GMER 2.0.18454 - http://www.gmer.net
Rootkit scan 2013-02-04 02:44:24
Windows 6.1.7601 Service Pack 1 x64  \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.GB00 465,76GB
Running: j1v3psxz.exe; Driver: C:\Users\Robert\AppData\Local\Temp\pgloyfow.sys


---- Kernel code sections - GMER 2.0 ----

.text  C:\windows\System32\win32k.sys!W32pServiceTable  fffff96000133c00 7 bytes [C0, A0, F3, FF, 01, AC, F0]
.text  C:\windows\System32\win32k.sys!W32pServiceTable + 9  fffff96000133c09 2 bytes [06, 02]

---- User code sections - GMER 2.0 ----

.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[760] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000075d087b1 4 bytes [C2, 04, 00, 00]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[760] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076371401 2 bytes [37, 76]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[760] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076371419 2 bytes [37, 76]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[760] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076371431 2 bytes [37, 76]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[760] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007637144a 2 bytes [37, 76]
.text  ...  * 9
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[760] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000763714dd 2 bytes [37, 76]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[760] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000763714f5 2 bytes [37, 76]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[760] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007637150d 2 bytes [37, 76]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[760] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076371525 2 bytes [37, 76]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[760] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007637153d 2 bytes [37, 76]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[760] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076371555 2 bytes [37, 76]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[760] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007637156d 2 bytes [37, 76]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[760] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076371585 2 bytes [37, 76]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[760] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007637159d 2 bytes [37, 76]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[760] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000763715b5 2 bytes [37, 76]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[760] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000763715cd 2 bytes [37, 76]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[760] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000763716b2 2 bytes [37, 76]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[760] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000763716bd 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076371401 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[2268] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076371419 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076371431 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007637144a 2 bytes [37, 76]
.text  ...  * 9
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[2268] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000763714dd 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000763714f5 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[2268] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007637150d 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076371525 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007637153d 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[2268] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076371555 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007637156d 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076371585 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[2268] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007637159d 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000763715b5 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000763715cd 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000763716b2 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000763716bd 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076371401 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[4184] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076371419 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076371431 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007637144a 2 bytes [37, 76]
.text  ...  * 9
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[4184] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000763714dd 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000763714f5 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[4184] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007637150d 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076371525 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007637153d 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[4184] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076371555 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007637156d 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076371585 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[4184] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007637159d 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000763715b5 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000763715cd 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000763716b2 2 bytes [37, 76]
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000763716bd 2 bytes [37, 76]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076371401 2 bytes [37, 76]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4332] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076371419 2 bytes [37, 76]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076371431 2 bytes [37, 76]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007637144a 2 bytes [37, 76]
.text  ...  * 9
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4332] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000763714dd 2 bytes [37, 76]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000763714f5 2 bytes [37, 76]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4332] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007637150d 2 bytes [37, 76]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076371525 2 bytes [37, 76]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007637153d 2 bytes [37, 76]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4332] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076371555 2 bytes [37, 76]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007637156d 2 bytes [37, 76]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076371585 2 bytes [37, 76]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4332] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007637159d 2 bytes [37, 76]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000763715b5 2 bytes [37, 76]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000763715cd 2 bytes [37, 76]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000763716b2 2 bytes [37, 76]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000763716bd 2 bytes [37, 76]

---- User IAT/EAT - GMER 2.0 ----

IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2256] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId]  [7fef8862750] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2256] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId]  [7fef8862b98] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2256] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId]  [7fef8867de0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2256] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId]  [7fef8868130] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2256] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId]  [7fef8861908] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2256] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession]  [7fef8861c00] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2256] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload]  [7fef88681d8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2256] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet]  [7fef8862878] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2256] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString]  [7fef8867a5c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2256] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmIncrement]  [7fef8866c48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2256] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord]  [7fef88677bc] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2256] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion]  [7fef8867064] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2256] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession]  [7fef8866544] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2256] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession]  [7fef8865e30] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- EOF - GMER 2.0 ----
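Triage helper for the ".text" entries above, added here as an example; it is not GMER's code and not part of the scan log. Each ".text" line records bytes GMER found in memory that differ from what it expected at an export (or at an offset into it). The script parses those lines, decodes the 4-byte change at kernel32.dll!SetUnhandledExceptionFilter in ekrn.exe (C2 04 00 00 is the x86 instruction "ret 4", i.e. the export has been turned into an immediate return rather than redirected elsewhere), flags the 2-byte changes whose value equals the upper 16 bits of the patched address (37 76 at 0x76371401 is the high word of a pointer into PSAPI.DLL itself, the shape a base-relocation fixup leaves), and shows which changes recur at identical addresses with identical bytes across unrelated processes versus which appear in one process only. The two classification rules are the author's heuristics, marked as such in the code, not GMER verdicts; the sample log is a subset of the lines from this scan. Anything not matched stays "unclassified" so the reader compares memory against the on-disk image instead of trusting a label.

```python
"""Parse and triage the '.text' inline-modification entries of a GMER 2.0 log.

Added example, not GMER code. Classification rules below are the author's
heuristics (assumptions), not anything GMER itself reports.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the scan output above, one GMER entry per line.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 2.0 ----

.text  C:\windows\System32\win32k.sys!W32pServiceTable  fffff96000133c00 7 bytes [C0, A0, F3, FF, 01, AC, F0]
.text  C:\windows\System32\win32k.sys!W32pServiceTable + 9  fffff96000133c09 2 bytes [06, 02]

---- User code sections - GMER 2.0 ----

.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[760] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000075d087b1 4 bytes [C2, 04, 00, 00]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[760] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076371401 2 bytes [37, 76]
.text  ...  * 9
.text  C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[2268] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076371401 2 bytes [37, 76]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4332] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076371401 2 bytes [37, 76]

---- User IAT/EAT - GMER 2.0 ----

IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2256] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId]  [7fef8862750] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
"""

ENTRY_RE = re.compile(
    r"^\.text\s+"
    r"(?:(?P<proc>.*?)\[(?P<pid>\d+)\]\s+)?"   # user-mode entries carry "image.exe[pid]"; kernel ones do not
    r"(?P<mod>\S+?)!(?P<sym>\S+)"              # module!export
    r"(?:\s+\+\s+(?P<off>\d+))?"               # optional "+ N": byte offset into the export
    r"\s+(?P<addr>[0-9a-fA-F]+)\s+(?P<n>\d+)\s+bytes\s+\[(?P<bytes>[^\]]*)\]"
)
ELIDED_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s*(\d+)")  # GMER collapses runs of similar entries as ".text ... * N"


@dataclass(frozen=True)
class Patch:
    proc: Optional[str]   # image path of the process, None for kernel entries
    pid: Optional[int]
    module: str           # module whose code differs
    symbol: str
    offset: int           # bytes past the export's entry point
    addr: int
    data: bytes           # bytes GMER found in memory at addr


def parse_gmer(text: str):
    """Return (list of Patch, number of entries GMER collapsed with '* N')."""
    patches, elided = [], 0
    for line in text.splitlines():
        line = line.strip()
        if (m := ELIDED_RE.match(line)):
            elided += int(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if not m:                      # headers, blanks and IAT/EAT lines are not .text entries
            continue
        data = bytes(int(b, 16) for b in m["bytes"].split(","))
        if len(data) != int(m["n"]):
            raise ValueError(f"declared byte count disagrees with listed bytes: {line}")
        patches.append(Patch(proc=m["proc"].strip() if m["proc"] else None,
                             pid=int(m["pid"]) if m["pid"] else None,
                             module=m["mod"], symbol=m["sym"], offset=int(m["off"] or 0),
                             addr=int(m["addr"], 16), data=data))
    return patches, elided


def classify(p: Patch) -> str:
    # Heuristic 1 (assumption): C2 imm16 is x86 "ret imm16" at the export's entry point,
    # so the function now returns immediately instead of being redirected to a hook.
    if p.offset == 0 and len(p.data) >= 3 and p.data[0] == 0xC2:
        return f"stub: ret {int.from_bytes(p.data[1:3], 'little')}"
    # Heuristic 2 (assumption): a 2-byte change equal to the upper half of the patched
    # 32-bit address is the high word of a pointer into the same image, which is what a
    # base-relocation fixup looks like; low priority, but confirm against the file on disk.
    if len(p.data) == 2 and int.from_bytes(p.data, "little") == (p.addr >> 16) & 0xFFFF:
        return "relocated pointer (likely benign)"
    return "unclassified: compare with on-disk image"


def cross_process_view(patches):
    """Per (module, export, offset): which pids show it, and whether the bytes are identical."""
    groups = defaultdict(list)
    for p in patches:
        if p.pid is not None:
            groups[(ntpath.basename(p.module).lower(), p.symbol, p.offset)].append(p)
    return {k: {"pids": sorted({p.pid for p in v}), "same_bytes": len({p.data for p in v}) == 1}
            for k, v in groups.items()}


def triage(text: str):
    """One (image, pid, module!export+offset, verdict) row per entry, plus the elided count."""
    patches, elided = parse_gmer(text)
    rows = [(ntpath.basename(p.proc) if p.proc else "<kernel>", p.pid,
             f"{ntpath.basename(p.module)}!{p.symbol}+{p.offset}", classify(p)) for p in patches]
    return rows, elided


if __name__ == "__main__":
    rows, elided = triage(SAMPLE_LOG)
    for image, pid, where, verdict in rows:
        print(f"{image:<12} {str(pid):<6} {where:<46} {verdict}")
    print(f"({elided} similar entries collapsed by GMER)")
    for key, info in cross_process_view(parse_gmer(SAMPLE_LOG)[0]).items():
        print(f"{key[0]}!{key[1]}+{key[2]}: pids={info['pids']} identical_bytes={info['same_bytes']}")
```

Read the cross-process view together with the verdicts: the PSAPI.DLL changes are byte-identical at identical addresses in ekrn.exe, TosA2dp.exe, TosBtHid.exe and daemonu.exe, which points at a cause shared by every WoW64 process that maps that DLL, while the SetUnhandledExceptionFilter stub exists only inside ekrn.exe and is that process's own doing. Neither heuristic proves anything; the check that settles it is reading the module's bytes from disk, applying relocations for the observed load address, and diffing against the bytes GMER printed.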