GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-03 10:39:25 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 OCZ-VERT rev.1.5_ 119.24GB Running: g0zlyoxk.exe; Driver: C:\Users\MACIEJ~1\AppData\Local\Temp\pxtdquoc.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\windows\System32\win32k.sys!W32pServiceTable fffff960000e4400 7 bytes [00, 99, F3, FF, 41, AC, F0] .text C:\windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000e4408 3 bytes [00, 07, 02] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1468] C:\windows\system32\kernel32.dll!RegSetValueExW 0000000076d4a400 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1468] C:\windows\system32\kernel32.dll!RegQueryValueExW 0000000076d53f20 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1468] C:\windows\system32\kernel32.dll!RegDeleteValueW 0000000076d6ffb0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1468] C:\windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076d7f2e0 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1468] C:\windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076da9a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1468] C:\windows\system32\kernel32.dll!K32GetModuleInformation 0000000076db94c0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1468] C:\windows\system32\kernel32.dll!RegSetValueExA 0000000076dd87e0 7 bytes JMP 000000016fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1468] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd602db0 5 bytes JMP 000007fffd5f0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1468] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd6037d0 7 bytes JMP 000007fffd5f00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1468] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd608ef0 6 bytes JMP 000007fffd5f0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1468] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd61af60 5 bytes JMP 000007fffd5f0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1468] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefda589f0 8 bytes JMP 000007fffd5f01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1468] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefda5be50 8 bytes JMP 000007fffd5f01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1468] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefeaf7490 11 bytes JMP 000007fffd5f0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1468] C:\windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeb0bf00 7 bytes JMP 000007fffd5f0260 .text C:\Program Files\DellTPad\Apoint.exe[1488] C:\windows\system32\kernel32.dll!RegSetValueExW 0000000076d4a400 7 bytes JMP 000000016fff0228 .text C:\Program Files\DellTPad\Apoint.exe[1488] C:\windows\system32\kernel32.dll!RegQueryValueExW 0000000076d53f20 5 bytes JMP 000000016fff0180 .text C:\Program Files\DellTPad\Apoint.exe[1488] C:\windows\system32\kernel32.dll!RegDeleteValueW 0000000076d6ffb0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\DellTPad\Apoint.exe[1488] C:\windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076d7f2e0 5 bytes JMP 000000016fff0110 .text C:\Program Files\DellTPad\Apoint.exe[1488] C:\windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076da9a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\DellTPad\Apoint.exe[1488] C:\windows\system32\kernel32.dll!K32GetModuleInformation 0000000076db94c0 5 bytes JMP 000000016fff0148 .text C:\Program Files\DellTPad\Apoint.exe[1488] C:\windows\system32\kernel32.dll!RegSetValueExA 0000000076dd87e0 7 bytes JMP 000000016fff01f0 .text C:\Program Files\DellTPad\Apoint.exe[1488] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd602db0 5 bytes JMP 000007fffd5f0180 .text C:\Program Files\DellTPad\Apoint.exe[1488] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd6037d0 7 bytes JMP 000007fffd5f00d8 .text C:\Program Files\DellTPad\Apoint.exe[1488] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd608ef0 6 bytes JMP 000007fffd5f0148 .text C:\Program Files\DellTPad\Apoint.exe[1488] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd61af60 5 bytes JMP 000007fffd5f0110 .text C:\Program Files\DellTPad\Apoint.exe[1488] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefda589f0 8 bytes JMP 000007fffd5f01f0 .text C:\Program Files\DellTPad\Apoint.exe[1488] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefda5be50 8 bytes JMP 000007fffd5f01b8 .text C:\Program Files\DellTPad\Apoint.exe[1488] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefeaf7490 11 bytes JMP 000007fffd5f0228 .text C:\Program Files\DellTPad\Apoint.exe[1488] C:\windows\system32\ole32.dll!CoSetProxyBlanket 000007fefeb0bf00 7 bytes JMP 000007fffd5f0260 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2080] C:\windows\system32\kernel32.dll!RegSetValueExW 0000000076d4a400 7 bytes JMP 000000016fff0228 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2080] C:\windows\system32\kernel32.dll!RegQueryValueExW 0000000076d53f20 5 bytes JMP 000000016fff0180 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2080] C:\windows\system32\kernel32.dll!RegDeleteValueW 0000000076d6ffb0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2080] C:\windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076d7f2e0 5 bytes JMP 000000016fff0110 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2080] C:\windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076da9a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2080] C:\windows\system32\kernel32.dll!K32GetModuleInformation 0000000076db94c0 5 bytes JMP 000000016fff0148 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2080] C:\windows\system32\kernel32.dll!RegSetValueExA 0000000076dd87e0 7 bytes JMP 000000016fff01f0 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2080] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd602db0 5 bytes JMP 000007fffd5f0180 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2080] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd6037d0 7 bytes JMP 000007fffd5f00d8 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2080] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd608ef0 6 bytes JMP 000007fffd5f0148 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2080] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd61af60 5 bytes JMP 000007fffd5f0110 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2080] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefda589f0 8 bytes JMP 000007fffd5f01f0 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2080] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefda5be50 8 bytes JMP 000007fffd5f01b8 .text C:\Program Files\DellTPad\Apntex.exe[2140] C:\windows\system32\kernel32.dll!RegSetValueExW 0000000076d4a400 7 bytes JMP 000000016fff0228 .text C:\Program Files\DellTPad\Apntex.exe[2140] C:\windows\system32\kernel32.dll!RegQueryValueExW 0000000076d53f20 5 bytes JMP 000000016fff0180 .text C:\Program Files\DellTPad\Apntex.exe[2140] C:\windows\system32\kernel32.dll!RegDeleteValueW 0000000076d6ffb0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\DellTPad\Apntex.exe[2140] C:\windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076d7f2e0 5 bytes JMP 000000016fff0110 .text C:\Program Files\DellTPad\Apntex.exe[2140] C:\windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076da9a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\DellTPad\Apntex.exe[2140] C:\windows\system32\kernel32.dll!K32GetModuleInformation 0000000076db94c0 5 bytes JMP 000000016fff0148 .text C:\Program Files\DellTPad\Apntex.exe[2140] C:\windows\system32\kernel32.dll!RegSetValueExA 0000000076dd87e0 7 bytes JMP 000000016fff01f0 .text C:\Program Files\DellTPad\Apntex.exe[2140] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd602db0 5 bytes JMP 000007fffd5f0180 .text C:\Program Files\DellTPad\Apntex.exe[2140] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd6037d0 7 bytes JMP 000007fffd5f00d8 .text C:\Program Files\DellTPad\Apntex.exe[2140] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd608ef0 6 bytes JMP 000007fffd5f0148 .text C:\Program Files\DellTPad\Apntex.exe[2140] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd61af60 5 bytes JMP 000007fffd5f0110 .text C:\Program Files\DellTPad\Apntex.exe[2140] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefda589f0 8 bytes JMP 000007fffd5f01f0 .text C:\Program Files\DellTPad\Apntex.exe[2140] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefda5be50 8 bytes JMP 000007fffd5f01b8 .text C:\Program Files\DellTPad\HidFind.exe[2188] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd602db0 5 bytes JMP 000007fffd5f0180 .text C:\Program Files\DellTPad\HidFind.exe[2188] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd6037d0 7 bytes JMP 000007fffd5f00d8 .text C:\Program Files\DellTPad\HidFind.exe[2188] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd608ef0 6 bytes JMP 000007fffd5f0148 .text C:\Program Files\DellTPad\HidFind.exe[2188] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd61af60 5 bytes JMP 000007fffd5f0110 .text C:\Program Files\DellTPad\HidFind.exe[2188] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefda589f0 8 bytes JMP 000007fffd5f01f0 .text C:\Program Files\DellTPad\HidFind.exe[2188] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefda5be50 8 bytes JMP 000007fffd5f01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2580] C:\windows\system32\kernel32.dll!RegSetValueExW 0000000076d4a400 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2580] C:\windows\system32\kernel32.dll!RegQueryValueExW 0000000076d53f20 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2580] C:\windows\system32\kernel32.dll!RegDeleteValueW 0000000076d6ffb0 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2580] C:\windows\system32\kernel32.dll!K32GetMappedFileNameW 0000000076d7f2e0 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2580] C:\windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000076da9a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2580] C:\windows\system32\kernel32.dll!K32GetModuleInformation 0000000076db94c0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2580] C:\windows\system32\kernel32.dll!RegSetValueExA 0000000076dd87e0 7 bytes JMP 000000016fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2580] C:\windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd602db0 5 bytes JMP 000007fffd5f0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2580] C:\windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd6037d0 7 bytes JMP 000007fffd5f00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2580] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd608ef0 6 bytes JMP 000007fffd5f0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2580] C:\windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd61af60 5 bytes JMP 000007fffd5f0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2580] C:\windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefda589f0 8 bytes JMP 000007fffd5f01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2580] C:\windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefda5be50 8 bytes JMP 000007fffd5f01b8 .text H:\instalki\RATUNKOWE\g0zlyoxk.exe[3932] C:\windows\syswow64\kernel32.dll!RegQueryValueExW 00000000764c1f0e 7 bytes JMP 00000001731d4b10 .text H:\instalki\RATUNKOWE\g0zlyoxk.exe[3932] C:\windows\syswow64\kernel32.dll!RegSetValueExW 00000000764c5bad 7 bytes JMP 00000001731d54b0 .text H:\instalki\RATUNKOWE\g0zlyoxk.exe[3932] C:\windows\syswow64\kernel32.dll!RegSetValueExA 00000000764d1409 7 bytes JMP 00000001731d4e50 .text H:\instalki\RATUNKOWE\g0zlyoxk.exe[3932] C:\windows\syswow64\kernel32.dll!RegDeleteValueW 00000000764dea45 7 bytes JMP 00000001731d4b00 .text H:\instalki\RATUNKOWE\g0zlyoxk.exe[3932] C:\windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076568e24 7 bytes JMP 00000001731d45c0 .text H:\instalki\RATUNKOWE\g0zlyoxk.exe[3932] C:\windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076568ea9 5 bytes JMP 00000001731d4670 .text H:\instalki\RATUNKOWE\g0zlyoxk.exe[3932] C:\windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000765691ff 5 bytes JMP 00000001731d45d0 .text H:\instalki\RATUNKOWE\g0zlyoxk.exe[3932] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076641d29 5 bytes JMP 00000001731d4580 .text H:\instalki\RATUNKOWE\g0zlyoxk.exe[3932] C:\windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076641dd7 5 bytes JMP 00000001731d4540 .text H:\instalki\RATUNKOWE\g0zlyoxk.exe[3932] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076642ab1 5 bytes JMP 00000001731d4680 .text H:\instalki\RATUNKOWE\g0zlyoxk.exe[3932] C:\windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076642d17 5 bytes JMP 00000001731d4360 .text H:\instalki\RATUNKOWE\g0zlyoxk.exe[3932] C:\windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007559e96b 5 bytes JMP 00000001731d3b60 .text H:\instalki\RATUNKOWE\g0zlyoxk.exe[3932] C:\windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007559eba5 5 bytes JMP 00000001731d3b80 .text H:\instalki\RATUNKOWE\g0zlyoxk.exe[3932] C:\windows\syswow64\USER32.dll!CreateWindowExW 00000000762a8a29 5 bytes JMP 00000001731d3a40 .text H:\instalki\RATUNKOWE\g0zlyoxk.exe[3932] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesA 00000000762b4572 5 bytes JMP 00000001731d42e0 .text H:\instalki\RATUNKOWE\g0zlyoxk.exe[3932] C:\windows\syswow64\USER32.dll!EnumDisplayDevicesW 00000000762ce567 5 bytes JMP 00000001731d4350 .text H:\instalki\RATUNKOWE\g0zlyoxk.exe[3932] C:\windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000762f07d7 5 bytes JMP 00000001731d3850 .text H:\instalki\RATUNKOWE\g0zlyoxk.exe[3932] C:\windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076307a5c 5 bytes JMP 00000001731d42d0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015007f6c3b Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ac7289569b6c Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\bc7737048afc Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x27 0xE3 0x30 0x10 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015007f6c3b (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ac7289569b6c (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\bc7737048afc (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x27 0xE3 0x30 0x10 ... ---- EOF - GMER 2.1 ----