GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-05-02 13:13:13 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 KINGSTON rev.506A 111,79GB Running: diz0xzjy.exe; Driver: C:\Users\Admin\AppData\Local\Temp\awddakob.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000164c00 7 bytes [00, 93, F3, FF, 41, A4, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000164c08 3 bytes [00, 07, 02] ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1632] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075b41401 2 bytes JMP 773ab1ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1632] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075b41419 2 bytes JMP 773ab31a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075b41431 2 bytes JMP 77428f09 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075b4144a 2 bytes CALL 77384885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1632] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075b414dd 2 bytes JMP 77428802 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1632] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075b414f5 2 bytes JMP 774289d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1632] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075b4150d 2 bytes JMP 774286f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1632] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075b41525 2 bytes JMP 77428ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1632] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075b4153d 2 bytes JMP 7739fc78 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1632] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075b41555 2 bytes JMP 773a68bf C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1632] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075b4156d 2 bytes JMP 77428fc1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1632] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075b41585 2 bytes JMP 77428b22 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1632] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075b4159d 2 bytes JMP 774286bc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1632] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075b415b5 2 bytes JMP 7739fd11 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1632] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075b415cd 2 bytes JMP 773ab2b0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1632] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075b416b2 2 bytes JMP 77428e84 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1632] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075b416bd 2 bytes JMP 77428651 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd9e3460 7 bytes JMP 000007fffd9d00d8 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd9fa590 6 bytes JMP 000007fffd9d0148 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd9fac00 5 bytes JMP 000007fffd9d0180 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd9fada0 5 bytes JMP 000007fffd9d0110 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe3689e0 8 bytes JMP 000007fffd9d01f0 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe36be40 8 bytes JMP 000007fffd9d01b8 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef737dc88 5 bytes JMP 000007fff70c00d8 .text C:\Windows\system32\Dwm.exe[2612] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef737de10 5 bytes JMP 000007fff70c0110 ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [1100:1696] 000007fefb978274 Thread C:\Windows\system32\svchost.exe [1100:2440] 000007fefb978274 Thread C:\Windows\System32\svchost.exe [3908:4572] 000007fefbaa9688 ---- Processes - GMER 2.1 ---- Library c:\users\admin\appdata\local\temp\7zs7b0b\hpslpsvc64.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [3568] (HP Network Devices Support/Hewlett-Packard Co.)(2013-09-03 20:11:58) 0000000180000000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68b818b8 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68b818b8@00037aa344ea 0x9C 0xE6 0xEF 0xB3 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68b818b8 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68b818b8@00037aa344ea 0x9C 0xE6 0xEF 0xB3 ... Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y2278D7Q\LoguĊ\x203a - Komputerowe Gry Logopedyczne (1).exe 1 ---- EOF - GMER 2.1 ----