GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-08-18 14:08:21
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\0000002f ST1000LM024_HN-M101MBB rev.2BA30001 931,51GB
Running: sbf7g9dq.exe; Driver: C:\Users\Beata\AppData\Local\Temp\pwlyrkog.sys


---- User code sections - GMER 2.1 ----

.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort      00007ffb27931280 5 bytes JMP 00007ffba7a60460
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject               00007ffb279312d0 5 bytes JMP 00007ffba7a60450
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess               00007ffb27931430 5 bytes JMP 00007ffba7a60370
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx    00007ffb27931480 5 bytes JMP 00007ffba7a60470
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess          00007ffb27931490 5 bytes JMP 00007ffba7a603e0
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection               00007ffb27931540 5 bytes JMP 00007ffba7a60320
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory        00007ffb27931570 5 bytes JMP 00007ffba7a603b0
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject           00007ffb27931590 5 bytes JMP 00007ffba7a60390
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent                 00007ffb279315d0 5 bytes JMP 00007ffba7a602e0
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent               00007ffb27931650 5 bytes JMP 00007ffba7a602d0
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection             00007ffb27931670 5 bytes JMP 00007ffba7a60310
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread              00007ffb279316b0 5 bytes JMP 00007ffba7a603c0
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread           00007ffb27931700 5 bytes JMP 00007ffba7a603f0
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry              00007ffb27931860 5 bytes JMP 00007ffba7a60230
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort   00007ffb27931a50 5 bytes JMP 00007ffba7a60480
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject  00007ffb27931a80 5 bytes JMP 00007ffba7a603a0
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair           00007ffb27931ba0 5 bytes JMP 00007ffba7a602f0
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion        00007ffb27931bc0 1 byte JMP 00007ffba7a60350
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2    00007ffb27931bc2 3 bytes {JMP 0xffffffff8012e790}
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant              00007ffb27931c30 5 bytes JMP 00007ffba7a60290
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore           00007ffb27931cc0 5 bytes JMP 00007ffba7a602b0
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx            00007ffb27931ce0 5 bytes JMP 00007ffba7a603d0
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer               00007ffb27931cf0 5 bytes JMP 00007ffba7a60330
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess        00007ffb27931da0 5 bytes JMP 00007ffba7a60410
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry           00007ffb27931dd0 5 bytes JMP 00007ffba7a60240
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver                00007ffb279320f0 5 bytes JMP 00007ffba7a601e0
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry           00007ffb279321b0 5 bytes JMP 00007ffba7a60250
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey           00007ffb279321e0 5 bytes JMP 00007ffba7a60490
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys  00007ffb279321f0 5 bytes JMP 00007ffba7a604a0
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair             00007ffb27932220 5 bytes JMP 00007ffba7a60300
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion          00007ffb27932230 5 bytes JMP 00007ffba7a60360
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant                00007ffb27932290 5 bytes JMP 00007ffba7a602a0
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore             00007ffb279322e0 5 bytes JMP 00007ffba7a602c0
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread                00007ffb27932310 5 bytes JMP 00007ffba7a60380
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer                 00007ffb27932320 5 bytes JMP 00007ffba7a60340
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx          00007ffb27932630 5 bytes JMP 00007ffba7a60440
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder         00007ffb27932830 5 bytes JMP 00007ffba7a60260
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions            00007ffb27932840 5 bytes JMP 00007ffba7a60270
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread          00007ffb27932860 5 bytes JMP 00007ffba7a60400
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation      00007ffb27932a40 5 bytes JMP 00007ffba7a601f0
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState       00007ffb27932a50 5 bytes JMP 00007ffba7a60210
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem            00007ffb27932ae0 5 bytes JMP 00007ffba7a60200
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess            00007ffb27932b50 5 bytes JMP 00007ffba7a60420
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread             00007ffb27932b60 5 bytes JMP 00007ffba7a60430
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl        00007ffb27932b70 5 bytes JMP 00007ffba7a60220
.text   C:\WINDOWS\system32\AUDIODG.EXE[6012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl                00007ffb27932c80 5 bytes JMP 00007ffba7a60280

---- Threads - GMER 2.1 ----

Thread  C:\WINDOWS\system32\csrss.exe [652:664]                                                         fffff960008b62d0

---- Disk sectors - GMER 2.1 ----

Disk    \Device\Harddisk0\DR0                                                                           unknown MBR code

---- EOF - GMER 2.1 ----