GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-11-20 23:53:27
Windows 6.0.6002 Service Pack 2 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD502HJ rev.1AJ10001 465,76GB
Running: sd9oweil.exe; Driver: C:\Users\MARCINO\AppData\Local\Temp\pxtiifog.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
.text  C:\Windows\System32\win32k.sys!W32pServiceTable  fffff9600017de00 3 bytes [C0, 83, 02]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 4  fffff9600017de04 3 bytes [01, C3, FA]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\InstallShield Installation Information\{3A94E148-9C8B-4FE9-99DD-93072F99BE20}\AMBSPISyncService.exe[2992]  C:\Users\MARCINO\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0006\~df394b.tmp!?CreateDifferenceFile@CC2CDifferenceFile@@UAEGPAD00@Z  00000000667236bd 5 bytes JMP 00000001026c00b0
.text  C:\Program Files (x86)\InstallShield Installation Information\{3A94E148-9C8B-4FE9-99DD-93072F99BE20}\AMBSPISyncService.exe[2992]  C:\Users\MARCINO\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0006\~df394b.tmp!?RestoreOriginalFile@CC2CDifferenceFile@@UAEGPAD00@Z  0000000066723e40 5 bytes JMP 00000001026c0150
.text  C:\Program Files (x86)\InstallShield Installation Information\{3A94E148-9C8B-4FE9-99DD-93072F99BE20}\AMBSPISyncService.exe[2992]  C:\Users\MARCINO\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0006\~df394b.tmp!?MakeAsciiDifferenceFile@CC2CDifferenceFile@@UAEGPAD0@Z  00000000667243c1 5 bytes JMP 00000001026c0100
.text  C:\Program Files (x86)\InstallShield Installation Information\{3A94E148-9C8B-4FE9-99DD-93072F99BE20}\AMBSPISyncService.exe[2992]  C:\Users\MARCINO\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0006\~df394b.tmp!?LoadJumpDbFromBuffer@CJumpRun@@UAEGKPAE@Z  000000006672a952 5 bytes JMP 00000001026c03c0
.text  C:\Program Files (x86)\InstallShield Installation Information\{3A94E148-9C8B-4FE9-99DD-93072F99BE20}\AMBSPISyncService.exe[2992]  C:\Users\MARCINO\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0006\~df394b.tmp!?LoadJumpDbFromBuffer@CJumpRun@@UAEGKPAE@Z + 126  000000006672a9d0 13 bytes [2A, 9D, FF, 95, 2E, C4, 1E, ...]
.text  C:\Program Files (x86)\InstallShield Installation Information\{3A94E148-9C8B-4FE9-99DD-93072F99BE20}\AMBSPISyncService.exe[2992]  C:\Users\MARCINO\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0006\~df394b.tmp!?GetKeyData@CKeyBasic@@UAEGPAE@Z  000000006672e35f 5 bytes JMP 00000001026c0630
.text  C:\Program Files (x86)\InstallShield Installation Information\{3A94E148-9C8B-4FE9-99DD-93072F99BE20}\AMBSPISyncService.exe[2992]  C:\Users\MARCINO\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0006\~df394b.tmp!?PerformTransform@CTransformXor@@UAEGVCDataArea@@0@Z  000000006672ea2f 5 bytes JMP 00000001026bf970
.text  C:\Program Files (x86)\InstallShield Installation Information\{3A94E148-9C8B-4FE9-99DD-93072F99BE20}\AMBSPISyncService.exe[2992]  C:\Users\MARCINO\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0006\~df394b.tmp!?PerformTransform@CTransformXor@@UAEGVCDataArea@@0@Z + 768  000000006672ed2f 15 bytes [90, 6A, 23, E7, 76, 50, 88, ...]
.text  C:\Program Files (x86)\InstallShield Installation Information\{3A94E148-9C8B-4FE9-99DD-93072F99BE20}\AMBSPISyncService.exe[2992]  C:\Users\MARCINO\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0006\~df394b.tmp!?PerformTransform@CTransformRandomAccumulate@@UAEGVCDataArea@@0@Z  000000006672ee42 5 bytes JMP 00000001026bf700
.text  C:\Program Files (x86)\InstallShield Installation Information\{3A94E148-9C8B-4FE9-99DD-93072F99BE20}\AMBSPISyncService.exe[2992]  C:\Users\MARCINO\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0006\~df394b.tmp!?PerformTransform@CTransformRandomAccumulate@@UAEGVCDataArea@@0@Z + 850  000000006672f194 5 bytes JMP 00000001026ba050
.text  C:\Program Files (x86)\InstallShield Installation Information\{3A94E148-9C8B-4FE9-99DD-93072F99BE20}\AMBSPISyncService.exe[2992]  C:\Users\MARCINO\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0006\~df394b.tmp!?LoadModuleDetails@CModuleMonitor@@QAEGPAD@Z  0000000066733ce7 5 bytes JMP 00000001026bf220
.text  C:\Program Files (x86)\InstallShield Installation Information\{3A94E148-9C8B-4FE9-99DD-93072F99BE20}\AMBSPISyncService.exe[2992]  C:\Users\MARCINO\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0006\~df394b.tmp!?ScanModule@CModuleMonitor@@QAEGKG@Z  00000000667342f0 5 bytes JMP 00000001026bf490
.text  C:\Program Files (x86)\InstallShield Installation Information\{3A94E148-9C8B-4FE9-99DD-93072F99BE20}\AMBSPISyncService.exe[2992]  C:\Users\MARCINO\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0006\~df394b.tmp!?IsModuleChecksumOkay@CModuleMonitor@@QAEGXZ  0000000066734a23 5 bytes JMP 00000001026c0b10
.text  C:\Program Files (x86)\InstallShield Installation Information\{3A94E148-9C8B-4FE9-99DD-93072F99BE20}\AMBSPISyncService.exe[2992]  C:\Users\MARCINO\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0006\~df394b.tmp!?IsModuleWithinLimits@CModuleMonitor@@QAEGKKK@Z  0000000066734a59 5 bytes JMP 00000001026c0da0
.text  C:\Program Files (x86)\InstallShield Installation Information\{3A94E148-9C8B-4FE9-99DD-93072F99BE20}\AMBSPISyncService.exe[2992]  C:\Users\MARCINO\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0006\~df394b.tmp!?SetupInterruptHandler@CAltAsc@@QAEGPAX00PAK1@Z  00000000667590d5 5 bytes JMP 00000001026c0010
.text  C:\Program Files (x86)\InstallShield Installation Information\{3A94E148-9C8B-4FE9-99DD-93072F99BE20}\AMBSPISyncService.exe[2992]  C:\Users\MARCINO\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0006\~df394b.tmp!?RestoreInterruptHandler@CAltAsc@@QAEGXZ  0000000066759569 5 bytes JMP 00000001026c1300

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification

---- EOF - GMER 2.1 ----