GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-09-08 08:52:13
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-1 WDC_WD10EZEX-00BN5A0 rev.01.01A01 931,51GB
Running: csm9osif.exe; Driver: C:\Users\Cypisek\AppData\Local\Temp\pwldypow.sys

---- User code sections - GMER 2.2 ----

.text C:\Windows\SysWOW64\PnkBstrA.exe[448] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000733217fa 2 bytes CALL 760611a9 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[448] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000073321860 2 bytes CALL 760611a9 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[448] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000073321942 2 bytes JMP 75897089 C:\Windows\syswow64\WS2_32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[448] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 000000007332194d 2 bytes JMP 7589cba6 C:\Windows\syswow64\WS2_32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2116] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075c12ab1 5 bytes JMP 0000000000291179
.text C:\Users\Cypisek\AppData\Local\FluxSoftware\Flux\flux.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075b61401 2 bytes JMP 7608b20b C:\Windows\syswow64\kernel32.dll
.text C:\Users\Cypisek\AppData\Local\FluxSoftware\Flux\flux.exe[2192] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075b61419 2 bytes JMP 7608b336 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Cypisek\AppData\Local\FluxSoftware\Flux\flux.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075b61431 2 bytes JMP 76108f39 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Cypisek\AppData\Local\FluxSoftware\Flux\flux.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075b6144a 2 bytes CALL 76064885 C:\Windows\syswow64\kernel32.dll
.text ...
* 9
.text C:\Users\Cypisek\AppData\Local\FluxSoftware\Flux\flux.exe[2192] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075b614dd 2 bytes JMP 76108832 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Cypisek\AppData\Local\FluxSoftware\Flux\flux.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075b614f5 2 bytes JMP 76108a08 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Cypisek\AppData\Local\FluxSoftware\Flux\flux.exe[2192] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075b6150d 2 bytes JMP 76108728 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Cypisek\AppData\Local\FluxSoftware\Flux\flux.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075b61525 2 bytes JMP 76108af2 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Cypisek\AppData\Local\FluxSoftware\Flux\flux.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075b6153d 2 bytes JMP 7607fc98 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Cypisek\AppData\Local\FluxSoftware\Flux\flux.exe[2192] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075b61555 2 bytes JMP 760868df C:\Windows\syswow64\kernel32.dll
.text C:\Users\Cypisek\AppData\Local\FluxSoftware\Flux\flux.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075b6156d 2 bytes JMP 76108ff1 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Cypisek\AppData\Local\FluxSoftware\Flux\flux.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075b61585 2 bytes JMP 76108b52 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Cypisek\AppData\Local\FluxSoftware\Flux\flux.exe[2192] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075b6159d 2 bytes JMP 761086ec C:\Windows\syswow64\kernel32.dll
.text C:\Users\Cypisek\AppData\Local\FluxSoftware\Flux\flux.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075b615b5 2 bytes JMP 7607fd31 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Cypisek\AppData\Local\FluxSoftware\Flux\flux.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075b615cd 2 bytes JMP 7608b2cc C:\Windows\syswow64\kernel32.dll
.text C:\Users\Cypisek\AppData\Local\FluxSoftware\Flux\flux.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075b616b2 2 bytes JMP 76108eb4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Cypisek\AppData\Local\FluxSoftware\Flux\flux.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075b616bd 2 bytes JMP 76108681 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3264] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExW + 17 0000000075b61401 2 bytes JMP 7608b20b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3264] C:\Windows\syswow64\PsApi.dll!EnumProcessModules + 17 0000000075b61419 2 bytes JMP 7608b336 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3264] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 17 0000000075b61431 2 bytes JMP 76108f39 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3264] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 42 0000000075b6144a 2 bytes CALL 76064885 C:\Windows\syswow64\kernel32.dll
.text ...
* 9
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3264] C:\Windows\syswow64\PsApi.dll!EnumDeviceDrivers + 17 0000000075b614dd 2 bytes JMP 76108832 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3264] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameA + 17 0000000075b614f5 2 bytes JMP 76108a08 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3264] C:\Windows\syswow64\PsApi.dll!QueryWorkingSetEx + 17 0000000075b6150d 2 bytes JMP 76108728 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3264] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameW + 17 0000000075b61525 2 bytes JMP 76108af2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3264] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameW + 17 0000000075b6153d 2 bytes JMP 7607fc98 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3264] C:\Windows\syswow64\PsApi.dll!EnumProcesses + 17 0000000075b61555 2 bytes JMP 760868df C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3264] C:\Windows\syswow64\PsApi.dll!GetProcessMemoryInfo + 17 0000000075b6156d 2 bytes JMP 76108ff1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3264] C:\Windows\syswow64\PsApi.dll!GetPerformanceInfo + 17 0000000075b61585 2 bytes JMP 76108b52 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3264] C:\Windows\syswow64\PsApi.dll!QueryWorkingSet + 17 0000000075b6159d 2 bytes JMP 761086ec C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3264] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameA + 17 0000000075b615b5 2 bytes JMP 7607fd31 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3264] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExA + 17 0000000075b615cd 2 bytes JMP 7608b2cc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3264] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 20 0000000075b616b2 2 bytes JMP 76108eb4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[3264] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 31 0000000075b616bd 2 bytes JMP 76108681 C:\Windows\syswow64\kernel32.dll

---- Files - GMER 2.2 ----

---- EOF - GMER 2.2 ----