GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-04-13 19:56:22
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 PLEXTOR_PX-128M5S rev.1.05 119,24GB
Running: gmer.exe; Driver: C:\Users\Krzycho\AppData\Local\Temp\pwliafob.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076b11401 2 bytes JMP 7706b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe[1468] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076b11419 2 bytes JMP 7706b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076b11431 2 bytes JMP 770e8ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076b1144a 2 bytes CALL 770448ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe[1468] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076b114dd 2 bytes JMP 770e87a2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076b114f5 2 bytes JMP 770e8978 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe[1468] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076b1150d 2 bytes JMP 770e8698 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076b11525 2 bytes JMP 770e8a62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076b1153d 2 bytes JMP 7705fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe[1468] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076b11555 2 bytes JMP 770668ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076b1156d 2 bytes JMP 770e8f61 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076b11585 2 bytes JMP 770e8ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe[1468] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076b1159d 2 bytes JMP 770e865c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076b115b5 2 bytes JMP 7705fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076b115cd 2 bytes JMP 7706b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076b116b2 2 bytes JMP 770e8e24 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076b116bd 2 bytes JMP 770e85f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\Live Update.exe[2380] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076b11401 2 bytes JMP 7706b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\Live Update.exe[2380] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076b11419 2 bytes JMP 7706b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\Live Update.exe[2380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076b11431 2 bytes JMP 770e8ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\Live Update.exe[2380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076b1144a 2 bytes CALL 770448ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\MSI\Live Update\Live Update.exe[2380] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076b114dd 2 bytes JMP 770e87a2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\Live Update.exe[2380] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076b114f5 2 bytes JMP 770e8978 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\Live Update.exe[2380] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076b1150d 2 bytes JMP 770e8698 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\Live Update.exe[2380] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076b11525 2 bytes JMP 770e8a62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\Live Update.exe[2380] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076b1153d 2 bytes JMP 7705fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\Live Update.exe[2380] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076b11555 2 bytes JMP 770668ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\Live Update.exe[2380] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076b1156d 2 bytes JMP 770e8f61 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\Live Update.exe[2380] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076b11585 2 bytes JMP 770e8ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\Live Update.exe[2380] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076b1159d 2 bytes JMP 770e865c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\Live Update.exe[2380] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076b115b5 2 bytes JMP 7705fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\Live Update.exe[2380] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076b115cd 2 bytes JMP 7706b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\Live Update.exe[2380] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076b116b2 2 bytes JMP 770e8e24 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MSI\Live Update\Live Update.exe[2380] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076b116bd 2 bytes JMP 770e85f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Microsoft Office\Office14\WINWORD.EXE[2852] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter + 1 00000000777c9041 11 bytes {MOV EAX, 0xffffffffdccf52bc; INC BYTE [RDI]; ADD [RAX], AL; JMP RAX}
.text C:\Program Files\Microsoft Office\Office14\WINWORD.EXE[2852] C:\Windows\system32\ole32.dll!OleLoadFromStream 000007feff4075f0 5 bytes JMP 000007ffff2a00d8
.text C:\Program Files\Microsoft Office\Office14\WINWORD.EXE[2852] C:\Windows\system32\OLEAUT32.dll!VariantClear 000007fefdee1180 5 bytes JMP 000007feff2a01b8
.text C:\Program Files\Microsoft Office\Office14\WINWORD.EXE[2852] C:\Windows\system32\OLEAUT32.dll!SysFreeString 000007fefdee1320 7 bytes JMP 000007feff2a0148
.text C:\Program Files\Microsoft Office\Office14\WINWORD.EXE[2852] C:\Windows\system32\OLEAUT32.dll!SysAllocStringByteLen 000007fefdee4470 6 bytes JMP 000007feff2a0110
.text C:\Program Files\Microsoft Office\Office14\WINWORD.EXE[2852] C:\Windows\system32\OLEAUT32.dll!VariantChangeType 000007fefdee6720 10 bytes JMP 000007feff2a0180

---- Processes - GMER 2.1 ----

Process C:\Users\Krzycho\AppData\Local\Temp\ariana.exe (*** suspicious ***) @ C:\Users\Krzycho\AppData\Local\Temp\ariana.exe [3812](2015-04-08 11 0000000001130000
Library C:\Users\Krzycho\AppData\Local\Temp\ariana.exe (*** suspicious ***) @ C:\Users\Krzycho\AppData\Local\Temp\ariana.exe [3812](2015-04-08 11 0000000000400000
Process C:\Users\Krzycho\AppData\Local\Temp\12951.exe (*** suspicious ***) @ C:\Users\Krzycho\AppData\Local\Temp\12951.exe [3532] (Google/Google Inc.)(2015-04-13 10:56:17) 0000000000c40000
Process C:\Users\Krzycho\AppData\Local\Temp\12951.exe (*** suspicious ***) @ C:\Users\Krzycho\AppData\Local\Temp\12951.exe [2480] (Google/Google Inc.)(2015-04-13 10:56:17) 0000000000c40000
Library C:\Users\Krzycho\AppData\Local\Temp\12951.exe (*** suspicious ***) @ C:\Users\Krzycho\AppData\Local\Temp\12951.exe [2480] (Google/Google Inc.)(2015-04-13 10:56:17) 0000000000400000
Process C:\Users\Krzycho\AppData\Local\Temp\peverify.exe (*** suspicious ***) @ C:\Users\Krzycho\AppData\Local\Temp\peverify.exe [5344] (Google/Google Inc.)(2015-04-13 10:56:27) 0000000000260000
Process C:\Users\Krzycho\AppData\Local\Temp\chrome.exe (*** suspicious ***) @ C:\Users\Krzycho\AppData\Local\Temp\chrome.exe [6780] (Google/Google Inc.)(2015-04-13 10:56:25) 0000000000140000
Process C:\Users\Krzycho\AppData\Local\Temp\peverify.exe (*** suspicious ***) @ C:\Users\Krzycho\AppData\Local\Temp\peverify.exe [6248] (Google/Google Inc.)(2015-04-13 10:56:27) 0000000000260000
Process C:\Users\Krzycho\AppData\Local\Temp\Rar$EXa0.443\gmer.exe (*** suspicious ***) @ C:\Users\Krzycho\AppData\Local\Temp\Rar$EXa0.443\gmer.exe [2364](2015-04-13 17:41:39) 0000000000400000

---- Files - GMER 2.1 ----

File C:\Users\Krzycho\AppData\Local\Temp\tmp9A04.tmp 6701624 bytes

---- EOF - GMER 2.1 ----