GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-06 11:55:57 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-75ZCT2 rev.11.01A11 298,09GB Running: 5g048xtt.exe; Driver: C:\Users\Dawid\AppData\Local\Temp\pglyruod.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 00000000773afa88 5 bytes JMP 000000017310139e .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773b0018 5 bytes JMP 0000000173101a54 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[2636] C:\Windows\syswow64\USER32.dll!GetMenu + 412 0000000075d851dd 7 bytes JMP 0000000110053ac0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[2636] C:\Windows\syswow64\USER32.dll!PeekMessageA + 407 0000000075d8610b 7 bytes JMP 0000000110053c10 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[2636] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW + 131 0000000075d8c6c1 7 bytes JMP 0000000110053bf0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[2636] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA + 199 0000000075dcfc98 7 bytes JMP 0000000110053c60 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[2636] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW + 52 0000000075dcfcd1 7 bytes JMP 0000000110053d30 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[2636] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 31 0000000075dcfcf5 7 bytes JMP 0000000110053ce0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[2636] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076521465 2 bytes [52, 76] .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[2636] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765214bb 2 bytes [52, 76] .text ... * 2 .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[3120] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076521465 2 bytes [52, 76] .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[3120] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765214bb 2 bytes [52, 76] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [3120] entry point in ".rdata" section 00000000748371e6 .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[2648] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000773af991 7 bytes {MOV EDX, 0xd12a28; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[2648] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000773afbd5 7 bytes {MOV EDX, 0xd12a68; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[2648] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000773afc05 7 bytes {MOV EDX, 0xd129a8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[2648] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000773afc1d 7 bytes {MOV EDX, 0xd12928; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[2648] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000773afc35 7 bytes {MOV EDX, 0xd12b28; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[2648] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000773afc65 7 bytes {MOV EDX, 0xd12b68; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[2648] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000773afce5 7 bytes {MOV EDX, 0xd12ae8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[2648] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000773afcfd 7 bytes {MOV EDX, 0xd12aa8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[2648] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000773afd49 7 bytes {MOV EDX, 0xd12868; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[2648] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000773afe41 7 bytes {MOV EDX, 0xd128a8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[2648] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000773b0099 7 bytes {MOV EDX, 0xd12828; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[2648] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000773b10a5 7 bytes {MOV EDX, 0xd129e8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[2648] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000773b111d 7 bytes {MOV EDX, 0xd12968; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[2648] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000773b1321 7 bytes {MOV EDX, 0xd128e8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[2648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076521465 2 bytes [52, 76] .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[2648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765214bb 2 bytes [52, 76] .text ... * 2 .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[448] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000773af991 7 bytes {MOV EDX, 0xeed628; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[448] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000773afbd5 7 bytes {MOV EDX, 0xeed668; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[448] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000773afc05 7 bytes {MOV EDX, 0xeed5a8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[448] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000773afc1d 7 bytes {MOV EDX, 0xeed528; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[448] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000773afc35 7 bytes {MOV EDX, 0xeed728; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[448] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000773afc65 7 bytes {MOV EDX, 0xeed768; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[448] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000773afce5 7 bytes {MOV EDX, 0xeed6e8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[448] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000773afcfd 7 bytes {MOV EDX, 0xeed6a8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[448] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000773afd49 7 bytes {MOV EDX, 0xeed468; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[448] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000773afe41 7 bytes {MOV EDX, 0xeed4a8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[448] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000773b0099 7 bytes {MOV EDX, 0xeed428; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[448] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000773b10a5 7 bytes {MOV EDX, 0xeed5e8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[448] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000773b111d 7 bytes {MOV EDX, 0xeed568; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[448] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000773b1321 7 bytes {MOV EDX, 0xeed4e8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[448] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076521465 2 bytes [52, 76] .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[448] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765214bb 2 bytes [52, 76] .text ... * 2 .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[1044] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000773af991 7 bytes {MOV EDX, 0x266e28; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[1044] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000773afbd5 7 bytes {MOV EDX, 0x266e68; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[1044] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000773afc05 7 bytes {MOV EDX, 0x266da8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[1044] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000773afc1d 7 bytes {MOV EDX, 0x266d28; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[1044] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000773afc35 7 bytes {MOV EDX, 0x266f28; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[1044] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000773afc65 7 bytes {MOV EDX, 0x266f68; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[1044] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000773afce5 7 bytes {MOV EDX, 0x266ee8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[1044] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000773afcfd 7 bytes {MOV EDX, 0x266ea8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[1044] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000773afd49 7 bytes {MOV EDX, 0x266c68; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[1044] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000773afe41 7 bytes {MOV EDX, 0x266ca8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[1044] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000773b0099 7 bytes {MOV EDX, 0x266c28; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[1044] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000773b10a5 7 bytes {MOV EDX, 0x266de8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[1044] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000773b111d 7 bytes {MOV EDX, 0x266d68; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[1044] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000773b1321 7 bytes {MOV EDX, 0x266ce8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[1044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076521465 2 bytes [52, 76] .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[1044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765214bb 2 bytes [52, 76] .text ... * 2 .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000773af991 7 bytes {MOV EDX, 0x1054a28; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000773afbd5 7 bytes {MOV EDX, 0x1054a68; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000773afc05 7 bytes {MOV EDX, 0x10549a8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000773afc1d 7 bytes {MOV EDX, 0x1054928; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000773afc35 7 bytes {MOV EDX, 0x1054b28; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000773afc65 7 bytes {MOV EDX, 0x1054b68; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000773afce5 7 bytes {MOV EDX, 0x1054ae8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000773afcfd 7 bytes {MOV EDX, 0x1054aa8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000773afd49 7 bytes {MOV EDX, 0x1054868; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000773afe41 7 bytes {MOV EDX, 0x10548a8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000773b0099 7 bytes {MOV EDX, 0x1054828; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000773b10a5 7 bytes {MOV EDX, 0x10549e8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000773b111d 7 bytes {MOV EDX, 0x1054968; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000773b1321 7 bytes {MOV EDX, 0x10548e8; JMP RDX} .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076521465 2 bytes [52, 76] .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765214bb 2 bytes [52, 76] .text ... * 2 .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076521465 2 bytes [52, 76] .text C:\Users\Dawid\AppData\Local\Google\Chrome\Application\chrome.exe[2560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765214bb 2 bytes [52, 76] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff8800332cd18] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- EOF - GMER 2.1 ----