GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-02-13 18:18:09 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.ES2O 298,09GB Running: o8wx8usj.exe; Driver: C:\Users\oem\AppData\Local\Temp\fxlcapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\SysWOW64\PnkBstrA.exe[2008] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000733b17fa 2 bytes CALL 763611a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2008] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 00000000733b1860 2 bytes CALL 763611a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2008] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 00000000733b1942 2 bytes JMP 754d7089 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2008] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 00000000733b194d 2 bytes JMP 754dcba6 C:\Windows\syswow64\WS2_32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000766e1401 2 bytes JMP 7638b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000766e1419 2 bytes JMP 7638b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000766e1431 2 bytes JMP 76409011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000766e144a 2 bytes CALL 763648ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000766e14dd 2 bytes JMP 7640890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000766e14f5 2 bytes JMP 76408ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000766e150d 2 bytes JMP 76408800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000766e1525 2 bytes JMP 76408bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000766e153d 2 bytes JMP 7637fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000766e1555 2 bytes JMP 76386907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000766e156d 2 bytes JMP 764090c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000766e1585 2 bytes JMP 76408c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000766e159d 2 bytes JMP 764087c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000766e15b5 2 bytes JMP 7637fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000766e15cd 2 bytes JMP 7638b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000766e16b2 2 bytes JMP 76408f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000766e16bd 2 bytes JMP 76408759 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000730911a8 2 bytes [09, 73] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248 000000007309127d 2 bytes CALL 763614c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 395 0000000073091310 2 bytes CALL 763614c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 00000000730913a8 2 bytes [09, 73] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000073091422 2 bytes [09, 73] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1648] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000073091498 2 bytes [09, 73] ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5092:736] 000007fefbd22af8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5092:6012] 000007fee4f75648 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2000](2 000000006a1c0000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2000] 000000006fbc0000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2000](2014-12-17 22:06:30) 000000006e940000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2000](2014-12-17 22:06:30) 000000006ff00000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0A 0xB3 0x98 0x7A ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0A 0xB3 0x98 0x7A ... ---- EOF - GMER 2.1 ----