GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-11-01 20:26:23
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS725050A9A364 rev.PC4OC72E 465,76GB
Running: 874n8nlo.exe; Driver: C:\Users\misiek\AppData\Local\Temp\ufldypod.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[1216] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076c41401 2 bytes JMP 76b6b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[1216] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076c41419 2 bytes JMP 76b6b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[1216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076c41431 2 bytes JMP 76be8fd1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[1216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076c4144a 2 bytes CALL 76b4489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[1216] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076c414dd 2 bytes JMP 76be88c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[1216] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076c414f5 2 bytes JMP 76be8aa0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[1216] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076c4150d 2 bytes JMP 76be87ba C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[1216] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076c41525 2 bytes JMP 76be8b8a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[1216] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076c4153d 2 bytes JMP 76b5fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[1216] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076c41555 2 bytes JMP 76b668ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[1216] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076c4156d 2 bytes JMP 76be9089 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[1216] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076c41585 2 bytes JMP 76be8bea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[1216] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076c4159d 2 bytes JMP 76be877e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[1216] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076c415b5 2 bytes JMP 76b5fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[1216] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076c415cd 2 bytes JMP 76b6b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[1216] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076c416b2 2 bytes JMP 76be8f4c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[1216] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076c416bd 2 bytes JMP 76be8713 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2104] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076c41401 2 bytes JMP 76b6b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2104] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076c41419 2 bytes JMP 76b6b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2104] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076c41431 2 bytes JMP 76be8fd1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2104] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076c4144a 2 bytes CALL 76b4489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2104] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076c414dd 2 bytes JMP 76be88c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2104] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076c414f5 2 bytes JMP 76be8aa0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2104] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076c4150d 2 bytes JMP 76be87ba C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2104] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076c41525 2 bytes JMP 76be8b8a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2104] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076c4153d 2 bytes JMP 76b5fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2104] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076c41555 2 bytes JMP 76b668ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2104] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076c4156d 2 bytes JMP 76be9089 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2104] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076c41585 2 bytes JMP 76be8bea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2104] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076c4159d 2 bytes JMP 76be877e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2104] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076c415b5 2 bytes JMP 76b5fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2104] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076c415cd 2 bytes JMP 76b6b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2104] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076c416b2 2 bytes JMP 76be8f4c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2104] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076c416bd 2 bytes JMP 76be8713 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1220] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076c41401 2 bytes JMP 76b6b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1220] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076c41419 2 bytes JMP 76b6b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076c41431 2 bytes JMP 76be8fd1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076c4144a 2 bytes CALL 76b4489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1220] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076c414dd 2 bytes JMP 76be88c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1220] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076c414f5 2 bytes JMP 76be8aa0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1220] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076c4150d 2 bytes JMP 76be87ba C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1220] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076c41525 2 bytes JMP 76be8b8a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1220] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076c4153d 2 bytes JMP 76b5fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1220] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076c41555 2 bytes JMP 76b668ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1220] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076c4156d 2 bytes JMP 76be9089 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1220] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076c41585 2 bytes JMP 76be8bea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1220] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076c4159d 2 bytes JMP 76be877e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1220] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076c415b5 2 bytes JMP 76b5fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1220] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076c415cd 2 bytes JMP 76b6b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1220] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076c416b2 2 bytes JMP 76be8f4c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1220] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076c416bd 2 bytes JMP 76be8713 C:\Windows\syswow64\kernel32.dll

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0027139b7b85 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9CE61A64-54A4-4ED5-AE85-51DD21CB8129}\Connection@Name isatap.{90A29E0A-45CC-44E4-9648-6B9B8153C9EF}
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{9CE61A64-54A4-4ED5-AE85-51DD21CB8129}?\Device\{879C5D6B-E046-4BD5-AD95-6F97200DD15F}?\Device\{E7601F35-001D-4A75-BAC9-72055DCEC2E3}?\Device\{80F96960-AADE-4E33-BDCB-BF6E570E1FA2}?\Device\{33E3BF37-5556-4F90-BEA6-E235B7D576A8}?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{9CE61A64-54A4-4ED5-AE85-51DD21CB8129}"?"{879C5D6B-E046-4BD5-AD95-6F97200DD15F}"?"{E7601F35-001D-4A75-BAC9-72055DCEC2E3}"?"{80F96960-AADE-4E33-BDCB-BF6E570E1FA2}"?"{33E3BF37-5556-4F90-BEA6-E235B7D576A8}"?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{9CE61A64-54A4-4ED5-AE85-51DD21CB8129}?\Device\TCPIP6TUNNEL_{879C5D6B-E046-4BD5-AD95-6F97200DD15F}?\Device\TCPIP6TUNNEL_{E7601F35-001D-4A75-BAC9-72055DCEC2E3}?\Device\TCPIP6TUNNEL_{80F96960-AADE-4E33-BDCB-BF6E570E1FA2}?\Device\TCPIP6TUNNEL_{33E3BF37-5556-4F90-BEA6-E235B7D576A8}?
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e6465c8
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0027139b7b85
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0027139b7b85@485929116f95 0x1A 0xA5 0x5C 0xD6 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{9CE61A64-54A4-4ED5-AE85-51DD21CB8129}@InterfaceName isatap.{90A29E0A-45CC-44E4-9648-6B9B8153C9EF}
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{9CE61A64-54A4-4ED5-AE85-51DD21CB8129}@ReusableType 0
Reg HKLM\SYSTEM\ControlSet004\services\BTHPORT\Parameters\Keys\00247e6465c8 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\services\BTHPORT\Parameters\Keys\0027139b7b85 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\services\BTHPORT\Parameters\Keys\0027139b7b85@485929116f95 0x1A 0xA5 0x5C 0xD6 ...

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----