GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-01 20:37:12 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST320LM001_HN-M320MBB rev.2AR10001 298,09GB Running: phyr0i1t.exe; Driver: C:\Users\Maciej\AppData\Local\Temp\kwrdrpog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002ff5000 40 bytes [00, 00, 0E, 02, 53, 41, 53, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 569 fffff80002ff5029 95 bytes [97, AC, 07, A0, F8, FF, FF, ...] ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076f31401 2 bytes JMP 7656b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2012] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076f31419 2 bytes JMP 7656b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076f31431 2 bytes JMP 765e8ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076f3144a 2 bytes CALL 765448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2012] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076f314dd 2 bytes JMP 765e87a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076f314f5 2 bytes JMP 765e8978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076f3150d 2 bytes JMP 765e8698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076f31525 2 bytes JMP 765e8a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076f3153d 2 bytes JMP 7655fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2012] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076f31555 2 bytes JMP 765668ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076f3156d 2 bytes JMP 765e8f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076f31585 2 bytes JMP 765e8ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076f3159d 2 bytes JMP 765e865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076f315b5 2 bytes JMP 7655fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076f315cd 2 bytes JMP 7656b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076f316b2 2 bytes JMP 765e8e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076f316bd 2 bytes JMP 765e85f1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007762fc80 5 bytes JMP 00000001002a012a .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007762fcb0 5 bytes JMP 00000001002a0bc2 .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007762fe14 5 bytes JMP 00000001002a0048 .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007762fea8 5 bytes JMP 00000001002a0594 .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007762ff24 5 bytes JMP 00000001002a0e68 .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077630004 5 bytes JMP 00000001002a0758 .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077630038 5 bytes JMP 00000001002a0ca4 .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077630068 5 bytes JMP 00000001002a0d86 .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077630084 5 bytes JMP 0000000100020050 .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtAlertResumeThread 00000000776302e8 5 bytes JMP 00000001002a020c .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007763079c 5 bytes JMP 00000001002a03d0 .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007763088c 5 bytes JMP 00000001002a09fe .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000776308a4 2 bytes JMP 00000001002a091c .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 3 00000000776308a7 2 bytes [C7, 88] .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077630df4 5 bytes JMP 00000001002a0676 .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx 00000000776315d4 5 bytes JMP 00000001002a02ee .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077631920 5 bytes JMP 00000001002a083a .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077631be4 5 bytes JMP 00000001002a0ae0 .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077631d70 5 bytes JMP 00000001002a04b2 .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007650524f 7 bytes JMP 00000001002b02f4 .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000765053d0 7 bytes JMP 00000001002b05a0 .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000076505677 7 bytes JMP 00000001002b03d8 .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007650589a 7 bytes JMP 00000001002b0048 .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000076505a1d 7 bytes JMP 00000001002b0768 .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000076505c9b 7 bytes JMP 00000001002b04bc .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000076505d87 7 bytes JMP 00000001002b0684 .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000076507240 7 bytes JMP 00000001002b0210 .text C:\Users\Maciej\Downloads\phyr0i1t.exe[2068] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000766b1492 7 bytes JMP 00000001002b084c ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00116779452b Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00116779452b (not active ControlSet) ---- Files - GMER 2.1 ---- File C:\Users\Maciej\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.pl_0.indexeddb.leveldb\000762.log 0 bytes File C:\Users\Maciej\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.pl_0.indexeddb.leveldb\MANIFEST-000761 221 bytes ---- EOF - GMER 2.1 ----