GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-11-01 22:15:08
Windows 6.1.7600 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2 ST310005 rev.CC38 931,51GB
Running: wqtbpdgy.exe; Driver: C:\Users\Marek\AppData\Local\Temp\kwddikog.sys


---- User code sections - GMER 2.1 ----

.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1732]   C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter   000000007559d03c 4 bytes [C2, 04, 00, 00]
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1732]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076b91465 2 bytes [B9, 76]
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1732]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000076b914bb 2 bytes [B9, 76]
.text   ...   * 2
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1848]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076b91465 2 bytes [B9, 76]
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1848]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000076b914bb 2 bytes [B9, 76]
.text   ...   * 2
.text   C:\Windows\SysWOW64\PnkBstrA.exe[1932]   C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322   00000000732d1a22 2 bytes [2D, 73]
.text   C:\Windows\SysWOW64\PnkBstrA.exe[1932]   C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496   00000000732d1ad0 2 bytes [2D, 73]
.text   C:\Windows\SysWOW64\PnkBstrA.exe[1932]   C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552   00000000732d1b08 2 bytes [2D, 73]
.text   C:\Windows\SysWOW64\PnkBstrA.exe[1932]   C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730   00000000732d1bba 2 bytes [2D, 73]
.text   C:\Windows\SysWOW64\PnkBstrA.exe[1932]   C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762   00000000732d1bda 2 bytes [2D, 73]
.text   C:\Users\Marek\AppData\Roaming\uTorrent\uTorrent.exe[3780]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076b91465 2 bytes [B9, 76]
.text   C:\Users\Marek\AppData\Roaming\uTorrent\uTorrent.exe[3780]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000076b914bb 2 bytes [B9, 76]
.text   ...   * 2
.text   C:\Users\Marek\AppData\Local\Flvto Youtube Downloader\FlvtoYoutubeDownloader.exe[3792]   C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69   0000000076b91465 2 bytes [B9, 76]
.text   C:\Users\Marek\AppData\Local\Flvto Youtube Downloader\FlvtoYoutubeDownloader.exe[3792]   C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155   0000000076b914bb 2 bytes [B9, 76]
.text   ...   * 2
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[3812]   C:\Windows\syswow64\ole32.dll!CoCreateInstance   0000000076c3590c 5 bytes JMP 00000001100077f0
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[3812]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076b91465 2 bytes [B9, 76]
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[3812]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000076b914bb 2 bytes [B9, 76]
.text   ...   * 2
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[3812]   C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35   00000000637611a8 2 bytes [76, 63]
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[3812]   C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21   00000000637613a8 2 bytes [76, 63]
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[3812]   C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21   0000000063761422 2 bytes [76, 63]
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[3812]   C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19   0000000063761498 2 bytes [76, 63]
.text   C:\Users\Marek\AppData\Local\Viber\Viber.exe[3832]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076b91465 2 bytes [B9, 76]
.text   C:\Users\Marek\AppData\Local\Viber\Viber.exe[3832]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000076b914bb 2 bytes [B9, 76]
.text   ...   * 2
.text   C:\Users\Marek\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe[3132]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076b91465 2 bytes [B9, 76]
.text   C:\Users\Marek\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe[3132]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000076b914bb 2 bytes [B9, 76]
.text   ...   * 2
.text   C:\Users\Marek\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe[3112]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076b91465 2 bytes [B9, 76]
.text   C:\Users\Marek\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe[3112]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000076b914bb 2 bytes [B9, 76]
.text   ...   * 2
.text   C:\Users\Marek\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe[1500]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076b91465 2 bytes [B9, 76]
.text   C:\Users\Marek\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe[1500]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000076b914bb 2 bytes [B9, 76]
.text   ...   * 2

---- Processes - GMER 2.1 ----

Process   C:\ASUS.SYS\config\DVMExportService.exe (*** suspicious ***) @ C:\ASUS.SYS\config\DVMExportService.exe [1676] (Windows Metadata Export Service/DeviceVM, Inc.)(2009-10-16 09:42:48)   0000000000400000
Process   C:\Users\Marek\AppData\Local\Flvto Youtube Downloader\FlvtoYoutubeDownloader.exe (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Flvto Youtube Downloader\FlvtoYoutubeDownloader.exe [3792] (Flvto Youtube Downloader/Hotger)(2014-11-26 15:02:18)   0000000001170000
Library   C:\Users\Marek\AppData\Local\Viber\qfacebook.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832](2015-09-10 16   0000000074f10000
Library   C:\Users\Marek\AppData\Local\Viber\Qt5Core.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-07-29 06:31:26)   00000000711e0000
Library   C:\Users\Marek\AppData\Local\Viber\icuin54.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (ICU I18N DLL/The ICU Project)(2015-03-13 22:11:40)   000000004a900000
Library   C:\Users\Marek\AppData\Local\Viber\icuuc54.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (ICU Common DLL/The ICU Project)(2015-03-13 22:09:36)   0000000000190000
Library   C:\Users\Marek\AppData\Local\Viber\icudt54.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (ICU Data DLL/The ICU Project)(2015-03-13 22:14:52)   000000006f570000
Library   C:\Users\Marek\AppData\Local\Viber\Qt5Network.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-07-29 06:32:06)   000000006f210000
Library   C:\Users\Marek\AppData\Local\Viber\Qt5Gui.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-08-12 13:33:04)   000000006ed60000
Library   C:\Users\Marek\AppData\Local\Viber\Qt5Widgets.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-08-12 13:33:52)   000000006e920000
Library   C:\Users\Marek\AppData\Local\Viber\Qt5WebChannel.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-07-29 06:40:38)   0000000074db0000
Library   C:\Users\Marek\AppData\Local\Viber\Qt5Qml.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-08-12 13:35:36)   000000006e4d0000
Library   C:\Users\Marek\AppData\Local\Viber\Qt5WebEngineWidgets.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-07-29 08:54:12)   0000000071c70000
Library   C:\Users\Marek\AppData\Local\Viber\Qt5WebEngine.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-07-29 08:53:56)   000000006d010000
Library   C:\Users\Marek\AppData\Local\Viber\Qt5Quick.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-08-12 13:36:26)   000000006bff0000
Library   C:\Users\Marek\AppData\Local\Viber\Qt5WebEngineCore.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-08-31 11:13:34)   0000000068c20000
Library   C:\Users\Marek\AppData\Local\Viber\Qt5Positioning.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-07-29 06:40:08)   000000006cd30000
Library   C:\Users\Marek\AppData\Local\Viber\Qt5Sql.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-07-29 06:31:50)   000000006cc60000
Library   C:\Users\Marek\AppData\Local\Viber\Qt5QuickWidgets.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-07-29 06:38:30)   000000006cc50000
Library   C:\Users\Marek\AppData\Local\Viber\Qt5Multimedia.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-07-29 06:40:38)   0000000068b90000
Library   C:\Users\Marek\AppData\Local\Viber\platforms\qwindows.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-08-31 10:30:02)   00000000664c0000
Library   C:\Users\Marek\AppData\Local\Viber\imageformats\qdds.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-07-29 06:34:34)   0000000064740000
Library   C:\Users\Marek\AppData\Local\Viber\imageformats\qgif.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-07-29 06:34:10)   0000000064730000
Library   C:\Users\Marek\AppData\Local\Viber\imageformats\qicns.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-07-29 06:34:42)   00000000646c0000
Library   C:\Users\Marek\AppData\Local\Viber\imageformats\qico.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-07-29 06:34:10)   00000000646b0000
Library   C:\Users\Marek\AppData\Local\Viber\imageformats\qjp2.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-07-29 06:34:46)   0000000064630000
Library   C:\Users\Marek\AppData\Local\Viber\imageformats\qjpeg.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-08-12 13:34:22)   0000000064570000
Library   C:\Users\Marek\AppData\Local\Viber\imageformats\qmng.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-07-29 06:34:42)   0000000064470000
Library   C:\Users\Marek\AppData\Local\Viber\imageformats\qsvg.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832](2015-09-10 16:38:24)   0000000064400000
Library   C:\Users\Marek\AppData\Local\Viber\imageformats\qtga.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-07-29 06:34:42)   0000000063990000
Library   C:\Users\Marek\AppData\Local\Viber\imageformats\qtiff.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-07-29 06:34:44)   00000000643b0000
Library   C:\Users\Marek\AppData\Local\Viber\imageformats\qwbmp.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-07-29 06:34:42)   00000000643a0000
Library   C:\Users\Marek\AppData\Local\Viber\imageformats\qwebp.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-07-29 06:34:44)   0000000064340000
Library   C:\Users\Marek\AppData\Local\Viber\QtQuick.2\qtquick2plugin.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832](2015-07-29 06:38:50)   0000000064060000
Library   C:\Users\Marek\AppData\Local\Viber\QtQuick\Controls\qtquickcontrolsplugin.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832](2015-07-29 06:39:22)   0000000063fb0000
Library   C:\Users\Marek\AppData\Local\Viber\QtQuick\Layouts\qquicklayoutsplugin.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832](2015-07-29 06:39:52)   0000000063f90000
Library   C:\Users\Marek\AppData\Local\Viber\QtQuick\Window.2\windowplugin.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832](2015-07-29 06:38:52)   0000000063f60000
Library   C:\Users\Marek\AppData\Local\Viber\QtLocation\declarative_location.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832](2015-08-12 13:37:02)   0000000063ef0000
Library   C:\Users\Marek\AppData\Local\Viber\Qt5Location.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-07-29 06:40:42)   0000000063e90000
Library   C:\Users\Marek\AppData\Local\Viber\QtPositioning\declarative_positioning.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832](2015-07-29 06:40:56)   0000000063e70000
Library   C:\Users\Marek\AppData\Local\Viber\QtMultimedia\declarative_multimedia.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832](2015-07-29 06:41:46)   0000000063920000
Library   C:\Users\Marek\AppData\Local\Viber\Qt5MultimediaQuick_p.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832] (C++ application development framework./The Qt Company Ltd)(2015-07-29 06:41:00)   0000000063900000
Library   C:\Users\Marek\AppData\Local\Viber\QtQml\StateMachine\qtqmlstatemachine.dll (*** suspicious ***) @ C:\Users\Marek\AppData\Local\Viber\Viber.exe [3832](2015-07-29 06:38:52)   0000000063e60000
Library   C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\sqlite3.dll (*** suspicious ***) @ C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe [3884](2009-06-27 09:11:12)   0000000060900000
Process   C:\Users\Marek\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe (*** suspicious ***) @ C:\Users\Marek\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe [3132] (WebHelper/BitTorrent Inc.)(2015-10-15 07:41:19)   0000000001030000
Process   C:\Users\Marek\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe (*** suspicious ***) @ C:\Users\Marek\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe [3112] (WebHelper/BitTorrent Inc.)(2015-10-15 07:41:19)   0000000001030000
Process   C:\Users\Marek\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe (*** suspicious ***) @ C:\Users\Marek\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe [1500] (WebHelper/BitTorrent Inc.)(2015-10-15 07:41:19)   0000000001030000

---- Registry - GMER 2.1 ----

Reg   HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001122987654
Reg   HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001122987654@041bbae7c5bc   0x42 0xA0 0x34 0x7B ...
Reg   HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001122987654@5c17d34f47d7   0x53 0xDE 0x16 0x57 ...
Reg   HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg   HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0   0x00 0x00 0x00 0x00 ...
Reg   HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0   0
Reg   HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12   0xFB 0x38 0x5F 0x0D ...
Reg   HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001122987654 (not active ControlSet)
Reg   HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001122987654@041bbae7c5bc   0x42 0xA0 0x34 0x7B ...
Reg   HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001122987654@5c17d34f47d7   0x53 0xDE 0x16 0x57 ...
Reg   HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg   HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0   0x00 0x00 0x00 0x00 ...
Reg   HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0   0
Reg   HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12   0xFB 0x38 0x5F 0x0D ...

---- EOF - GMER 2.1 ----
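The "User code sections" block above lists dozens of in-memory patches, but most of them are the same two bytes at the same offset of the same export, repeated once per process. What a triager wants from such a log is the list of distinct hook signatures (module, export, offset, size, patched bytes) and which processes each one appears in, with genuine inline detours (a 5-byte `JMP` to another address, as on `ole32.dll!CoCreateInstance` in Skype.exe) separated from short byte patches. The following parser is an added example and is not GMER's own code; the sample lines are copied from the log above, and the reading of a `.text ... * N` line as "N further entries for the preceding process were collapsed by GMER" is an assumption about the format.

```python
"""Parse the 'User code sections' block of a GMER 2.1 log and group hooks by signature.
Added example; not part of GMER. Sample input below is copied from the log on this page."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# .text <process path>[pid]   <dll>!<export>[ + offset]   <address> <n> bytes <patch>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+)!(?P<symbol>\w+)(?:\s*\+\s*(?P<offset>\d+))?\s+"
    r"(?P<address>[0-9a-fA-F]{16})\s+(?P<size>\d+) bytes\s+(?P<patch>.+?)\s*$"
)
# Assumed meaning: GMER collapsed N more entries for the preceding process.
ELIDED_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s*(?P<count>\d+)\s*$")
JMP_RE = re.compile(r"^JMP\s+([0-9a-fA-F]+)$")


@dataclass
class Hook:
    process: str          # full image path, without the [pid]
    pid: int
    module: str           # hooked DLL path as printed by GMER
    symbol: str
    offset: int           # bytes past the export; 0 when GMER printed none
    address: int
    size: int
    patch: str            # "[B9, 76]" or "JMP 00000001100077f0"
    detour_target: Optional[int] = None   # only for JMP patches

    @property
    def image(self) -> str:
        return self.process.rsplit("\\", 1)[-1]

    @property
    def signature(self) -> str:
        """Process-independent key: same DLL, export, offset, size and bytes.
        One signature recurring across unrelated processes usually has one cause."""
        mod = self.module.rsplit("\\", 1)[-1].lower()
        return f"{mod}!{self.symbol}+{self.offset} {self.size}b {self.patch}"


def parse_user_code_section(text: str) -> Tuple[List[Hook], Dict[str, int]]:
    hooks: List[Hook] = []
    elided: Dict[str, int] = defaultdict(int)
    last_process: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            patch = m.group("patch")
            jmp = JMP_RE.match(patch)
            hook = Hook(
                process=m.group("process"), pid=int(m.group("pid")),
                module=m.group("module"), symbol=m.group("symbol"),
                offset=int(m.group("offset") or 0), address=int(m.group("address"), 16),
                size=int(m.group("size")), patch=patch,
                detour_target=int(jmp.group(1), 16) if jmp else None,
            )
            hooks.append(hook)
            last_process = hook.process
            continue
        e = ELIDED_RE.match(line)
        if e and last_process:
            elided[last_process] += int(e.group("count"))
    return hooks, dict(elided)


def group_by_signature(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Map each distinct hook signature to the image names it was seen in (in log order)."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for h in hooks:
        if h.image not in groups[h.signature]:
            groups[h.signature].append(h.image)
    return dict(groups)


def detours(hooks: List[Hook]) -> List[Hook]:
    """Inline JMP detours deserve individual attention: the target address says where control goes."""
    return [h for h in hooks if h.detour_target is not None]


# Constructed sample: a subset of the entries from the log above, one per line as GMER prints them.
SAMPLE_LOG = r"""
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1732]   C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter   000000007559d03c 4 bytes [C2, 04, 00, 00]
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1732]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076b91465 2 bytes [B9, 76]
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1732]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   0000000076b914bb 2 bytes [B9, 76]
.text   ...   * 2
.text   C:\Windows\SysWOW64\PnkBstrA.exe[1932]   C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322   00000000732d1a22 2 bytes [2D, 73]
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[3812]   C:\Windows\syswow64\ole32.dll!CoCreateInstance   0000000076c3590c 5 bytes JMP 00000001100077f0
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[3812]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076b91465 2 bytes [B9, 76]
.text   C:\Users\Marek\AppData\Local\Viber\Viber.exe[3832]   C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076b91465 2 bytes [B9, 76]
"""

if __name__ == "__main__":
    parsed, collapsed = parse_user_code_section(SAMPLE_LOG)
    for sig, images in group_by_signature(parsed).items():
        print(f"{len(images):2d} process(es)  {sig}  <- {', '.join(images)}")
    for d in detours(parsed):
        print(f"detour: {d.image} {d.symbol} -> {d.detour_target:#x}")
    print("collapsed entries:", collapsed)
```

Run it against the full block (paste the `.text` lines into `SAMPLE_LOG` or read them from the saved log) and the PSAPI `[B9, 76]` pair collapses from a dozen lines into one signature seen in nine images, while the CoCreateInstance detour and the ksuser.dll and WSOCK32.dll patches stand out as the entries that are specific to one process. The tool groups; it does not decide what is malicious, and the signature view is meant to be cross-checked against what is known about the software loaded in those processes before any entry is acted on.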