GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-03-09 22:16:25 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0006 465,76GB Running: uwe2cbsf.exe; Driver: C:\Users\Maciej\AppData\Local\Temp\ugdiapod.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[3272] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000757b1401 2 bytes JMP 755ab21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[3272] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000757b1419 2 bytes JMP 755ab346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[3272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000757b1431 2 bytes JMP 75628ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[3272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000757b144a 2 bytes CALL 755848ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[3272] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000757b14dd 2 bytes JMP 756287a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[3272] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000757b14f5 2 bytes JMP 75628978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[3272] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000757b150d 2 bytes JMP 75628698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[3272] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000757b1525 2 bytes JMP 75628a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[3272] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000757b153d 2 bytes JMP 7559fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[3272] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000757b1555 2 bytes JMP 755a68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[3272] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000757b156d 2 bytes JMP 75628f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[3272] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000757b1585 2 bytes JMP 75628ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[3272] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000757b159d 2 bytes JMP 7562865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[3272] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000757b15b5 2 bytes JMP 7559fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[3272] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000757b15cd 2 bytes JMP 755ab2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[3272] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000757b16b2 2 bytes JMP 75628e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[3272] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000757b16bd 2 bytes JMP 756285f1 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\{77ac787e-a09d-9957-77ac-c787ea09e1fa}\Robin Thicke - Blurred Lines (ft. T.I. .exe[4932] C:\Windows\syswow64\kernel32.dll!CreateEventA + 8 0000000075583254 7 bytes JMP 00000001011d1a30 .text C:\ProgramData\{77ac787e-a09d-9957-77ac-c787ea09e1fa}\Robin Thicke - Blurred Lines (ft. T.I. .exe[4932] C:\Windows\syswow64\kernel32.dll!lstrcmpW + 30 000000007558590f 7 bytes JMP 00000001011d1c30 .text C:\ProgramData\{77ac787e-a09d-9957-77ac-c787ea09e1fa}\Robin Thicke - Blurred Lines (ft. T.I. .exe[4932] C:\Windows\syswow64\kernel32.dll!LoadResource + 8 000000007558591c 7 bytes JMP 00000001011d25f0 .text C:\ProgramData\{77ac787e-a09d-9957-77ac-c787ea09e1fa}\Robin Thicke - Blurred Lines (ft. T.I. .exe[4932] C:\Windows\syswow64\kernel32.dll!LockResource + 19 0000000075585934 7 bytes JMP 00000001011d1000 .text C:\ProgramData\{77ac787e-a09d-9957-77ac-c787ea09e1fa}\Robin Thicke - Blurred Lines (ft. T.I. .exe[4932] C:\Windows\syswow64\kernel32.dll!GetLocalTime + 30 0000000075585a8c 7 bytes JMP 00000001011d2a70 .text C:\ProgramData\{77ac787e-a09d-9957-77ac-c787ea09e1fa}\Robin Thicke - Blurred Lines (ft. T.I. .exe[4932] C:\Windows\syswow64\kernel32.dll!GetQueuedCompletionStatus + 19 000000007559d3a6 7 bytes JMP 00000001011d2d10 .text C:\PROGRA~1\Sony\VAIOCA~1\Iolo\IOLOTO~1.EXE[8996] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 00000000757b1401 2 bytes JMP 755ab21b C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~1\Sony\VAIOCA~1\Iolo\IOLOTO~1.EXE[8996] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 00000000757b1419 2 bytes JMP 755ab346 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~1\Sony\VAIOCA~1\Iolo\IOLOTO~1.EXE[8996] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 00000000757b1431 2 bytes JMP 75628ea9 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~1\Sony\VAIOCA~1\Iolo\IOLOTO~1.EXE[8996] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 00000000757b144a 2 bytes CALL 755848ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\PROGRA~1\Sony\VAIOCA~1\Iolo\IOLOTO~1.EXE[8996] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000757b14dd 2 bytes JMP 756287a2 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~1\Sony\VAIOCA~1\Iolo\IOLOTO~1.EXE[8996] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000757b14f5 2 bytes JMP 75628978 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~1\Sony\VAIOCA~1\Iolo\IOLOTO~1.EXE[8996] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 00000000757b150d 2 bytes JMP 75628698 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~1\Sony\VAIOCA~1\Iolo\IOLOTO~1.EXE[8996] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 00000000757b1525 2 bytes JMP 75628a62 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~1\Sony\VAIOCA~1\Iolo\IOLOTO~1.EXE[8996] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 00000000757b153d 2 bytes JMP 7559fca8 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~1\Sony\VAIOCA~1\Iolo\IOLOTO~1.EXE[8996] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 00000000757b1555 2 bytes JMP 755a68ef C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~1\Sony\VAIOCA~1\Iolo\IOLOTO~1.EXE[8996] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 00000000757b156d 2 bytes JMP 75628f61 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~1\Sony\VAIOCA~1\Iolo\IOLOTO~1.EXE[8996] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 00000000757b1585 2 bytes JMP 75628ac2 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~1\Sony\VAIOCA~1\Iolo\IOLOTO~1.EXE[8996] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 00000000757b159d 2 bytes JMP 7562865c C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~1\Sony\VAIOCA~1\Iolo\IOLOTO~1.EXE[8996] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000757b15b5 2 bytes JMP 7559fd41 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~1\Sony\VAIOCA~1\Iolo\IOLOTO~1.EXE[8996] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000757b15cd 2 bytes JMP 755ab2dc C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~1\Sony\VAIOCA~1\Iolo\IOLOTO~1.EXE[8996] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000757b16b2 2 bytes JMP 75628e24 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~1\Sony\VAIOCA~1\Iolo\IOLOTO~1.EXE[8996] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000757b16bd 2 bytes JMP 756285f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[7252] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000757b1401 2 bytes JMP 755ab21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[7252] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000757b1419 2 bytes JMP 755ab346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[7252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000757b1431 2 bytes JMP 75628ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[7252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000757b144a 2 bytes CALL 755848ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[7252] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000757b14dd 2 bytes JMP 756287a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[7252] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000757b14f5 2 bytes JMP 75628978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[7252] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000757b150d 2 bytes JMP 75628698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[7252] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000757b1525 2 bytes JMP 75628a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[7252] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000757b153d 2 bytes JMP 7559fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[7252] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000757b1555 2 bytes JMP 755a68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[7252] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000757b156d 2 bytes JMP 75628f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[7252] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000757b1585 2 bytes JMP 75628ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[7252] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000757b159d 2 bytes JMP 7562865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[7252] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000757b15b5 2 bytes JMP 7559fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[7252] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000757b15cd 2 bytes JMP 755ab2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[7252] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000757b16b2 2 bytes JMP 75628e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[7252] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000757b16bd 2 bytes JMP 756285f1 C:\Windows\syswow64\kernel32.dll ? C:\Windows\system32\mssprxy.dll [7252] entry point in ".rdata" section 00000000713e71e6 ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4500:5040] 000007fefb172bf8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4500:3224] 000007feed6f4830 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4500:4536] 000007fef9cc5124 ---- Processes - GMER 2.1 ---- Process C:\Users\Maciej\AppData\Roaming\blueconnect\ouc.exe (*** suspicious ***) @ C:\Users\Maciej\AppData\Roaming\blueconnect\ouc.exe [4252] (Online Update Clinet/Huawei Technologies Co., Ltd.)(2012-12-20 12:06:28) 0000000000400000 Library C:\Windows\System32\QuickTime\QuickTimeAuthoring.qtx (*** suspicious ***) @ C:\Program Files (x86)\QuickTime\qttask.exe [4808] (FILE N 0000000066ec0000 Library C:\Windows\System32\QuickTime\QuickTimeCapture.qtx (*** suspicious ***) @ C:\Program Files (x86)\QuickTime\qttask.exe [4808] (FILE NOT F 0000000067040000 Library C:\Windows\System32\QuickTime\QuickTimeEffects.qtx (*** suspicious ***) @ C:\Program Files (x86)\QuickTime\qttask.exe [4808] (FILE NOT F 0000000067090000 Library C:\Windows\System32\QuickTime\QuickTimeEssentials.qtx (*** suspicious ***) @ C:\Program Files (x86)\QuickTime\qttask.exe [4808] (FILE 00000000672d0000 Library C:\Windows\System32\QuickTime\QuickTimeImage.qtx (*** suspicious ***) @ C:\Program Files (x86)\QuickTime\qttask.exe [4808] (FILE NOT FOUND 0000000067120000 Library C:\Windows\System32\QuickTime\QuickTimeInternetExtras.qtx (*** suspicious ***) @ C:\Program Files (x86)\QuickTime\qttask.exe [4808] (FILE NOT FOUND) 0000000066df0000 Library C:\Windows\System32\QuickTime\QuickTimeMPEG.qtx (*** suspicious ***) @ C:\Program Files (x86)\QuickTime\qttask.exe [4808] (FILE NOT FOUND) 0000000067260000 Library C:\Windows\System32\QuickTime\QuickTimeMPEG4.qtx (*** suspicious ***) @ C:\Program Files (x86)\QuickTime\qttask.exe [4808] (FILE NOT FOUND 0000000067350000 Library C:\Windows\System32\QuickTime\QuickTimeMPEG4Authoring.qtx (*** suspicious ***) @ C:\Program Files (x86)\QuickTime\qttask.exe [4808] (FILE NOT FOUND) 00000000673c0000 Library C:\Windows\System32\QuickTime\QuickTimeMusic.qtx (*** suspicious ***) @ C:\Program Files (x86)\QuickTime\qttask.exe [4808] (FILE NOT FOUND 00000000671a0000 Library C:\Windows\System32\QuickTime\QuickTimeStreaming.qtx (*** suspicious ***) @ C:\Program Files (x86)\QuickTime\qttask.exe [4808] (FILE N 0000000066c20000 Library C:\Windows\System32\QuickTime\QuickTimeStreamingAuthoring.qtx (*** suspicious ***) @ C:\Program Files (x86)\QuickTime\qttask.exe [4808] (FILE NOT FOUND) 00000000675e0000 Library C:\Windows\System32\QuickTime\QuickTimeStreamingExtras.qtx (*** suspicious ***) @ C:\Program Files (x86)\QuickTime\qttask.exe [4808] (FILE NOT FOUND) 0000000067640000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ccaf78ba4ce2 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ccaf78ba4ce2@549b12198613 0x91 0x0A 0x95 0x15 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ccaf78ba4ce2 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ccaf78ba4ce2@549b12198613 0x91 0x0A 0x95 0x15 ... ---- EOF - GMER 2.1 ----