GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-08-31 06:49:56
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T1L0-5 Hitachi_HDT721032SLA360 rev.ST2OA3AA 297,96GB
Running: pry8geh4.exe; Driver: C:\Users\Jacenty\AppData\Local\Temp\agtirfow.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c51465 2 bytes [C5, 75]
.text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c514bb 2 bytes [C5, 75]
.text ... * 2
.text C:\Windows\SysWOW64\PnkBstrA.exe[2752] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000071881a22 2 bytes [88, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2752] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000071881ad0 2 bytes [88, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2752] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000071881b08 2 bytes [88, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2752] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000071881bba 2 bytes [88, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2752] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000071881bda 2 bytes [88, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2752] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c51465 2 bytes [C5, 75]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2752] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c514bb 2 bytes [C5, 75]
.text ... * 2
.text C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c51465 2 bytes [C5, 75]
.text C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c514bb 2 bytes [C5, 75]
.text ... * 2
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c51465 2 bytes [C5, 75]
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c514bb 2 bytes [C5, 75]
.text ... * 2
.text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077931590 5 bytes JMP 0000000077a90128
.text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779316b0 5 bytes JMP 0000000077a90018
.text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[2624] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777de7b0 5 bytes JMP 0000000077a900a0
.text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077931590 5 bytes JMP 0000000077a90128
.text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779316b0 5 bytes JMP 0000000077a90018
.text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2584] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777de7b0 5 bytes JMP 0000000077a900a0
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077931590 5 bytes JMP 0000000077a90128
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3260] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779316b0 5 bytes JMP 0000000077a90018
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3260] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777de7b0 5 bytes JMP 0000000077a900a0
.text C:\Program Files (x86)\Razer\Razer Cortex\RzKLService.exe[3352] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077adfc40 5 bytes JMP 00000001733f1920
.text C:\Program Files (x86)\Razer\Razer Cortex\RzKLService.exe[3352] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077adfe04 5 bytes JMP 00000001733f15d0
.text C:\Program Files (x86)\Razer\Razer Cortex\RzKLService.exe[3352] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075b63bf3 5 bytes JMP 00000001733f1700
.text C:\Windows\system32\viakaraokesrv.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077931590 5 bytes JMP 0000000077a90128
.text C:\Windows\system32\viakaraokesrv.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779316b0 5 bytes JMP 0000000077a90018
.text C:\Windows\system32\viakaraokesrv.exe[3396] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777de7b0 5 bytes JMP 0000000077a900a0
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077931590 5 bytes JMP 0000000077a90128
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3436] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779316b0 5 bytes JMP 0000000077a90018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3436] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777de7b0 5 bytes JMP 0000000077a900a0
.text C:\Users\Jacenty\AppData\Roaming\Spotify\SpotifyWebHelper.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077adfc40 5 bytes JMP 00000001733f1920
.text C:\Users\Jacenty\AppData\Roaming\Spotify\SpotifyWebHelper.exe[3520] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077adfe04 5 bytes JMP 00000001733f15d0
.text C:\Users\Jacenty\AppData\Roaming\Spotify\SpotifyWebHelper.exe[3520] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075b63bf3 5 bytes JMP 00000001733f1700
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077adfc40 5 bytes JMP 00000001733f1920
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077adfe04 5 bytes JMP 00000001733f15d0
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075b63bf3 5 bytes JMP 00000001733f1700
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c51465 2 bytes [C5, 75]
.text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c514bb 2 bytes [C5, 75]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077adfc40 5 bytes JMP 00000001733f1920
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3608] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077adfe04 5 bytes JMP 00000001733f15d0
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3608] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075b63bf3 5 bytes JMP 00000001733f1700
.text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077adfc40 5 bytes JMP 00000001733f1920
.text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[3624] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077adfe04 5 bytes JMP 00000001733f15d0
.text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[3624] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW 0000000075b63bf3 5 bytes JMP 00000001733f1700
.text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c51465 2 bytes [C5, 75]
.text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[3624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c514bb 2 bytes [C5, 75]
.text ... * 2
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077931590 5 bytes JMP 0000000077a90128
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779316b0 5 bytes JMP 0000000077a90018
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3688] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777de7b0 5 bytes JMP 0000000077a900a0
.text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077931590 5 bytes JMP 0000000077a90128
.text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779316b0 5 bytes JMP 0000000077a90018
.text C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe[3932] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777de7b0 5 bytes JMP 0000000077a900a0
.text C:\Windows\system32\SearchIndexer.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077931590 5 bytes JMP 0000000077a90128
.text C:\Windows\system32\SearchIndexer.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779316b0 5 bytes JMP 0000000077a90018
.text C:\Windows\system32\SearchIndexer.exe[4008] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777de7b0 5 bytes JMP 0000000077a900a0
.text C:\Windows\system32\svchost.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077931590 5 bytes JMP 0000000077a90128
.text C:\Windows\system32\svchost.exe[3172] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779316b0 5 bytes JMP 0000000077a90018
.text C:\Windows\system32\svchost.exe[3172] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777de7b0 5 bytes JMP 0000000077a900a0
.text C:\Windows\SysWOW64\ctfmon.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077adfc40 5 bytes JMP 00000001733f1920
.text C:\Windows\SysWOW64\ctfmon.exe[4432] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077adfe04 5 bytes JMP 00000001733f15d0
.text C:\Windows\SysWOW64\ctfmon.exe[4432] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075b63bf3 5 bytes JMP 00000001733f1700
.text C:\Windows\System32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077931590 5 bytes JMP 0000000077a90128
.text C:\Windows\System32\svchost.exe[2520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779316b0 5 bytes JMP 0000000077a90018
.text C:\Windows\System32\svchost.exe[2520] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777de7b0 5 bytes JMP 0000000077a900a0
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[5152] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777de7b0 5 bytes JMP 0000000077a900a0
.text C:\Windows\system32\DllHost.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077931590 5 bytes JMP 0000000077a90128
.text C:\Windows\system32\DllHost.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779316b0 5 bytes JMP 0000000077a90018
.text C:\Windows\system32\DllHost.exe[5640] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777de7b0 5 bytes JMP 0000000077a900a0
.text C:\Windows\system32\taskmgr.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077931590 5 bytes JMP 0000000077a90128
.text C:\Windows\system32\taskmgr.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779316b0 5 bytes JMP 0000000077a90018
.text C:\Windows\system32\taskmgr.exe[1820] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 00000000777de7b0 5 bytes JMP 0000000077a900a0
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[5792] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077adfc40 5 bytes JMP 00000001733f1920
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[5792] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077adfe04 5 bytes JMP 00000001733f15d0
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[5792] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075b63bf3 5 bytes JMP 00000001733f1700
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[5792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c51465 2 bytes [C5, 75]
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[5792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c514bb 2 bytes [C5, 75]
.text ... * 2

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3436] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef937741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3436] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef9375f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3436] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef9375674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3436] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef9375e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3436] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef9377f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3436] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef9376a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3436] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef9376ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3436] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef9377b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3436] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef9377ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3436] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef93778b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3436] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef9374fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3436] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef9375d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3436] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef9377584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Threads - GMER 2.1 ----

Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5152:5380] 000007fefaaa2ab8

---- EOF - GMER 2.1 ----