GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-10-28 21:20:31
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003b ST320LT020-9YG142 rev.0002HPM1 298,09GB
Running: 4hg8ejqe.exe; Driver: C:\Users\grzegorz\AppData\Local\Temp\pxloipow.sys

---- User code sections - GMER 2.1 ----

? C:\Windows\SYSTEM32\BsHelpCSps.dll [1988] entry point in ".data" section 0000000010005055
.text C:\Program Files (x86)\AVG PC TuneUp 2014\TuneUpUtilitiesService64.exe[2540] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fcd10e177a 4 bytes [0E, D1, FC, 07]
.text C:\Program Files (x86)\AVG PC TuneUp 2014\TuneUpUtilitiesService64.exe[2540] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fcd10e1782 4 bytes [0E, D1, FC, 07]
.text C:\Program Files (x86)\AVG PC TuneUp 2014\TuneUpUtilitiesApp64.exe[3108] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fcd10e177a 4 bytes [0E, D1, FC, 07]
.text C:\Program Files (x86)\AVG PC TuneUp 2014\TuneUpUtilitiesApp64.exe[3108] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fcd10e1782 4 bytes [0E, D1, FC, 07]
.text C:\Windows\System32\igfxpers.exe[3408] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fcd10e177a 4 bytes [0E, D1, FC, 07]
.text C:\Windows\System32\igfxpers.exe[3408] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fcd10e1782 4 bytes [0E, D1, FC, 07]
? C:\Windows\SYSTEM32\BsHelpCSps.dll [3812] entry point in ".data" section 0000000003eb5055
? C:\Windows\SYSTEM32\BlueSoleilCSps.dll [3812] entry point in ".rdata" section 0000000003ee4085
.text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[3796] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fcc1e91532 4 bytes JMP 000007fcc1f111f8
.text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[3796] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fcc1e9153a 4 bytes JMP 000007fcc1f11200
.text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[3796] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fcc1e9165a 4 bytes JMP 000007fcc1f11320
.text \\?\C:\Windows\system32\wbem\WMIADAP.EXE[4552] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fcd10e177a 4 bytes [0E, D1, FC, 07]
.text \\?\C:\Windows\system32\wbem\WMIADAP.EXE[4552] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fcd10e1782 4 bytes [0E, D1, FC, 07]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!_amsg_exit] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!_initterm] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!_XcptFilter] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!??2@YAPEAX_K@Z] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!wcscpy_s] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!_lock] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!memset] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!??1type_info@@UEAA@XZ] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!??3@YAXPEAX@Z] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!realloc] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!_errno] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!_onexit] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!__dllonexit] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!wcscat_s] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!memcpy_s] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!_purecall] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!??_V@YAXPEAX@Z] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!malloc] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!free] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!??_U@YAPEAX_K@Z] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!wcsncpy_s] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!_unlock] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!_CxxThrowException] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[msvcrt.dll!__CxxFrameHandler3] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[KERNEL32.dll!lstrcmpiW] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\ndiscapCfg.dll[USER32.dll!UnregisterClassA] [0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[msvcrt.dll!__CxxFrameHandler3] [fc73b4940468d49]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[msvcrt.dll!memcpy] [287d8bffffff3186]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[msvcrt.dll!malloc] [4cfd03482c7d8b44]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[msvcrt.dll!free] [3b4940478d48fd03]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[msvcrt.dll!realloc] [48000000a2870fc7]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[msvcrt.dll!??0exception@@QEAA@AEBQEBDH@Z] [bd0001001a1d8d]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[msvcrt.dll!??0exception@@QEAA@AEBV0@@Z] [8b49d78b488004d0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[msvcrt.dll!??1exception@@UEAA@XZ] [8b4c000036bae8cd]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[msvcrt.dll!?what@exception@@UEBAPEBDXZ] [8b485774c08548f0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[msvcrt.dll!_callnewh] [cb3b480000fffb0d]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[msvcrt.dll!_CxxThrowException] [2672051979802c74]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[msvcrt.dll!_XcptFilter] [478a2074041c41f6]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[msvcrt.dll!_amsg_exit] [498b48184e8b4d3c]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[msvcrt.dll!_initterm] [ffff9bf8058d4c10]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[msvcrt.dll!_lock] [8b41ffffed8ae820]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[msvcrt.dll!_unlock] [44067401e0834446]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[msvcrt.dll!__dllonexit] [74c08510743c6738]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[msvcrt.dll!_onexit] [4508743c6738440e]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[msvcrt.dll!??1type_info@@UEAA@XZ] [44f58b02eb446689]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[msvcrt.dll!_purecall] [10478b1374106739]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[msvcrt.dll!memset] [4940478d48f80348]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[ADVAPI32.dll!RegQueryValueExW] [8d4c2124548d4110]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[ADVAPI32.dll!RegQueryInfoKeyW] [db42e8ffff9dd305]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[ADVAPI32.dll!RegDeleteValueW] [be41585d8b49ffff]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[ADVAPI32.dll!RegDeleteKeyW] [249c89488004d000]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[ADVAPI32.dll!RegCloseKey] [605d3b4900000080]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[ADVAPI32.dll!RegCreateKeyExW] [8b4800000250840f]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[ADVAPI32.dll!RegOpenKeyExW] [a4a139440b]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[ADVAPI32.dll!RegSetValueExW] [8d4c00000224840f]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[ADVAPI32.dll!RegEnumKeyExW] [7824548d48702444]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!Sleep] [850fc085f08b7824]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!RtlCaptureContext] [246538440000021c]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!RtlLookupFunctionEntry] [8b48000002c0840f]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!RtlVirtualUnwind] [cf3b48000101530d]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!UnhandledExceptionFilter] [2a72051979803074]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [8b4c2474041c41f6]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!TerminateProcess] [23508d10498b480b]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!QueryPerformanceCounter] [4c00000080898b4d]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!GetCurrentProcessId] [dde8ffff9d4a058d]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [11e0d8b48ffffda]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!GetTickCount] [8b442c758b440001]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!DisableThreadLibraryCalls] [34cf5034c70247c]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!lstrcmpiW] [4a3b4c0e8b4d108b]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!lstrcpynW] [4c084e8b4d0f7508]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!LoadLibraryExW] [4908c083480a74d2]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!GetLastError] [423b49d27538423b]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!FindResourceW] [3eb388b48057438]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!LoadResource] [840fff8548fc8b49]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!SizeofResource] [b5058d48000001d9]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!FreeLibrary] [3474c83b48000100]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!MultiByteToWideChar] [41f62e7205197980]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!GetCurrentThreadId] [38468a412874041c]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!GetModuleFileNameW] [10498b48184f8b4c]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!GetModuleHandleW] [baffff9cb1058d4c]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!GetProcAddress] [2024448800000024]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!LoadLibraryW] [d8b48ffffee43e8]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!GetCurrentProcess] [8344478b0001007c]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[KERNEL32.dll!HeapDestroy] [386638450a7401e0]
IAT C:\Windows\system32\svchost.exe[936] @ C:\Windows\System32\brdgcfg.dll[USER32.dll!CharNextW] [7410663945000100]

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\csrss.exe [588:612] fffff960008aa5e8
Thread C:\Windows\SYSTEM32\ntdll.dll [4056:4060] 000000000040ee72
Thread C:\Windows\SYSTEM32\ntdll.dll [4056:1592] 0000000000402ff0
Thread C:\Windows\SYSTEM32\ntdll.dll [4056:1384] 00000000703397fe
Thread C:\Windows\SYSTEM32\ntdll.dll [4056:1204] 000000000040c3b0
Thread C:\Windows\SYSTEM32\ntdll.dll [2248:3056] 0000000001131c24

---- Processes - GMER 2.1 ----

Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1812] (GG drive overlay/GG Network S.A.)(2013-02-09 19:36:33) 000000005c080000
Library C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\BASHDefs\20131002.001\UMEngx86.dll (*** suspicious ***) @ C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe [1988] (FILE NOT FOUND) 0000000074d30000
Library C:\Users\grzegorz\AppData\Roaming\newnext.me\nengine.dll (*** suspicious ***) @ C:\Windows\SysWOW64\rundll32.exe [3668] (NewNext Helper Engine/NewNextDotMe)(2014-01-15 18:46:15) 00000000704a0000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----