GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-06-08 18:26:58 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD10 rev.01.0 931,51GB Running: pyxuz3cm.exe; Driver: C:\Users\PASTWO~1\AppData\Local\Temp\kxldqpod.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031af000 65 bytes [00, 00, 15, 02, 46, 69, 6C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 594 fffff800031af042 4 bytes [00, 00, 00, 00] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[732] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Windows\system32\winlogon.exe[768] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Windows\system32\services.exe[828] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[156] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Windows\System32\svchost.exe[468] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Program Files\IDT\WDM\STacSV64.exe[1064] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Windows\system32\WLANExt.exe[1560] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1584] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1596] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\ProgramData\WPM\wprotectmanager.exe[1384] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\ProgramData\WPM\wprotectmanager.exe[1384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ad1465 2 bytes [AD, 75] .text C:\ProgramData\WPM\wprotectmanager.exe[1384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ad14bb 2 bytes [AD, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[2148] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files\DellTPad\Apoint.exe[2172] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Program Files\IDT\WDM\sttray64.exe[2188] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Program Files\Dell\QuickSet\quickset.exe[2256] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Program Files\DellTPad\ApMsgFwd.exe[2404] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2412] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe[2424] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Program Files\DellTPad\Apntex.exe[2648] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\WINDOWS\System32\rundll32.exe[2672] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Windows\system32\conhost.exe[2724] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe[2812] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1920] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1920] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000072881a22 2 bytes [88, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[1920] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000072881ad0 2 bytes [88, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[1920] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000072881b08 2 bytes [88, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[1920] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000072881bba 2 bytes [88, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[1920] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000072881bda 2 bytes [88, 72] .text c:\postgreSQL\bin\pg_ctl.exe[3176] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3240] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe[3372] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3420] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3532] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ad1465 2 bytes [AD, 75] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ad14bb 2 bytes [AD, 75] .text ... * 2 .text c:\postgreSQL\bin\postgres.exe[3544] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text c:\postgreSQL\bin\postgres.exe[3544] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ad1465 2 bytes [AD, 75] .text c:\postgreSQL\bin\postgres.exe[3544] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ad14bb 2 bytes [AD, 75] .text ... * 2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3664] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076498791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3664] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[3856] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[3856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ad1465 2 bytes [AD, 75] .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[3856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ad14bb 2 bytes [AD, 75] .text ... * 2 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3920] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text c:\postgreSQL\bin\postgres.exe[3368] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text c:\postgreSQL\bin\postgres.exe[3124] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text c:\postgreSQL\bin\postgres.exe[3136] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text c:\postgreSQL\bin\postgres.exe[3144] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[556] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ad1465 2 bytes [AD, 75] .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ad14bb 2 bytes [AD, 75] .text ... * 2 .text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[2396] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[2900] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[2900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ad1465 2 bytes [AD, 75] .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[2900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ad14bb 2 bytes [AD, 75] .text ... * 2 .text C:\Program Files (x86)\webget\bin\utilwebget.exe[4484] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\webget\bin\utilwebget.exe[4484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ad1465 2 bytes [AD, 75] .text C:\Program Files (x86)\webget\bin\utilwebget.exe[4484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ad14bb 2 bytes [AD, 75] .text ... * 2 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[4880] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe[4948] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[4316] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[5164] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[5676] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[6028] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[6028] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ad1465 2 bytes [AD, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[6028] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ad14bb 2 bytes [AD, 75] .text ... * 2 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5428] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ad1465 2 bytes [AD, 75] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ad14bb 2 bytes [AD, 75] .text ... * 2 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[6552] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\webget\bin\webget.BrowserAdapter.exe[6932] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\webget\bin\webget.BrowserAdapter.exe[6932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ad1465 2 bytes [AD, 75] .text C:\Program Files (x86)\webget\bin\webget.BrowserAdapter.exe[6932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ad14bb 2 bytes [AD, 75] .text ... * 2 .text C:\Program Files (x86)\webget\updatewebget.exe[7252] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\webget\updatewebget.exe[7252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ad1465 2 bytes [AD, 75] .text C:\Program Files (x86)\webget\updatewebget.exe[7252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ad14bb 2 bytes [AD, 75] .text ... * 2 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[8128] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6004] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[5936] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4048] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ad1465 2 bytes [AD, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ad14bb 2 bytes [AD, 75] .text ... * 2 .text C:\Program Files (x86)\Nero\Update\NASvc.exe[6532] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[1620] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[7420] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1892] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007796ef8d 1 byte [62] .text C:\Users\Państwo Hrabia\Desktop\pyxuz3cm.exe[7664] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764ba2fd 1 byte [62] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa8006cc02c0 Device \FileSystem\fastfat \Fat fffffa800a73a2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{025165E6-E231-4F4D-9A59-801D071BF6A0} fffffa800a1772c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa800a4612c0 Device \Driver\cdrom \Device\CdRom0 fffffa800a08c2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{C4AB3481-FD70-435C-A10F-FDB085E1738A} fffffa800a1772c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{9ED877DF-E5B8-4D06-8D15-C9AC192D9AFA} fffffa800a1772c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa800a4612c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{6E480EEB-2730-4F71-A789-00370C8F2DA6} fffffa800a1772c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa800a4612c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800a1772c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{4B10ECC7-884D-470E-A3A9-EAA2CE444675} fffffa800a1772c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa800a4612c0 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [5540:7320] 000007feed549688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\685d435f5324 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\685d435f5324@e84e84b34d70 0xE4 0xF3 0x38 0x23 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\685d435f5324 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\685d435f5324@e84e84b34d70 0xE4 0xF3 0x38 0x23 ... ---- EOF - GMER 2.1 ----