GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-12-27 13:40:26
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-6 ST3500418AS rev.CC37 465,76GB
Running: 3fbem22y.exe; Driver: C:\Users\Admin\AppData\Local\Temp\uwddakob.sys


---- User code sections - GMER 2.1 ----

.text    C:\Windows\SysWOW64\explorer.exe[2780] C:\Windows\SysWOW64\wsock32.dll!recv + 82                                                                                                00000000723017fa 2 bytes CALL 766311a9 C:\Windows\syswow64\kernel32.dll
.text    C:\Windows\SysWOW64\explorer.exe[2780] C:\Windows\SysWOW64\wsock32.dll!recvfrom + 88                                                                                            0000000072301860 2 bytes CALL 766311a9 C:\Windows\syswow64\kernel32.dll
.text    C:\Windows\SysWOW64\explorer.exe[2780] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 98                                                                                          0000000072301942 2 bytes JMP 76887089 C:\Windows\syswow64\WS2_32.dll
.text    C:\Windows\SysWOW64\explorer.exe[2780] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 109                                                                                         000000007230194d 2 bytes JMP 7688cba6 C:\Windows\syswow64\WS2_32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                    0000000076e71401 2 bytes JMP 7665b21b C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2744] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                      0000000076e71419 2 bytes JMP 7665b346 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                    0000000076e71431 2 bytes JMP 766d8fd1 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                    0000000076e7144a 2 bytes CALL 7663489d C:\Windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                             * 9
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2744] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                       0000000076e714dd 2 bytes JMP 766d88c4 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                0000000076e714f5 2 bytes JMP 766d8aa0 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2744] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                       0000000076e7150d 2 bytes JMP 766d87ba C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                0000000076e71525 2 bytes JMP 766d8b8a C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                      0000000076e7153d 2 bytes JMP 7664fca8 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2744] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                           0000000076e71555 2 bytes JMP 766568ef C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                    0000000076e7156d 2 bytes JMP 766d9089 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                      0000000076e71585 2 bytes JMP 766d8bea C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2744] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                         0000000076e7159d 2 bytes JMP 766d877e C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                      0000000076e715b5 2 bytes JMP 7664fd41 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                    0000000076e715cd 2 bytes JMP 7665b2dc C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                0000000076e716b2 2 bytes JMP 766d8f4c C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                0000000076e716bd 2 bytes JMP 766d8713 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                          0000000076e71401 2 bytes JMP 7665b21b C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2956] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                            0000000076e71419 2 bytes JMP 7665b346 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                          0000000076e71431 2 bytes JMP 766d8fd1 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                          0000000076e7144a 2 bytes CALL 7663489d C:\Windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                             * 9
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2956] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                             0000000076e714dd 2 bytes JMP 766d88c4 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                      0000000076e714f5 2 bytes JMP 766d8aa0 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2956] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                             0000000076e7150d 2 bytes JMP 766d87ba C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                      0000000076e71525 2 bytes JMP 766d8b8a C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                            0000000076e7153d 2 bytes JMP 7664fca8 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2956] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                 0000000076e71555 2 bytes JMP 766568ef C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                          0000000076e7156d 2 bytes JMP 766d9089 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                            0000000076e71585 2 bytes JMP 766d8bea C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2956] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                               0000000076e7159d 2 bytes JMP 766d877e C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                            0000000076e715b5 2 bytes JMP 7664fd41 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                          0000000076e715cd 2 bytes JMP 7665b2dc C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                      0000000076e716b2 2 bytes JMP 766d8f4c C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2956] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                      0000000076e716bd 2 bytes JMP 766d8713 C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread   C:\Windows\system32\svchost.exe [144:1976]                                                                                                                                      000007fef8fa5fd0
Thread   C:\Windows\system32\svchost.exe [144:1968]                                                                                                                                      000007fef8f93438
Thread   C:\Windows\system32\svchost.exe [144:1960]                                                                                                                                      000007fef8fa63ec
Thread   C:\Windows\system32\svchost.exe [144:1964]                                                                                                                                      000007fef6f29e2c
Thread   C:\Windows\SysWOW64\explorer.exe [2780:2788]                                                                                                                                    00000000000a0000
Thread   C:\Windows\SysWOW64\explorer.exe [2780:2812]                                                                                                                                    00000000003d0000
Thread   C:\Windows\SysWOW64\explorer.exe [2780:2820]                                                                                                                                    0000000000640000
Thread   C:\Windows\SysWOW64\explorer.exe [2780:2828]                                                                                                                                    00000000009e0000
Thread   C:\Windows\SysWOW64\explorer.exe [2780:2836]                                                                                                                                    0000000000a50000
Thread   C:\Windows\SysWOW64\explorer.exe [2780:2844]                                                                                                                                    0000000000c40000
Thread   C:\Windows\SysWOW64\explorer.exe [2780:2852]                                                                                                                                    0000000000cf0000
Thread   C:\Windows\SysWOW64\explorer.exe [2780:2860]                                                                                                                                    0000000000de0000
Thread   C:\Windows\SysWOW64\explorer.exe [2780:2868]                                                                                                                                    00000000025e0000
Thread   C:\Windows\SysWOW64\explorer.exe [2780:2876]                                                                                                                                    0000000002650000
Thread   C:\Windows\SysWOW64\explorer.exe [2780:2884]                                                                                                                                    0000000002740000
Thread   C:\Windows\SysWOW64\explorer.exe [2780:2892]                                                                                                                                    00000000027f0000
Thread   C:\Windows\SysWOW64\explorer.exe [2780:2900]                                                                                                                                    00000000028a0000
Thread   C:\Windows\SysWOW64\explorer.exe [2780:2908]                                                                                                                                    00000000029d0000
Thread   C:\Windows\SysWOW64\explorer.exe [2780:2916]                                                                                                                                    0000000002a80000
Thread   C:\Windows\SysWOW64\explorer.exe [2780:2924]                                                                                                                                    0000000002bf0000
Thread   C:\Windows\SysWOW64\explorer.exe [2780:2932]                                                                                                                                    0000000002c90000

---- Processes - GMER 2.1 ----

Process  C:\Users\Admin\AppData\Roaming\Windows.exe (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Windows.exe [2376](2013-05-30 11:47:46)                                        0000000000400000
Library  C:\Users\Admin\AppData\Roaming\ntdtcstp.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Windows.exe [2376](2013-05-31 13:42:56)                                       0000000000290000
Library  C:\Users\Admin\AppData\Roaming\newnext.me\nengine.dll (*** suspicious ***) @ C:\Windows\SysWOW64\rundll32.exe [2384] (NewNext Helper Engine/NewNextDotMe)(2013-12-24 12:02:10)  0000000071aa0000
Process  C:\Users\Admin\AppData\Roaming\System32\svchost.exe (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\System32\svchost.exe [2556](2015-01-28 14:44:38)                      0000000000400000

---- EOF - GMER 2.1 ----
