GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-04-18 23:40:25
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.D005DEM1 465,76GB
Running: t45q6yg5.exe; Driver: C:\Users\Bartek\AppData\Local\Temp\kwrdipob.sys

---- User code sections - GMER 2.2 ----

.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[852]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17      00000000767c1401 2 bytes JMP 7618b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[852]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17        00000000767c1419 2 bytes JMP 7618b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[852]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17      00000000767c1431 2 bytes JMP 76208fd1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[852]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42      00000000767c144a 2 bytes CALL 7616489d C:\Windows\syswow64\kernel32.dll
.text  ...                                                                                                                            * 9
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[852]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17         00000000767c14dd 2 bytes JMP 762088c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[852]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000767c14f5 2 bytes JMP 76208aa0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[852]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17         00000000767c150d 2 bytes JMP 762087ba C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[852]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  00000000767c1525 2 bytes JMP 76208b8a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[852]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17        00000000767c153d 2 bytes JMP 7617fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[852]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17             00000000767c1555 2 bytes JMP 761868ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[852]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17      00000000767c156d 2 bytes JMP 76209089 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[852]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17        00000000767c1585 2 bytes JMP 76208bea C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[852]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17           00000000767c159d 2 bytes JMP 7620877e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[852]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17        00000000767c15b5 2 bytes JMP 7617fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[852]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17      00000000767c15cd 2 bytes JMP 7618b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[852]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000767c16b2 2 bytes JMP 76208f4c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[852]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000767c16bd 2 bytes JMP 76208713 C:\Windows\syswow64\kernel32.dll

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\642737e4bee8
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\642737e4bee8 (not active ControlSet)

---- EOF - GMER 2.2 ----