GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-09-22 15:47:35
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 PLEXTOR_PX-128M5S rev.1.05 119,24GB
Running: gmer.exe; Driver: C:\Users\Krzycho\AppData\Local\Temp\pwliafob.sys

---- User code sections - GMER 2.1 ----

.text   D:\PROGRAMY\hamachi-2-ui.exe[2900] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExW + 17       0000000075311401 2 bytes JMP 76dfb21b C:\Windows\syswow64\kernel32.dll
.text   D:\PROGRAMY\hamachi-2-ui.exe[2900] C:\Windows\syswow64\PsApi.dll!EnumProcessModules + 17         0000000075311419 2 bytes JMP 76dfb346 C:\Windows\syswow64\kernel32.dll
.text   D:\PROGRAMY\hamachi-2-ui.exe[2900] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 17       0000000075311431 2 bytes JMP 76e78ea9 C:\Windows\syswow64\kernel32.dll
.text   D:\PROGRAMY\hamachi-2-ui.exe[2900] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 42       000000007531144a 2 bytes CALL 76dd48ad C:\Windows\syswow64\kernel32.dll
.text   ...                                                                                              * 9
.text   D:\PROGRAMY\hamachi-2-ui.exe[2900] C:\Windows\syswow64\PsApi.dll!EnumDeviceDrivers + 17          00000000753114dd 2 bytes JMP 76e787a2 C:\Windows\syswow64\kernel32.dll
.text   D:\PROGRAMY\hamachi-2-ui.exe[2900] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameA + 17   00000000753114f5 2 bytes JMP 76e78978 C:\Windows\syswow64\kernel32.dll
.text   D:\PROGRAMY\hamachi-2-ui.exe[2900] C:\Windows\syswow64\PsApi.dll!QueryWorkingSetEx + 17          000000007531150d 2 bytes JMP 76e78698 C:\Windows\syswow64\kernel32.dll
.text   D:\PROGRAMY\hamachi-2-ui.exe[2900] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameW + 17   0000000075311525 2 bytes JMP 76e78a62 C:\Windows\syswow64\kernel32.dll
.text   D:\PROGRAMY\hamachi-2-ui.exe[2900] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameW + 17         000000007531153d 2 bytes JMP 76defca8 C:\Windows\syswow64\kernel32.dll
.text   D:\PROGRAMY\hamachi-2-ui.exe[2900] C:\Windows\syswow64\PsApi.dll!EnumProcesses + 17              0000000075311555 2 bytes JMP 76df68ef C:\Windows\syswow64\kernel32.dll
.text   D:\PROGRAMY\hamachi-2-ui.exe[2900] C:\Windows\syswow64\PsApi.dll!GetProcessMemoryInfo + 17       000000007531156d 2 bytes JMP 76e78f61 C:\Windows\syswow64\kernel32.dll
.text   D:\PROGRAMY\hamachi-2-ui.exe[2900] C:\Windows\syswow64\PsApi.dll!GetPerformanceInfo + 17         0000000075311585 2 bytes JMP 76e78ac2 C:\Windows\syswow64\kernel32.dll
.text   D:\PROGRAMY\hamachi-2-ui.exe[2900] C:\Windows\syswow64\PsApi.dll!QueryWorkingSet + 17            000000007531159d 2 bytes JMP 76e7865c C:\Windows\syswow64\kernel32.dll
.text   D:\PROGRAMY\hamachi-2-ui.exe[2900] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameA + 17         00000000753115b5 2 bytes JMP 76defd41 C:\Windows\syswow64\kernel32.dll
.text   D:\PROGRAMY\hamachi-2-ui.exe[2900] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExA + 17       00000000753115cd 2 bytes JMP 76dfb2dc C:\Windows\syswow64\kernel32.dll
.text   D:\PROGRAMY\hamachi-2-ui.exe[2900] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 20   00000000753116b2 2 bytes JMP 76e78e24 C:\Windows\syswow64\kernel32.dll
.text   D:\PROGRAMY\hamachi-2-ui.exe[2900] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 31   00000000753116bd 2 bytes JMP 76e785f1 C:\Windows\syswow64\kernel32.dll

---- Processes - GMER 2.1 ----

Process  C:\Users\Krzycho\AppData\Local\Temp\Rar$EXa0.210\gmer.exe (*** suspicious ***) @ C:\Users\Krzycho\AppData\Local\Temp\Rar$EXa0.210\gmer.exe [3892](2015-09-22 13:35:52)   0000000000400000

---- EOF - GMER 2.1 ----