GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-09 18:26:37
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0005 465,76GB
Running: 5cvxj5hf.exe; Driver: C:\Users\Mateusz\AppData\Local\Temp\pwriykow.sys


---- User code sections - GMER 2.1 ----

.text    C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2792] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter                                                                 0000000074b18791 4 bytes [C2, 04, 00, 00]
.text    C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2792] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17                                                                      0000000075241401 2 bytes JMP 74b3b21b C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2792] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17                                                                        0000000075241419 2 bytes JMP 74b3b346 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2792] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17                                                                      0000000075241431 2 bytes JMP 74bb8ea9 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2792] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42                                                                      000000007524144a 2 bytes CALL 74b148ad C:\Windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                                       * 9
.text    C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2792] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17                                                                         00000000752414dd 2 bytes JMP 74bb87a2 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2792] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17                                                                  00000000752414f5 2 bytes JMP 74bb8978 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2792] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17                                                                         000000007524150d 2 bytes JMP 74bb8698 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2792] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17                                                                  0000000075241525 2 bytes JMP 74bb8a62 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2792] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17                                                                        000000007524153d 2 bytes JMP 74b2fca8 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2792] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17                                                                             0000000075241555 2 bytes JMP 74b368ef C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2792] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17                                                                      000000007524156d 2 bytes JMP 74bb8f61 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2792] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17                                                                        0000000075241585 2 bytes JMP 74bb8ac2 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2792] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17                                                                           000000007524159d 2 bytes JMP 74bb865c C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2792] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17                                                                        00000000752415b5 2 bytes JMP 74b2fd41 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2792] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17                                                                      00000000752415cd 2 bytes JMP 74b3b2dc C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2792] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20                                                                  00000000752416b2 2 bytes JMP 74bb8e24 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2792] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31                                                                  00000000752416bd 2 bytes JMP 74bb85f1 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Mateusz\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.19.2\dsrlte.exe[3740] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                 0000000075241401 2 bytes JMP 74b3b21b C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Mateusz\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.19.2\dsrlte.exe[3740] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                   0000000075241419 2 bytes JMP 74b3b346 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Mateusz\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.19.2\dsrlte.exe[3740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                 0000000075241431 2 bytes JMP 74bb8ea9 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Mateusz\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.19.2\dsrlte.exe[3740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                 000000007524144a 2 bytes CALL 74b148ad C:\Windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                                       * 9
.text    C:\Users\Mateusz\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.19.2\dsrlte.exe[3740] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                    00000000752414dd 2 bytes JMP 74bb87a2 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Mateusz\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.19.2\dsrlte.exe[3740] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                             00000000752414f5 2 bytes JMP 74bb8978 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Mateusz\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.19.2\dsrlte.exe[3740] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                    000000007524150d 2 bytes JMP 74bb8698 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Mateusz\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.19.2\dsrlte.exe[3740] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                             0000000075241525 2 bytes JMP 74bb8a62 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Mateusz\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.19.2\dsrlte.exe[3740] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                   000000007524153d 2 bytes JMP 74b2fca8 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Mateusz\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.19.2\dsrlte.exe[3740] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                        0000000075241555 2 bytes JMP 74b368ef C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Mateusz\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.19.2\dsrlte.exe[3740] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                 000000007524156d 2 bytes JMP 74bb8f61 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Mateusz\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.19.2\dsrlte.exe[3740] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                   0000000075241585 2 bytes JMP 74bb8ac2 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Mateusz\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.19.2\dsrlte.exe[3740] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                      000000007524159d 2 bytes JMP 74bb865c C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Mateusz\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.19.2\dsrlte.exe[3740] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                   00000000752415b5 2 bytes JMP 74b2fd41 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Mateusz\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.19.2\dsrlte.exe[3740] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                 00000000752415cd 2 bytes JMP 74b3b2dc C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Mateusz\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.19.2\dsrlte.exe[3740] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                             00000000752416b2 2 bytes JMP 74bb8e24 C:\Windows\syswow64\kernel32.dll
.text    C:\Users\Mateusz\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.19.2\dsrlte.exe[3740] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                             00000000752416bd 2 bytes JMP 74bb85f1 C:\Windows\syswow64\kernel32.dll

---- Kernel IAT/EAT - GMER 2.1 ----

IAT      C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]                                                                                                            [fffff8800107be94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT      C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]                                                                                                                   [fffff8800107bc38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT      C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]                                                                                                                  [fffff8800107c654] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT      C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong]                                                                                                                  [fffff8800107ca50] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT      C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]                                                                                                           [fffff8800107c8ac] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Devices - GMER 2.1 ----

Device   \FileSystem\Ntfs \Ntfs                                                                                                                                                                    fffffa8003b332c0
Device   \FileSystem\fastfat \Fat                                                                                                                                                                  fffffa80079302c0
Device   \Driver\usbehci \Device\USBPDO-1                                                                                                                                                          fffffa800734b2c0
Device   \Driver\cdrom \Device\CdRom0                                                                                                                                                              fffffa80072ca2c0
Device   \Driver\NetBT \Device\NetBT_Tcpip_{E6D59CE0-D97A-4EF9-9076-08D5D7986DC6}                                                                                                                  fffffa80074a12c0
Device   \Driver\usbehci \Device\USBFDO-0                                                                                                                                                          fffffa800734b2c0
Device   \Driver\usbehci \Device\USBFDO-1                                                                                                                                                          fffffa800734b2c0
Device   \Driver\NetBT \Device\NetBT_Tcpip_{2C5AEE37-D534-4139-B6F4-A55CBE4496FC}                                                                                                                  fffffa80074a12c0
Device   \Driver\NetBT \Device\NetBt_Wins_Export                                                                                                                                                   fffffa80074a12c0
Device   \Driver\usbehci \Device\USBPDO-0                                                                                                                                                          fffffa800734b2c0

---- Processes - GMER 2.1 ----

Process  C:\ProgramData\b6e31346-5839-4cca-ab24-0578c508b4f4\maintainer.exe (*** suspicious ***) @ C:\ProgramData\b6e31346-5839-4cca-ab24-0578c508b4f4\maintainer.exe [3060](2014-10-29 22:08:45)  0000000000080000
Library  C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [1692](2                                                       000000006a1c0000
Library  C:\ProgramData\PLAY ONLINE\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [1692]                                                        000000006fbc0000
Library  C:\ProgramData\PLAY ONLINE\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [1692](2012-11-21 19:29:16)                             000000006e940000
Library  C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [1692](2012-11-21 19:29:16)                                 000000006ff00000
Process  C:\Users\Mateusz\AppData\Roaming\VOPackage\VOsrv.exe (*** suspicious ***) @ C:\Users\Mateusz\AppData\Roaming\VOPackage\VOsrv.exe [1832](2014-09-07 15:47:03)                              00000000003b0000

---- EOF - GMER 2.1 ----
