GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-19 18:55:58
Windows 6.1.7601 Service Pack 1 x64
\Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-1 ST500DM002-1BD142 rev.KC48 465,76GB
Running: pkzgf9lm.exe; Driver: C:\Users\Slajder\AppData\Local\Temp\kwldraoc.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528  fffff800039f2000  45 bytes  [4D, 6D, 53, 74, 01, 00, 00, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575  fffff800039f202f  16 bytes  [00, 00, 00, 00, 00, 00, 00, ...]
.text     C:\Windows\System32\win32k.sys!W32pServiceTable  fffff96000124200  7 bytes  [40, A3, F3, FF, 01, B5, F0]
.text     C:\Windows\System32\win32k.sys!W32pServiceTable + 8  fffff96000124208  3 bytes  [C0, 06, 02]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2556]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  0000000077b7fe14  5 bytes  JMP 0000000171f21000
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2556]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000075ba1465  2 bytes  [BA, 75]
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2556]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075ba14bb  2 bytes  [BA, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2620]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  0000000077b7fe14  5 bytes  JMP 0000000171f21000
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2712]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  0000000077b7fe14  5 bytes  JMP 0000000171f21000
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2712]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000075ba1465  2 bytes  [BA, 75]
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2712]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075ba14bb  2 bytes  [BA, 75]
.text  ...  * 2
?      C:\Windows\system32\mssprxy.dll [2712] entry point in ".rdata" section  00000000751a71e6
.text  C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2824]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  00000000779d1650  5 bytes  JMP 0000000077b30018
.text  C:\Users\Slajder\AppData\Roaming\eRclient\eRclient.exe[1220]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  0000000077b7fe14  5 bytes  JMP 0000000171f21000
.text  C:\Program Files (x86)\Canon\ImageBrowser EX\MFManager.exe[1392]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  0000000077b7fe14  5 bytes  JMP 0000000171f21000
.text  C:\Program Files (x86)\Canon\ImageBrowser EX\MFManager.exe[1392]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000075ba1465  2 bytes  [BA, 75]
.text  C:\Program Files (x86)\Canon\ImageBrowser EX\MFManager.exe[1392]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075ba14bb  2 bytes  [BA, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3456]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  0000000077b7fe14  5 bytes  JMP 0000000171f21000
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3272]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  0000000077b7fe14  5 bytes  JMP 0000000171f21000
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3272]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000075ba1465  2 bytes  [BA, 75]
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3272]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075ba14bb  2 bytes  [BA, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3324]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  00000000779d1650  5 bytes  JMP 0000000077b30018
.text  C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[3336]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  00000000779d1650  5 bytes  JMP 0000000077b30018
.text  C:\Windows\system32\SearchIndexer.exe[4784]  C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  00000000779d1650  5 bytes  JMP 0000000077b30018
.text  C:\Program Files (x86)\Java\jre1.8.0_31\bin\javaw.exe[6768]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  0000000077b7fe14  5 bytes  JMP 0000000171f21000
.text  C:\Program Files (x86)\Java\jre1.8.0_31\bin\javaw.exe[6768]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000075ba1465  2 bytes  [BA, 75]
.text  C:\Program Files (x86)\Java\jre1.8.0_31\bin\javaw.exe[6768]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075ba14bb  2 bytes  [BA, 75]
.text  ...  * 2
.text  C:\Users\Slajder\Downloads\pkzgf9lm.exe[5088]  C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  0000000077b7fe14  5 bytes  JMP 0000000171f21000

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\system32\svchost.exe[1340] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress]  [7fefa2a2840] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\svchost.exe[1340] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!ReadFile]  [7fefa2a2720] c:\windows\system32\uxtuneup.dll

---- Devices - GMER 2.1 ----

Device  \FileSystem\MBAMWebAccessControl  \Device\StreamEitor  fffff880083c95ac
Device  \FileSystem\MBAMSwissArmy  \Device\MBAMSwissArmy  fffff880083bd104

---- Processes - GMER 2.1 ----

Library  C:\Users\Slajder\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2236] (GG drive menu/GG Network S.A.)  000000005ff80000
Process  C:\Users\Slajder\AppData\Roaming\eRclient\eRclient.exe (*** suspicious ***) @ C:\Users\Slajder\AppData\Roaming\eRclient\eRclient.exe [1220] (eRmail Client Application/eRmail Company, s. r. o.)(2014-01-07 12:33:33)  0000000000400000
Library  C:\Users\Slajder\AppData\Roaming\eRclient\ssleay32.dll (*** suspicious ***) @ C:\Users\Slajder\AppData\Roaming\eRclient\eRclient.exe [1220] (OpenSSL Shared Library/The OpenSSL Project, http://www.openssl.org/)(2014-01-07 12:33:33)  0000000010000000
Library  C:\Users\Slajder\AppData\Roaming\eRclient\LIBEAY32.dll (*** suspicious ***) @ C:\Users\Slajder\AppData\Roaming\eRclient\eRclient.exe [1220] (OpenSSL Shared Library/The OpenSSL Project, http://www.openssl.org/)(2014-01-07 12:33:33)  0000000001f60000
Library  C:\Users\Slajder\AppData\Roaming\eRclient\MSVCR71.dll (*** suspicious ***) @ C:\Users\Slajder\AppData\Roaming\eRclient\eRclient.exe [1220] (Microsoft® C Runtime Library/Microsoft Corporation)(2014-01-07 12:33:33)  000000007c340000

---- EOF - GMER 2.1 ----
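Triage helper for a log like this one. It is an added example, not GMER's own code and not part of the original post: it parses the "User code sections" hook lines, groups every hooked export by its JMP destination, and lists the entries GMER tagged "*** suspicious ***". The embedded sample is a constructed subset of the lines from the log above; the heuristic (a JMP target shared by many unrelated processes is consistent with one system-wide hooking component, while a target seen in a single process is what to inspect first) is the editor's, and the log itself does not say which module owns 0000000171f21000 (WOW64) or 0000000077b30018 (native x64); resolving those addresses in the affected processes is the next step, not something this script does.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the GMER log above, one per line.
# Real GMER output is tab-separated; the regexes accept tabs or spaces.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 2.1 ----
.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000124200 7 bytes [40, A3, F3, FF, 01, B5, F0]
---- User code sections - GMER 2.1 ----
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077b7fe14 5 bytes JMP 0000000171f21000
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2556] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ba1465 2 bytes [BA, 75]
.text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d1650 5 bytes JMP 0000000077b30018
.text C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe[3324] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d1650 5 bytes JMP 0000000077b30018
.text C:\Windows\system32\SearchIndexer.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779d1650 5 bytes JMP 0000000077b30018
.text C:\Users\Slajder\AppData\Roaming\eRclient\eRclient.exe[1220] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077b7fe14 5 bytes JMP 0000000171f21000
.text C:\Users\Slajder\Downloads\pkzgf9lm.exe[5088] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077b7fe14 5 bytes JMP 0000000171f21000
---- Processes - GMER 2.1 ----
Library C:\Users\Slajder\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2236] (GG drive menu/GG Network S.A.) 000000005ff80000
Process C:\Users\Slajder\AppData\Roaming\eRclient\eRclient.exe (*** suspicious ***) @ C:\Users\Slajder\AppData\Roaming\eRclient\eRclient.exe [1220] (eRmail Client Application/eRmail Company, s. r. o.)(2014-01-07 12:33:33) 0000000000400000
"""

# User-mode inline hook: ".text <process>[<pid>] <module>!<func>[ + off] <addr> <n> bytes <patch>"
# Kernel entries have no "[pid]" after the image path, so they do not match here.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+\.(?:dll|DLL|sys))!(?P<func>\S+(?:\s\+\s\d+)?)\s+"
    r"(?P<addr>[0-9a-fA-F]+)\s+(?P<n>\d+)\s+bytes\s+(?P<patch>.+)$"
)
# "Library|Process <path> (*** suspicious ***) @ <host> [<pid>] (<description>)"
SUSP_RE = re.compile(
    r"^(?P<kind>Library|Process)\s+(?P<path>.+?)\s+\(\*\*\* suspicious \*\*\*\)\s+@\s+"
    r"(?P<host>.+?)\s+\[(?P<hostpid>\d+)\]\s+\((?P<desc>[^)]*)\)"
)


def parse_user_hooks(text):
    """One dict per user-mode hook line; 'target' is the JMP destination, or None for byte patches."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        jmp = re.match(r"JMP\s+([0-9a-fA-F]+)$", m.group("patch"))
        hooks.append({
            "process": m.group("proc"),
            "pid": int(m.group("pid")),
            "module": m.group("module").rsplit("\\", 1)[-1],
            "wow64": "syswow64" in m.group("module").lower(),  # 32-bit process on x64
            "func": m.group("func"),
            "addr": int(m.group("addr"), 16),
            "target": int(jmp.group(1), 16) if jmp else None,
        })
    return hooks


def hook_report(hooks):
    """Group JMP hooks as {(module, func): {target_hex: [pids]}}."""
    groups = defaultdict(lambda: defaultdict(set))
    for h in hooks:
        if h["target"] is not None:
            groups[(h["module"], h["func"])]["%x" % h["target"]].add(h["pid"])
    return {k: {t: sorted(p) for t, p in v.items()} for k, v in groups.items()}


def single_process_targets(report):
    """JMP targets reached from exactly one process: candidates for per-process injection."""
    return [(k, t, pids[0]) for k, v in report.items() for t, pids in v.items() if len(pids) == 1]


def parse_suspicious(text):
    """(kind, path, host process, description) for every entry GMER flagged as suspicious."""
    found = []
    for line in text.splitlines():
        m = SUSP_RE.match(line.strip())
        if m:
            found.append((m.group("kind"), m.group("path"), m.group("host"), m.group("desc")))
    return found


if __name__ == "__main__":
    rep = hook_report(parse_user_hooks(SAMPLE_LOG))
    for (mod, func), targets in rep.items():
        for tgt, pids in targets.items():
            print(f"{mod}!{func} -> JMP {tgt}: pids {pids}")
    print("single-process targets:", single_process_targets(rep))
    for kind, path, host, desc in parse_suspicious(SAMPLE_LOG):
        print(f"{kind} {path} loaded in {host} ({desc})")
```

Run it against a full log by reading the file into `parse_user_hooks` and `parse_suspicious` instead of `SAMPLE_LOG`. Two JMP targets for one export is expected on an x64 box with WOW64 processes (the 32-bit and 64-bit ntdll.dll are different images); what matters is whether the set of processes behind each target looks like "everything" or like one odd process.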