GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-05-30 13:05:48
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000056 WDC_____ rev.01.0 931,51GB
Running: 0v2u8491.exe; Driver: C:\Users\PC\AppData\Local\Temp\pxldapoc.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\SysWOW64\PnkBstrA.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 00000001745c1460
.text C:\Windows\SysWOW64\PnkBstrA.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000001745c1120
.text C:\Windows\SysWOW64\PnkBstrA.exe[3856] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075db3bbb 5 bytes JMP 00000001745c1260
.text C:\Windows\SysWOW64\PnkBstrA.exe[3856] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000074e31a22 2 bytes [E3, 74]
.text C:\Windows\SysWOW64\PnkBstrA.exe[3856] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000074e31ad0 2 bytes [E3, 74]
.text C:\Windows\SysWOW64\PnkBstrA.exe[3856] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000074e31b08 2 bytes [E3, 74]
.text C:\Windows\SysWOW64\PnkBstrA.exe[3856] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000074e31bba 2 bytes [E3, 74]
.text C:\Windows\SysWOW64\PnkBstrA.exe[3856] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000074e31bda 2 bytes [E3, 74]
.text C:\Windows\SysWOW64\PnkBstrA.exe[3856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b51465 2 bytes [B5, 75]
.text C:\Windows\SysWOW64\PnkBstrA.exe[3856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b514bb 2 bytes [B5, 75]
.text ...
.text C:\Windows\system32\svchost.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077501530 5 bytes JMP 0000000077660128
.text C:\Windows\system32\svchost.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077501650 5 bytes JMP 0000000077660018
.text C:\Windows\system32\svchost.exe[3936] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773adb80 5 bytes JMP 00000000776600a0
.text C:\Windows\system32\svchost.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077501530 5 bytes JMP 0000000077660128
.text C:\Windows\system32\svchost.exe[3988] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077501650 5 bytes JMP 0000000077660018
.text C:\Windows\system32\svchost.exe[3988] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773adb80 5 bytes JMP 00000000776600a0
.text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077501530 5 bytes JMP 0000000077660128
.text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077501650 5 bytes JMP 0000000077660018
.text C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe[1128] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 00000000773adb80 5 bytes JMP 00000000776600a0
.text C:\Windows\SysWOW64\ctfmon.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 00000001745c1460
.text C:\Windows\SysWOW64\ctfmon.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000001745c1120
.text C:\Windows\SysWOW64\ctfmon.exe[3808] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075db3bbb 5 bytes JMP 00000001745c1260
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 00000001745c1460
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4984] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000001745c1120
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4984] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000075db3bbb 5 bytes JMP 00000001745c1260
.text C:\Windows\system32\SearchIndexer.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077501530 5 bytes JMP 0000000077660128
.text C:\Windows\system32\SearchIndexer.exe[2972] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077501650 5 bytes JMP 0000000077660018
.text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077501530 5 bytes JMP 0000000077660128
.text C:\Windows\system32\svchost.exe[1152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077501650 5 bytes JMP 0000000077660018
.text C:\Windows\system32\svchost.exe[1152] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773adb80 5 bytes JMP 00000000776600a0
.text C:\Windows\system32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077501530 5 bytes JMP 0000000077660128
.text C:\Windows\system32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077501650 5 bytes JMP 0000000077660018
.text C:\Windows\system32\svchost.exe[3032] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000773adb80 5 bytes JMP 00000000776600a0
.text C:\Users\PC\Desktop\0v2u8491.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000776afc50 5 bytes JMP 00000001745c1460
.text C:\Users\PC\Desktop\0v2u8491.exe[1036] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776afe14 5 bytes JMP 00000001745c1120
.text C:\Users\PC\Desktop\0v2u8491.exe[1036] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075db3bbb 5 bytes JMP 00000001745c1260

---- Threads - GMER 2.1 ----

Thread C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2592:2764] 000007fef4c5bc60
Thread C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2632:5888] 000007fef682f5f8
Thread C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2632:5896] 000007fef4c5bc60

---- EOF - GMER 2.1 ----