GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2016-03-01 17:23:26
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD2500KS-00MJB0 rev.02.01C03 232,89GB
Running: nu3dkoqs.exe; Driver: C:\Users\WojSky\AppData\Local\Temp\pxddypog.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable      fffff960000f5600 7 bytes [00, 66, F3, FF, 01, 70, F0]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8  fffff960000f5608 3 bytes [C0, 06, 02]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BlueSoleilCS.exe[1800]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17      0000000076001401 2 bytes JMP 7592b233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BlueSoleilCS.exe[1800]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17        0000000076001419 2 bytes JMP 7592b35e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BlueSoleilCS.exe[1800]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17      0000000076001431 2 bytes JMP 759a9011 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BlueSoleilCS.exe[1800]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42      000000007600144a 2 bytes CALL 759048ad C:\Windows\syswow64\kernel32.dll
.text  ...                                                                       * 9
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BlueSoleilCS.exe[1800]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17         00000000760014dd 2 bytes JMP 759a890a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BlueSoleilCS.exe[1800]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000760014f5 2 bytes JMP 759a8ae0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BlueSoleilCS.exe[1800]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17         000000007600150d 2 bytes JMP 759a8800 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BlueSoleilCS.exe[1800]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076001525 2 bytes JMP 759a8bca C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BlueSoleilCS.exe[1800]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17        000000007600153d 2 bytes JMP 7591fcc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BlueSoleilCS.exe[1800]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17             0000000076001555 2 bytes JMP 75926907 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BlueSoleilCS.exe[1800]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17      000000007600156d 2 bytes JMP 759a90c9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BlueSoleilCS.exe[1800]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17        0000000076001585 2 bytes JMP 759a8c2a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BlueSoleilCS.exe[1800]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17           000000007600159d 2 bytes JMP 759a87c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BlueSoleilCS.exe[1800]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17        00000000760015b5 2 bytes JMP 7591fd59 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BlueSoleilCS.exe[1800]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17      00000000760015cd 2 bytes JMP 7592b2f4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BlueSoleilCS.exe[1800]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000760016b2 2 bytes JMP 759a8f8c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BlueSoleilCS.exe[1800]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000760016bd 2 bytes JMP 759a8759 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BtTray.exe[6124]        C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17      0000000076001401 2 bytes JMP 7592b233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BtTray.exe[6124]        C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17        0000000076001419 2 bytes JMP 7592b35e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BtTray.exe[6124]        C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17      0000000076001431 2 bytes JMP 759a9011 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BtTray.exe[6124]        C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42      000000007600144a 2 bytes CALL 759048ad C:\Windows\syswow64\kernel32.dll
.text  ...                                                                       * 9
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BtTray.exe[6124]        C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17         00000000760014dd 2 bytes JMP 759a890a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BtTray.exe[6124]        C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000760014f5 2 bytes JMP 759a8ae0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BtTray.exe[6124]        C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17         000000007600150d 2 bytes JMP 759a8800 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BtTray.exe[6124]        C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076001525 2 bytes JMP 759a8bca C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BtTray.exe[6124]        C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17        000000007600153d 2 bytes JMP 7591fcc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BtTray.exe[6124]        C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17             0000000076001555 2 bytes JMP 75926907 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BtTray.exe[6124]        C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17      000000007600156d 2 bytes JMP 759a90c9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BtTray.exe[6124]        C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17        0000000076001585 2 bytes JMP 759a8c2a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BtTray.exe[6124]        C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17           000000007600159d 2 bytes JMP 759a87c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BtTray.exe[6124]        C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17        00000000760015b5 2 bytes JMP 7591fd59 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BtTray.exe[6124]        C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17      00000000760015cd 2 bytes JMP 7592b2f4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BtTray.exe[6124]        C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000760016b2 2 bytes JMP 759a8f8c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\IVT Corporation\BlueSoleil\BtTray.exe[6124]        C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000760016bd 2 bytes JMP 759a8759 C:\Windows\syswow64\kernel32.dll

---- Processes - GMER 2.1 ----

Library  C:\Users\WojSky\AppData\Local\Microsoft\Windows Sidebar\Gadgets\nvidia-gpu-temp.gadget\NvApiReader.dll (*** suspicious ***) @ C:\Program Files\Windows Sidebar\sidebar.exe [3216] (NvApiReader/Orbmu2k)(2015-02-09 16:35:29)  0000000070a60000

---- EOF - GMER 2.1 ----