GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-01-02 16:18:43 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002f rev. 0,00MB Running: 0192zn5n.exe; Driver: C:\Users\MEDIAM~1\AppData\Local\Temp\pxldypow.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffba6a84b14 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffba6a84f3c 8 bytes [60, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffba6a85216 8 bytes [50, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffba6a8540f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffba6a857af 8 bytes [30, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffba6a85805 8 bytes [20, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffba6a859b4 8 bytes [10, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffba6a85f51 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffba6b00ef0 8 bytes {JMP QWORD [RIP-0x7b747]} .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffba6b01070 8 bytes {JMP QWORD [RIP-0x7b871]} .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffba6b010a0 8 bytes {JMP QWORD [RIP-0x7c16a]} .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffba6b011c0 8 bytes {JMP QWORD [RIP-0x7bdb7]} .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffba6b01270 8 bytes {JMP QWORD [RIP-0x7c060]} .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffba6b01930 8 bytes {JMP QWORD [RIP-0x7b9e5]} .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffba6b01c30 8 bytes {JMP QWORD [RIP-0x7bf7e]} .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffba6b024b0 8 bytes {JMP QWORD [RIP-0x7cb02]} .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\system32\wow64cpu.dll!CpuSetContext + 438 00000000778313f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\system32\wow64cpu.dll!CpuGetContext + 387 0000000077831583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077831621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077831674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\system32\wow64cpu.dll!CpuGetStackPointer + 23 00000000778316d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 00000000778316e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\FilesFrog Update Checker\update_checker.exe[5084] C:\WINDOWS\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077831727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffba6a84b14 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffba6a84f3c 8 bytes [60, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffba6a85216 8 bytes [50, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffba6a8540f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffba6a857af 8 bytes [30, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffba6a85805 8 bytes [20, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffba6a859b4 8 bytes [10, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffba6a85f51 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffba6b00ef0 8 bytes {JMP QWORD [RIP-0x7b747]} .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffba6b01070 8 bytes {JMP QWORD [RIP-0x7b871]} .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffba6b010a0 8 bytes {JMP QWORD [RIP-0x7c16a]} .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffba6b011c0 8 bytes {JMP QWORD [RIP-0x7bdb7]} .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffba6b01270 8 bytes {JMP QWORD [RIP-0x7c060]} .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffba6b01930 8 bytes {JMP QWORD [RIP-0x7b9e5]} .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffba6b01c30 8 bytes {JMP QWORD [RIP-0x7bf7e]} .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffba6b024b0 8 bytes {JMP QWORD [RIP-0x7cb02]} .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\system32\wow64cpu.dll!CpuSetContext + 438 00000000778313f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\system32\wow64cpu.dll!CpuGetContext + 387 0000000077831583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077831621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077831674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\system32\wow64cpu.dll!CpuGetStackPointer + 23 00000000778316d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 00000000778316e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe[4796] C:\WINDOWS\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077831727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ffba6a84b14 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ffba6a84f3c 8 bytes [60, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ffba6a85216 8 bytes [50, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ffba6a8540f 8 bytes {JMP 0xffffffffffffffee} .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ffba6a857af 8 bytes [30, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ffba6a85805 8 bytes [20, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ffba6a859b4 8 bytes [10, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ffba6a85f51 8 bytes {JMP 0xffffffffffffff9e} .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffba6b00ef0 8 bytes {JMP QWORD [RIP-0x7b747]} .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffba6b01070 8 bytes {JMP QWORD [RIP-0x7b871]} .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffba6b010a0 8 bytes {JMP QWORD [RIP-0x7c16a]} .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffba6b011c0 8 bytes {JMP QWORD [RIP-0x7bdb7]} .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffba6b01270 8 bytes {JMP QWORD [RIP-0x7c060]} .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffba6b01930 8 bytes {JMP QWORD [RIP-0x7b9e5]} .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffba6b01c30 8 bytes {JMP QWORD [RIP-0x7bf7e]} .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffba6b024b0 8 bytes {JMP QWORD [RIP-0x7cb02]} .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\system32\wow64cpu.dll!CpuSetContext + 438 00000000778313f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\system32\wow64cpu.dll!CpuGetContext + 387 0000000077831583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077831621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077831674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\system32\wow64cpu.dll!CpuGetStackPointer + 23 00000000778316d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 00000000778316e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe[3340] C:\WINDOWS\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077831727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\explorer.exe[3148] @ C:\WINDOWS\system32\RPCRT4.dll[ntdll.dll!NtAlpcConnectPortEx] [63414350] C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\x64\prremote.dll ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [664:2284] fffff960008642d0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [5056:364] 0000000000b9550f ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code Disk \Device\Harddisk0\DR0 sector 0: rootkit-like behavior ---- EOF - GMER 2.1 ----