GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-05-01 14:12:32
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000030 WDC_____ rev.01.0 931,51GB
Running: 0v2u8491.exe; Driver: C:\Users\PC\AppData\Local\Temp\pxldapoc.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c51465 2 bytes [C5, 74]
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c514bb 2 bytes [C5, 74]
.text ... * 2
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f71530 5 bytes JMP 00000000770d0128
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f71650 5 bytes JMP 00000000770d0018
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[3660] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 0000000076e1db80 5 bytes JMP 00000000770d00a0
.text C:\Windows\SysWOW64\PnkBstrA.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007711fc50 5 bytes JMP 00000001749f1460
.text C:\Windows\SysWOW64\PnkBstrA.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007711fe14 5 bytes JMP 00000001749f1120
.text C:\Windows\SysWOW64\PnkBstrA.exe[3864] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076843bbb 5 bytes JMP 00000001749f1260
.text C:\Windows\SysWOW64\PnkBstrA.exe[3864] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000747c1a22 2 bytes [7C, 74]
.text C:\Windows\SysWOW64\PnkBstrA.exe[3864] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000747c1ad0 2 bytes [7C, 74]
.text C:\Windows\SysWOW64\PnkBstrA.exe[3864] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000747c1b08 2 bytes [7C, 74]
.text C:\Windows\SysWOW64\PnkBstrA.exe[3864] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000747c1bba 2 bytes [7C, 74]
.text C:\Windows\SysWOW64\PnkBstrA.exe[3864] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000747c1bda 2 bytes [7C, 74]
.text C:\Windows\SysWOW64\PnkBstrA.exe[3864] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c51465 2 bytes [C5, 74]
.text C:\Windows\SysWOW64\PnkBstrA.exe[3864] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c514bb 2 bytes [C5, 74]
.text ... * 2
.text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3992] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007711fc50 5 bytes JMP 00000001749f1460
.text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3992] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007711fe14 5 bytes JMP 00000001749f1120
.text C:\MSI\Smart Utilities\SuperRAIDSvc.exe[3992] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076843bbb 5 bytes JMP 00000001749f1260
.text C:\Windows\system32\svchost.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f71530 5 bytes JMP 00000000770d0128
.text C:\Windows\system32\svchost.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f71650 5 bytes JMP 00000000770d0018
.text C:\Windows\system32\svchost.exe[3792] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e1db80 5 bytes JMP 00000000770d00a0
.text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f71530 5 bytes JMP 00000000770d0128
.text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe[4184] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f71650 5 bytes JMP 00000000770d0018
.text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe[4184] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 0000000076e1db80 5 bytes JMP 00000000770d00a0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007711fc50 5 bytes JMP 00000001749f1460
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4588] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007711fe14 5 bytes JMP 00000001749f1120
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4588] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076843bbb 5 bytes JMP 00000001749f1260
.text C:\Windows\system32\SearchIndexer.exe[4736] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f71530 5 bytes JMP 00000000770d0128
.text C:\Windows\system32\SearchIndexer.exe[4736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f71650 5 bytes JMP 00000000770d0018
.text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f71530 5 bytes JMP 00000000770d0128
.text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f71650 5 bytes JMP 00000000770d0018
.text C:\Windows\system32\svchost.exe[1300] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e1db80 5 bytes JMP 00000000770d00a0
.text C:\Windows\system32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f71530 5 bytes JMP 00000000770d0128
.text C:\Windows\system32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f71650 5 bytes JMP 00000000770d0018
.text C:\Windows\system32\svchost.exe[4360] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e1db80 5 bytes JMP 00000000770d00a0
.text C:\Windows\system32\svchost.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f71530 5 bytes JMP 00000000770d0128
.text C:\Windows\system32\svchost.exe[3872] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f71650 5 bytes JMP 00000000770d0018
.text C:\Windows\system32\svchost.exe[3872] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e1db80 5 bytes JMP 00000000770d00a0
.text C:\Windows\System32\svchost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f71530 5 bytes JMP 00000000770d0128
.text C:\Windows\System32\svchost.exe[2700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f71650 5 bytes JMP 00000000770d0018
.text C:\Windows\System32\svchost.exe[2700] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e1db80 5 bytes JMP 00000000770d00a0
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007711fc50 5 bytes JMP 00000001749f1460
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007711fe14 5 bytes JMP 00000001749f1120
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3240] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076843bbb 5 bytes JMP 00000001749f1260
.text C:\Windows\system32\wbem\wmiprvse.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f71530 5 bytes JMP 00000000770d0128
.text C:\Windows\system32\wbem\wmiprvse.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f71650 5 bytes JMP 00000000770d0018
.text C:\Windows\system32\wbem\wmiprvse.exe[4316] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e1db80 5 bytes JMP 00000000770d00a0
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007711fc50 5 bytes JMP 00000001749f1460
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[4864] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007711fe14 5 bytes JMP 00000001749f1120
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[4864] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076843bbb 5 bytes JMP 00000001749f1260
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5016] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007711fc50 5 bytes JMP 00000001749f1460
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5016] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007711fe14 5 bytes JMP 00000001749f1120
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5016] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076843bbb 5 bytes JMP 00000001749f1260
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007711fc50 5 bytes JMP 00000001749f1460
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3088] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007711fe14 5 bytes JMP 00000001749f1120
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3088] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076843bbb 5 bytes JMP 00000001749f1260
.text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[5264] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007711fc50 5 bytes JMP 00000001749f1460
.text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[5264] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007711fe14 5 bytes JMP 00000001749f1120
.text C:\Program Files (x86)\Intel\Extreme Tuning Utility\XtuService.exe[5264] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000076843bbb 5 bytes JMP 00000001749f1260
.text C:\Windows\system32\wbem\wmiprvse.exe[6132] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f71530 5 bytes JMP 00000000770d0128
.text C:\Windows\system32\wbem\wmiprvse.exe[6132] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f71650 5 bytes JMP 00000000770d0018
.text C:\Windows\system32\wbem\wmiprvse.exe[6132] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e1db80 5 bytes JMP 00000000770d00a0
.text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[3524] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007711fc50 5 bytes JMP 00000001749f1460
.text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[3524] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007711fe14 5 bytes JMP 00000001749f1120
.text C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe[3524] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076843bbb 5 bytes JMP 00000001749f1260
.text C:\Windows\system32\Dwm.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f71530 5 bytes JMP 00000000770d0128
.text C:\Windows\system32\Dwm.exe[5076] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f71650 5 bytes JMP 00000000770d0018
.text C:\Windows\system32\Dwm.exe[5076] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076e1db80 5 bytes JMP 00000000770d00a0
.text C:\Users\PC\Desktop\0v2u8491.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007711fc50 5 bytes JMP 00000001749f1460
.text C:\Users\PC\Desktop\0v2u8491.exe[3768] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007711fe14 5 bytes JMP 00000001749f1120
.text C:\Users\PC\Desktop\0v2u8491.exe[3768] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076843bbb 5 bytes JMP 00000001749f1260

---- Threads - GMER 2.1 ----

Thread C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2616:2896] 000007fef3cf4094
Thread C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2616:2904] 000007fef3cf4094
Thread C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2616:2908] 000007fef18dbc60
Thread C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2624:3216] 000007fef3cf4094
Thread C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2624:3020] 000007fef33bf5f8
Thread C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2624:2368] 000007fef3cf4094
Thread C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2624:2364] 000007fef18dbc60
Thread C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2624:3340] 000007fef3cf4094

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----