GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-12-02 13:47:10 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000024 ST1000LM024_HN-M101MBB rev.2BA30001 931,51GB Running: gmer.exe; Driver: C:\Users\Robert\AppData\Local\Temp\uxldypob.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff96000079200 15 bytes [00, 28, F6, 01, 80, 1C, 6C, ...] .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16 fffff96000079210 11 bytes [00, 0E, FC, FF, 00, 05, C4, ...] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\atiesrxx.exe[344] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffea766169a 4 bytes [66, A7, FE, 7F] .text C:\WINDOWS\system32\atiesrxx.exe[344] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffea76616a2 4 bytes [66, A7, FE, 7F] .text C:\WINDOWS\system32\atiesrxx.exe[344] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffea766181a 4 bytes [66, A7, FE, 7F] .text C:\WINDOWS\system32\atiesrxx.exe[344] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffea7661832 4 bytes [66, A7, FE, 7F] .text C:\WINDOWS\system32\atieclxx.exe[1044] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffea766169a 4 bytes [66, A7, FE, 7F] .text C:\WINDOWS\system32\atieclxx.exe[1044] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffea76616a2 4 bytes [66, A7, FE, 7F] .text C:\WINDOWS\system32\atieclxx.exe[1044] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffea766181a 4 bytes [66, A7, FE, 7F] .text C:\WINDOWS\system32\atieclxx.exe[1044] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffea7661832 4 bytes [66, A7, FE, 7F] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1452] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffe98f81f6a 4 bytes [F8, 98, FE, 7F] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[1452] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffe98f81f82 4 bytes [F8, 98, FE, 7F] .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[4832] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffe98f81f6a 4 bytes [F8, 98, FE, 7F] .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[4832] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffe98f81f82 4 bytes [F8, 98, FE, 7F] ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [744:752] fffff96000952b90 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [3492:3496] 0000000000a31f36 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [3492:4112] 0000000074bea301 ---- Processes - GMER 2.1 ---- Process C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (*** suspicious ***) @ C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [1332] (WindowsProtectManger Service/Fuyu LIMITED)(2014-11-28 11:09:11) 0000000000b50000 Process C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\LiveComm.exe (*** suspicious ***) @ C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\LiveComm.exe [2828] (Com(2014-11-25 12:53:08) 00007ff60c110000 Library C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\wllog.dll (*** suspicious ***) @ C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\LiveComm.exe [2828] (Window(2014-11-25 12:53:08) 00007ffe9b2c0000 Library C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\Microsoft.WindowsLive.Platform.Service.dll (*** suspicious ***) @ C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d(2014-11-25 12:53:08) 00007ffe889c0000 Library C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\bici.dll (*** suspicious ***) @ C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\LiveComm.exe [2828] (Windows(2014-11-25 12:53:08) 00007ffe9a600000 Library C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\Microsoft.WindowsLive.Platform.dll (*** suspicious ***) @ C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\Li(2014-11-25 12:53:08) 00007ffe937d0000 Library C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\wlcore.dll (*** suspicious ***) @ C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\LiveComm.exe [2828] (Windo(2014-11-25 12:53:08) 00007ffe9b2b0000 Library C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\Microsoft.WindowsLive.Platform.Eas.dll (*** suspicious ***) @ C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbw(2014-11-25 12:53:08) 00007ffe91410000 Library C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\Microsoft.WindowsLive.Platform.Calendar.dll (*** suspicious ***) @ C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3(2014-11-25 12:53:08) 00007ffe96860000 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----