GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-09-02 20:36:19
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000051 PLEXTOR_ rev.1.03 119,24GB
Running: c31lggwj.exe; Driver: C:\Users\Beatka\AppData\Local\Temp\awrdipob.sys


---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\BlueStacks\HD-Service.exe[2312] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17  0000000075631401 2 bytes JMP 75c8b20b C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\BlueStacks\HD-Service.exe[2312] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17  0000000075631419 2 bytes JMP 75c8b336 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\BlueStacks\HD-Service.exe[2312] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17  0000000075631431 2 bytes JMP 75d08f39 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\BlueStacks\HD-Service.exe[2312] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42  000000007563144a 2 bytes CALL 75c64885 C:\Windows\syswow64\KERNEL32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\BlueStacks\HD-Service.exe[2312] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17  00000000756314dd 2 bytes JMP 75d08832 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\BlueStacks\HD-Service.exe[2312] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17  00000000756314f5 2 bytes JMP 75d08a08 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\BlueStacks\HD-Service.exe[2312] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17  000000007563150d 2 bytes JMP 75d08728 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\BlueStacks\HD-Service.exe[2312] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17  0000000075631525 2 bytes JMP 75d08af2 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\BlueStacks\HD-Service.exe[2312] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17  000000007563153d 2 bytes JMP 75c7fc98 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\BlueStacks\HD-Service.exe[2312] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17  0000000075631555 2 bytes JMP 75c868df C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\BlueStacks\HD-Service.exe[2312] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17  000000007563156d 2 bytes JMP 75d08ff1 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\BlueStacks\HD-Service.exe[2312] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17  0000000075631585 2 bytes JMP 75d08b52 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\BlueStacks\HD-Service.exe[2312] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17  000000007563159d 2 bytes JMP 75d086ec C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\BlueStacks\HD-Service.exe[2312] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17  00000000756315b5 2 bytes JMP 75c7fd31 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\BlueStacks\HD-Service.exe[2312] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17  00000000756315cd 2 bytes JMP 75c8b2cc C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\BlueStacks\HD-Service.exe[2312] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20  00000000756316b2 2 bytes JMP 75d08eb4 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\BlueStacks\HD-Service.exe[2312] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31  00000000756316bd 2 bytes JMP 75d08681 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Windows\SysWOW64\msiexec.exe[4604] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection  00000000770ffc90 5 bytes JMP 000000007ef938b1
.text  C:\Windows\SysWOW64\msiexec.exe[4604] C:\Windows\syswow64\ws2_32.dll!GetAddrInfoW  0000000074ea4889 5 bytes JMP 0000000100221370
?      C:\Windows\system32\mssprxy.dll [5812] entry point in ".rdata" section  0000000073b471e6

---- Threads - GMER 2.1 ----

Thread  C:\Windows\SysWOW64\msiexec.exe [4604:3884]  000000007ef9392e

---- Processes - GMER 2.1 ----

Library  C:\Users\Beatka\AppData\Local\Temp\cdo3939629947.dll (*** suspicious ***) @ C:\Windows\SysWOW64\msiexec.exe [4604] (Microsoft CDO for Windows Library/Microsoft Corporation)(2015-09-02 10:19:27)  0000000000220000
Library  C:\Users\Beatka\AppData\Local\Temp\nsu80B2.tmp\Registry.dll (*** suspicious ***) @ C:\Intel\Logs\ADOBE Photoshop CS6 Portable [PL]\PhotoshopCS6Portable.exe [5812](2015-09-02 10:54:04)  0000000010000000
Library  C:\Users\Beatka\AppData\Local\Temp\nsu80B2.tmp\newadvsplash.dll (*** suspicious ***) @ C:\Intel\Logs\ADOBE Photoshop CS6 Portable [PL]\PhotoshopCS6Portable.exe [5812](2015-09-02 10:54:05)  0000000001cc0000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4cbb58274b18
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\543530a4a532
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4cbb58274b18 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\543530a4a532 (not active ControlSet)

---- Files - GMER 2.1 ----

File  C:\Users\Beatka\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom_new  10770740 bytes
File  C:\Users\Beatka\AppData\Local\Google\Chrome\User Data\Safe Browsing Csd Whitelist_new  0 bytes
File  C:\Users\Beatka\AppData\Local\Google\Chrome\User Data\Safe Browsing Download Whitelist_new  0 bytes
File  C:\Users\Beatka\AppData\Local\Google\Chrome\User Data\Safe Browsing Extension Blacklist_new  0 bytes
File  C:\Users\Beatka\AppData\Local\Google\Chrome\User Data\Safe Browsing Inclusion Whitelist_new  0 bytes
File  C:\Users\Beatka\AppData\Local\Google\Chrome\User Data\Safe Browsing IP Blacklist_new  0 bytes
File  C:\Users\Beatka\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List_new  0 bytes

---- EOF - GMER 2.1 ----