GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-12-20 12:11:25 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9640320AS rev.0002SDM1 596,17GB Running: kyjqix9p.exe; Driver: C:\Users\Admin\AppData\Local\Temp\aglyapod.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[784] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 00000000770590a0 4 bytes [C3, 00, 00, 00] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077411401 2 bytes JMP 76f6b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1524] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077411419 2 bytes JMP 76f6b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077411431 2 bytes JMP 76fe8fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007741144a 2 bytes CALL 76f4489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1524] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774114dd 2 bytes JMP 76fe88c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774114f5 2 bytes JMP 76fe8aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1524] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007741150d 2 bytes JMP 76fe87ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077411525 2 bytes JMP 76fe8b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007741153d 2 bytes JMP 76f5fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1524] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077411555 2 bytes JMP 76f668ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007741156d 2 bytes JMP 76fe9089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077411585 2 bytes JMP 76fe8bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1524] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007741159d 2 bytes JMP 76fe877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774115b5 2 bytes JMP 76f5fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774115cd 2 bytes JMP 76f6b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774116b2 2 bytes JMP 76fe8f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1524] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774116bd 2 bytes JMP 76fe8713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077411401 2 bytes JMP 76f6b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1716] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077411419 2 bytes JMP 76f6b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077411431 2 bytes JMP 76fe8fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007741144a 2 bytes CALL 76f4489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1716] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774114dd 2 bytes JMP 76fe88c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774114f5 2 bytes JMP 76fe8aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1716] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007741150d 2 bytes JMP 76fe87ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077411525 2 bytes JMP 76fe8b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007741153d 2 bytes JMP 76f5fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1716] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077411555 2 bytes JMP 76f668ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007741156d 2 bytes JMP 76fe9089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077411585 2 bytes JMP 76fe8bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1716] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007741159d 2 bytes JMP 76fe877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774115b5 2 bytes JMP 76f5fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774115cd 2 bytes JMP 76f6b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774116b2 2 bytes JMP 76fe8f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1716] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774116bd 2 bytes JMP 76fe8713 C:\Windows\syswow64\kernel32.dll ? C:\Windows\system32\mssprxy.dll [1716] entry point in ".rdata" section 00000000731071e6 ---- Threads - GMER 2.1 ---- Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [676:3724] 0000000075f27587 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [676:3728] 000000006e7d8aa6 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [676:3056] 000000007747c557 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [676:4656] 00000000774927c1 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [676:4564] 00000000774927c1 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [676:3332] 00000000774927c1 Thread C:\Windows\System32\svchost.exe [3280:4128] 000007fef05c9688 ---- EOF - GMER 2.1 ----