GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-12-15 22:44:24
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JE4O 698,64GB
Running: w0d237ci.exe; Driver: C:\Users\EWAMAR~1\AppData\Local\Temp\uxtiruod.sys

---- User code sections - GMER 2.1 ----

.text  C:\Windows\SysWOW64\ezSharedSvcHost.exe[1600]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000074d01401  2 bytes JMP 75b8b21b  C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ezSharedSvcHost.exe[1600]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000074d01419  2 bytes JMP 75b8b346  C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ezSharedSvcHost.exe[1600]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000074d01431  2 bytes JMP 75c08fd1  C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ezSharedSvcHost.exe[1600]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000074d0144a  2 bytes CALL 75b6489d  C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Windows\SysWOW64\ezSharedSvcHost.exe[1600]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000074d014dd  2 bytes JMP 75c088c4  C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ezSharedSvcHost.exe[1600]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000074d014f5  2 bytes JMP 75c08aa0  C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ezSharedSvcHost.exe[1600]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000074d0150d  2 bytes JMP 75c087ba  C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ezSharedSvcHost.exe[1600]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000074d01525  2 bytes JMP 75c08b8a  C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ezSharedSvcHost.exe[1600]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000074d0153d  2 bytes JMP 75b7fca8  C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ezSharedSvcHost.exe[1600]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000074d01555  2 bytes JMP 75b868ef  C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ezSharedSvcHost.exe[1600]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000074d0156d  2 bytes JMP 75c09089  C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ezSharedSvcHost.exe[1600]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000074d01585  2 bytes JMP 75c08bea  C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ezSharedSvcHost.exe[1600]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000074d0159d  2 bytes JMP 75c0877e  C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ezSharedSvcHost.exe[1600]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000074d015b5  2 bytes JMP 75b7fd41  C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ezSharedSvcHost.exe[1600]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000074d015cd  2 bytes JMP 75b8b2dc  C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ezSharedSvcHost.exe[1600]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000074d016b2  2 bytes JMP 75c08f4c  C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ezSharedSvcHost.exe[1600]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000074d016bd  2 bytes JMP 75c08713  C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3256]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000074d01401  2 bytes JMP 75b8b21b  C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3256]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000074d01419  2 bytes JMP 75b8b346  C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3256]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000074d01431  2 bytes JMP 75c08fd1  C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3256]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000074d0144a  2 bytes CALL 75b6489d  C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3256]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000074d014dd  2 bytes JMP 75c088c4  C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3256]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000074d014f5  2 bytes JMP 75c08aa0  C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3256]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000074d0150d  2 bytes JMP 75c087ba  C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3256]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000074d01525  2 bytes JMP 75c08b8a  C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3256]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000074d0153d  2 bytes JMP 75b7fca8  C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3256]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000074d01555  2 bytes JMP 75b868ef  C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3256]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000074d0156d  2 bytes JMP 75c09089  C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3256]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000074d01585  2 bytes JMP 75c08bea  C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3256]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000074d0159d  2 bytes JMP 75c0877e  C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3256]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000074d015b5  2 bytes JMP 75b7fd41  C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3256]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000074d015cd  2 bytes JMP 75b8b2dc  C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3256]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000074d016b2  2 bytes JMP 75c08f4c  C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3256]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000074d016bd  2 bytes JMP 75c08713  C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\svchost.exe [924:1168]  000007fefa978274
Thread  C:\Windows\system32\svchost.exe [924:1280]  000007fefa978274

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\PDFSFilter\Parameters\{5fe6b717-ba82-11e1-85fc-806e6f6e6963}@NumExtendFileExtentsSaved  28402
Reg  HKLM\SYSTEM\CurrentControlSet\services\rdyboost\Parameters@LastBootPlanUserTime  ?Tue?, ?Dec ?15 ?15, 09:51:17 PM????????L??????????????????????

---- EOF - GMER 2.1 ----
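The following is an added example, not part of the log above and not GMER's own code. It parses the `.text` entries of a GMER "User code sections" block into structured records, honours the `.text ... * N` elision marker, and applies a simple triage rule: a hook where both the patched module and the jump target live under `C:\Windows` (the pattern in this log, where every 32-bit `PSAPI.DLL` export is a 2-byte stub that jumps into `kernel32.dll` in the same `syswow64` directory) is marked low priority, while a target outside the Windows directory is marked for review. The sample input embeds three lines copied from the log above plus one constructed line (`C:\Example\app.exe`, `C:\Users\Public\unknown.dll`) that exists only to exercise the "review" branch; that line is hypothetical and describes nothing on this machine.

```python
"""Parse and triage the 'User code sections' block of a GMER 2.1 log."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: three entries copied from the GMER log above, the
# elision marker GMER prints for repeated entries, and ONE hypothetical line
# (C:\Example\app.exe / unknown.dll) added only so the triage rule below has a
# "review" case to show. That last line is not from the scan.
SAMPLE_LOG = r"""
---- User code sections - GMER 2.1 ----

.text  C:\Windows\SysWOW64\ezSharedSvcHost.exe[1600]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000074d01401  2 bytes JMP 75b8b21b  C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ezSharedSvcHost.exe[1600]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000074d0144a  2 bytes CALL 75b6489d  C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3256]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000074d01555  2 bytes JMP 75b868ef  C:\Windows\syswow64\kernel32.dll
.text  C:\Example\app.exe[4242]  C:\Windows\syswow64\kernel32.dll!CreateFileW + 5  0000000075b70000  5 bytes JMP 10001000  C:\Users\Public\unknown.dll

---- Threads - GMER 2.1 ----
"""

# One hooked export: "<process>[pid] <module>!<func> + <off> <addr> <n> bytes JMP|CALL <target> <target module>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>.+?)!(?P<function>\w+)\s*\+\s*(?P<offset>\d+)\s+"
    r"(?P<address>[0-9a-fA-F]+)\s+(?P<size>\d+) bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9a-fA-F]+)\s+(?P<target_module>.+?)\s*$"
)
# GMER collapses runs of similar entries into ".text  ...  * N".
ELIDED_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s*(?P<count>\d+)\s*$")

WINDOWS_DIR = "c:\\windows\\"


@dataclass(frozen=True)
class Hook:
    process: str
    pid: int
    module: str
    function: str
    offset: int
    address: int
    size: int
    kind: str
    target: int
    target_module: str


def parse_user_code_sections(text: str) -> tuple[list[Hook], int]:
    """Return (hooks, elided) where elided is the sum of all '* N' markers."""
    hooks: list[Hook] = []
    elided = 0
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hooks.append(Hook(
                process=m["process"].strip(), pid=int(m["pid"]),
                module=m["module"].strip(), function=m["function"],
                offset=int(m["offset"]), address=int(m["address"], 16),
                size=int(m["size"]), kind=m["kind"],
                target=int(m["target"], 16), target_module=m["target_module"].strip(),
            ))
            continue
        e = ELIDED_RE.match(line)
        if e:
            elided += int(e["count"])
    return hooks, elided


def in_windows_dir(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIR)


def triage(hook: Hook) -> str:
    """'low' when a Windows DLL stub jumps into another Windows DLL (the
    psapi.dll -> kernel32.dll forwarders seen in this log); 'review' when the
    target module lies outside C:\\Windows. Heuristic, not a verdict."""
    if in_windows_dir(hook.module) and in_windows_dir(hook.target_module):
        return "low"
    return "review"


def summarize(hooks: list[Hook]) -> dict[tuple[str, int], int]:
    """Hook count per (process path, pid)."""
    counts: dict[tuple[str, int], int] = defaultdict(int)
    for h in hooks:
        counts[(h.process, h.pid)] += 1
    return dict(counts)


if __name__ == "__main__":
    found, skipped = parse_user_code_sections(SAMPLE_LOG)
    for h in found:
        print(f"{triage(h):6} {h.process}[{h.pid}] {h.function}+{h.offset} "
              f"{h.kind} {h.target:08x} -> {h.target_module}")
    print(f"{len(found)} parsed, {skipped} elided by GMER")
    for (proc, pid), n in summarize(found).items():
        print(f"  {n:3} hooks in {proc}[{pid}]")
```

Run against a full log, every entry for the two processes above should come out as "low"; anything that lands in "review" is what to look at first, together with the thread and registry sections, which this example does not parse.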