GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-02-27 12:01:46 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD5000BEVT-22A0RT0 rev.01.01A01 465,76GB Running: guvis4m9.exe; Driver: C:\Users\UKASZ~1\AppData\Local\Temp\pgddqpoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1872] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000757a8769 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1872] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000075441401 2 bytes JMP 757cb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1872] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000075441419 2 bytes JMP 757cb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1872] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000075441431 2 bytes JMP 75848f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1872] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 000000007544144a 2 bytes CALL 757a4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1872] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000754414dd 2 bytes JMP 75848832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1872] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000754414f5 2 bytes JMP 75848a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1872] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 000000007544150d 2 bytes JMP 75848728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1872] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000075441525 2 bytes JMP 75848af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1872] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 000000007544153d 2 bytes JMP 757bfc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1872] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000075441555 2 bytes JMP 757c68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1872] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 000000007544156d 2 bytes JMP 75848ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1872] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000075441585 2 bytes JMP 75848b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1872] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 000000007544159d 2 bytes JMP 758486ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1872] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000754415b5 2 bytes JMP 757bfd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1872] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000754415cd 2 bytes JMP 757cb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1872] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000754416b2 2 bytes JMP 75848eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1872] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000754416bd 2 bytes JMP 75848681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe[2164] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000075441401 2 bytes JMP 757cb20b C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe[2164] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000075441419 2 bytes JMP 757cb336 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe[2164] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000075441431 2 bytes JMP 75848f39 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe[2164] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 000000007544144a 2 bytes CALL 757a4885 C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe[2164] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000754414dd 2 bytes JMP 75848832 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe[2164] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000754414f5 2 bytes JMP 75848a08 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe[2164] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 000000007544150d 2 bytes JMP 75848728 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe[2164] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000075441525 2 bytes JMP 75848af2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe[2164] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 000000007544153d 2 bytes JMP 757bfc98 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe[2164] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000075441555 2 bytes JMP 757c68df C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe[2164] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 000000007544156d 2 bytes JMP 75848ff1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe[2164] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000075441585 2 bytes JMP 75848b52 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe[2164] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 000000007544159d 2 bytes JMP 758486ec C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe[2164] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000754415b5 2 bytes JMP 757bfd31 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe[2164] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000754415cd 2 bytes JMP 757cb2cc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe[2164] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000754416b2 2 bytes JMP 75848eb4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe[2164] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000754416bd 2 bytes JMP 75848681 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Łukasz\AppData\Roaming\Spotify\Spotify.exe[2180] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075441401 2 bytes JMP 757cb20b C:\Windows\syswow64\kernel32.dll .text C:\Users\Łukasz\AppData\Roaming\Spotify\Spotify.exe[2180] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075441419 2 bytes JMP 757cb336 C:\Windows\syswow64\kernel32.dll .text C:\Users\Łukasz\AppData\Roaming\Spotify\Spotify.exe[2180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075441431 2 bytes JMP 75848f39 C:\Windows\syswow64\kernel32.dll .text C:\Users\Łukasz\AppData\Roaming\Spotify\Spotify.exe[2180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007544144a 2 bytes CALL 757a4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Łukasz\AppData\Roaming\Spotify\Spotify.exe[2180] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000754414dd 2 bytes JMP 75848832 C:\Windows\syswow64\kernel32.dll .text C:\Users\Łukasz\AppData\Roaming\Spotify\Spotify.exe[2180] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000754414f5 2 bytes JMP 75848a08 C:\Windows\syswow64\kernel32.dll .text C:\Users\Łukasz\AppData\Roaming\Spotify\Spotify.exe[2180] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007544150d 2 bytes JMP 75848728 C:\Windows\syswow64\kernel32.dll .text C:\Users\Łukasz\AppData\Roaming\Spotify\Spotify.exe[2180] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075441525 2 bytes JMP 75848af2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Łukasz\AppData\Roaming\Spotify\Spotify.exe[2180] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007544153d 2 bytes JMP 757bfc98 C:\Windows\syswow64\kernel32.dll .text C:\Users\Łukasz\AppData\Roaming\Spotify\Spotify.exe[2180] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075441555 2 bytes JMP 757c68df C:\Windows\syswow64\kernel32.dll .text C:\Users\Łukasz\AppData\Roaming\Spotify\Spotify.exe[2180] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007544156d 2 bytes JMP 75848ff1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Łukasz\AppData\Roaming\Spotify\Spotify.exe[2180] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075441585 2 bytes JMP 75848b52 C:\Windows\syswow64\kernel32.dll .text C:\Users\Łukasz\AppData\Roaming\Spotify\Spotify.exe[2180] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007544159d 2 bytes JMP 758486ec C:\Windows\syswow64\kernel32.dll .text C:\Users\Łukasz\AppData\Roaming\Spotify\Spotify.exe[2180] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000754415b5 2 bytes JMP 757bfd31 C:\Windows\syswow64\kernel32.dll .text C:\Users\Łukasz\AppData\Roaming\Spotify\Spotify.exe[2180] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000754415cd 2 bytes JMP 757cb2cc C:\Windows\syswow64\kernel32.dll .text C:\Users\Łukasz\AppData\Roaming\Spotify\Spotify.exe[2180] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000754416b2 2 bytes JMP 75848eb4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Łukasz\AppData\Roaming\Spotify\Spotify.exe[2180] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000754416bd 2 bytes JMP 75848681 C:\Windows\syswow64\kernel32.dll ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [4236:6108] 000007fef7dd9688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\406186a90ad5 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\406186a90ad5@0ca694b96d1e 0x23 0x78 0xD2 0x38 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\406186a90ad5@b869c203b8b6 0x17 0xCF 0x77 0xDA ... Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{A0A9109E-2FF8-42FD-A0B2-ABD2D601B050}@LeaseObtainedTime 1456564785 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{A0A9109E-2FF8-42FD-A0B2-ABD2D601B050}@T1 1456564815 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{A0A9109E-2FF8-42FD-A0B2-ABD2D601B050}@T2 1456564837 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{A0A9109E-2FF8-42FD-A0B2-ABD2D601B050}@LeaseTerminatesTime 1456564845 Reg HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\Interfaces\{a0a9109e-2ff8-42fd-a0b2-abd2d601b050}@Dhcpv6MaxLeaseExpireTime 1456564861 Reg HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\Interfaces\{a0a9109e-2ff8-42fd-a0b2-abd2d601b050}@Dhcpv6LeaseObtainedTime 1456564801 Reg HKLM\SYSTEM\CurrentControlSet\services\TrustedInstaller@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\TrustedInstaller Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\406186a90ad5 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\406186a90ad5@0ca694b96d1e 0x23 0x78 0xD2 0x38 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\406186a90ad5@b869c203b8b6 0x17 0xCF 0x77 0xDA ... ---- EOF - GMER 2.1 ----