GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-05-19 21:08:53
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000LM024_HN-M101MBB rev.2AR10001 931,51GB
Running: r5494jp5.exe; Driver: C:\Users\Lewy\AppData\Local\Temp\kxldapob.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528  fffff800033af000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575  fffff800033af02f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2112] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW  0000000074f61f0e 7 bytes JMP 0000000172801690
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2112] C:\Windows\syswow64\kernel32.dll!RegSetValueExW  0000000074f65bad 7 bytes JMP 00000001728011a4
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2112] C:\Windows\syswow64\kernel32.dll!RegSetValueExA  0000000074f71409 7 bytes JMP 0000000172801285
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2112] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW  0000000074f7ea45 7 bytes JMP 000000017280123f
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2112] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW  0000000074f8b21b 5 bytes JMP 00000001728015a5
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2112] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx  0000000075008e24 7 bytes JMP 0000000172801334
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2112] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation  0000000075008ea9 5 bytes JMP 00000001728016d1
.text  C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2112] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW  00000000750091ff 5 bytes JMP 0000000172801708
.text  C:\Program Files (x86)\GamingMouse\hid.exe[2128] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW  0000000074f61f0e 7 bytes JMP 0000000172801690
.text  C:\Program Files (x86)\GamingMouse\hid.exe[2128] C:\Windows\syswow64\kernel32.dll!RegSetValueExW  0000000074f65bad 7 bytes JMP 00000001728011a4
.text  C:\Program Files (x86)\GamingMouse\hid.exe[2128] C:\Windows\syswow64\kernel32.dll!RegSetValueExA  0000000074f71409 7 bytes JMP 0000000172801285
.text  C:\Program Files (x86)\GamingMouse\hid.exe[2128] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW  0000000074f7ea45 7 bytes JMP 000000017280123f
.text  C:\Program Files (x86)\GamingMouse\hid.exe[2128] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW  0000000074f8b21b 5 bytes JMP 00000001728015a5
.text  C:\Program Files (x86)\GamingMouse\hid.exe[2128] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx  0000000075008e24 7 bytes JMP 0000000172801334
.text  C:\Program Files (x86)\GamingMouse\hid.exe[2128] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation  0000000075008ea9 5 bytes JMP 00000001728016d1
.text  C:\Program Files (x86)\GamingMouse\hid.exe[2128] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW  00000000750091ff 5 bytes JMP 0000000172801708
.text  C:\ProgramData\DatacardService\DCSHelper.exe[2288] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW  0000000074f61f0e 7 bytes JMP 0000000172801690
.text  C:\ProgramData\DatacardService\DCSHelper.exe[2288] C:\Windows\syswow64\kernel32.dll!RegSetValueExW  0000000074f65bad 7 bytes JMP 00000001728011a4
.text  C:\ProgramData\DatacardService\DCSHelper.exe[2288] C:\Windows\syswow64\kernel32.dll!RegSetValueExA  0000000074f71409 7 bytes JMP 0000000172801285
.text  C:\ProgramData\DatacardService\DCSHelper.exe[2288] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW  0000000074f7ea45 7 bytes JMP 000000017280123f
.text  C:\ProgramData\DatacardService\DCSHelper.exe[2288] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW  0000000074f8b21b 5 bytes JMP 00000001728015a5
.text  C:\ProgramData\DatacardService\DCSHelper.exe[2288] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx  0000000075008e24 7 bytes JMP 0000000172801334
.text  C:\ProgramData\DatacardService\DCSHelper.exe[2288] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation  0000000075008ea9 5 bytes JMP 00000001728016d1
.text  C:\ProgramData\DatacardService\DCSHelper.exe[2288] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW  00000000750091ff 5 bytes JMP 0000000172801708
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3288] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322  00000000725e1a22 2 bytes [5E, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3288] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496  00000000725e1ad0 2 bytes [5E, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3288] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552  00000000725e1b08 2 bytes [5E, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3288] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730  00000000725e1bba 2 bytes [5E, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3288] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762  00000000725e1bda 2 bytes [5E, 72]
.text  D:\DOWNLOADS\r5494jp5.exe[4868] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW  0000000074f61f0e 7 bytes JMP 0000000172801690
.text  D:\DOWNLOADS\r5494jp5.exe[4868] C:\Windows\syswow64\kernel32.dll!RegSetValueExW  0000000074f65bad 7 bytes JMP 00000001728011a4
.text  D:\DOWNLOADS\r5494jp5.exe[4868] C:\Windows\syswow64\kernel32.dll!RegSetValueExA  0000000074f71409 7 bytes JMP 0000000172801285
.text  D:\DOWNLOADS\r5494jp5.exe[4868] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW  0000000074f7ea45 7 bytes JMP 000000017280123f
.text  D:\DOWNLOADS\r5494jp5.exe[4868] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW  0000000074f8b21b 5 bytes JMP 00000001728015a5
.text  D:\DOWNLOADS\r5494jp5.exe[4868] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx  0000000075008e24 7 bytes JMP 0000000172801334
.text  D:\DOWNLOADS\r5494jp5.exe[4868] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation  0000000075008ea9 5 bytes JMP 00000001728016d1
.text  D:\DOWNLOADS\r5494jp5.exe[4868] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW  00000000750091ff 5 bytes JMP 0000000172801708
.text  D:\DOWNLOADS\r5494jp5.exe[4868] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW  00000000750a1d29 5 bytes JMP 00000001728011bd
.text  D:\DOWNLOADS\r5494jp5.exe[4868] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW  00000000750a1dd7 5 bytes JMP 0000000172801014
.text  D:\DOWNLOADS\r5494jp5.exe[4868] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW  00000000750a2ab1 5 bytes JMP 0000000172801550
.text  D:\DOWNLOADS\r5494jp5.exe[4868] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary  00000000750a2d17 5 bytes JMP 000000017280126c
.text  D:\DOWNLOADS\r5494jp5.exe[4868] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList  000000007543e96b 5 bytes JMP 00000001728015be
.text  D:\DOWNLOADS\r5494jp5.exe[4868] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo  000000007543eba5 5 bytes JMP 0000000172801181
.text  D:\DOWNLOADS\r5494jp5.exe[4868] C:\Windows\syswow64\USER32.dll!CreateWindowExW  0000000076be8a29 5 bytes JMP 0000000172801721
.text  D:\DOWNLOADS\r5494jp5.exe[4868] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA  0000000076bf4572 5 bytes JMP 000000017280109b
.text  D:\DOWNLOADS\r5494jp5.exe[4868] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW  0000000076c0e567 5 bytes JMP 0000000172801410
.text  D:\DOWNLOADS\r5494jp5.exe[4868] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo  0000000076c47a5c 5 bytes JMP 00000001728015cd
.text  D:\DOWNLOADS\r5494jp5.exe[4868] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket  0000000075655ea5 5 bytes JMP 00000001728015f5
.text  D:\DOWNLOADS\r5494jp5.exe[4868] C:\Windows\syswow64\ole32.dll!CoCreateInstance  0000000075689d0b 5 bytes JMP 0000000172801217

---- Processes - GMER 2.1 ----

Library  C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3272](2  000000006a1c0000
Library  C:\ProgramData\PLAY ONLINE\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3272]  000000006fbc0000
Library  C:\ProgramData\PLAY ONLINE\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3272](2015-01-17 21:40:41)  000000006e940000
Library  C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3272](2015-01-17 21:40:41)  000000006ff00000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\2016d8da45c9
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\2016d8da45c9 (not active ControlSet)

---- EOF - GMER 2.1 ----