3A6FC2B8FCA0C664227128387F263F02FF4 36559 bytes
File C:\Users\Rafal_W\AppData\Local\Mozilla\Firefox\Profiles\j0huhezc.default-1426070250734\cache2\entries\F4754352506FC40628E43C7372BFD1C938C0D50D 0 bytes
File C:\Users\Rafal_W\AppData\Local\Mozilla\Firefox\Profiles\j0huhezc.default-1426070250734\cache2\entries\37BA2275328C257622107A55C05D94544C50B3D1 0 bytes
File C:\Users\Rafal_W\AppData\Local\Mozilla\Firefox\Profiles\j0huhezc.default-1426070250734\cache2\entries\2E0C4058E084A83FFD5E59DF25634B4708213893 0 bytes

---- EOF - GMER 2.1 ----