GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-12-02 18:29:36 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD10EARS-00Y5B1 rev.80.00A80 931,51GB Running: pg0o7sur.exe; Driver: C:\Users\Siwy\AppData\Local\Temp\aftcraoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002fa6000 46 bytes [00, 00, 15, 02, 46, 69, 6C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff80002fa602f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Windows\system32\services.exe[608] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[644] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[792] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[888] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[912] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773da2ba 1 byte [62] .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[332] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[496] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[972] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1184] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1336] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1344] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Windows\Explorer.EXE[1680] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1760] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1800] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1892] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773da2ba 1 byte [62] .text C:\Windows\system32\svchost.exe[1948] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2004] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773da2ba 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2316] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[2476] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773da2ba 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[2476] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000075391a22 2 bytes [39, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2476] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000075391ad0 2 bytes [39, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2476] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000075391b08 2 bytes [39, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2476] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000075391bba 2 bytes [39, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2476] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000075391bda 2 bytes [39, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076401465 2 bytes [40, 76] .text C:\Windows\SysWOW64\PnkBstrA.exe[2476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764014bb 2 bytes [40, 76] .text ... * 2 .text C:\Windows\system32\svchost.exe[2500] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2772] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Windows\system32\conhost.exe[2780] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2928] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773da2ba 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2928] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076fc9d0b 5 bytes JMP 0000000110007f40 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2928] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076fc9d4e 5 bytes JMP 0000000110008070 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076401465 2 bytes [40, 76] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764014bb 2 bytes [40, 76] .text ... * 2 .text C:\Windows\system32\SearchIndexer.exe[2388] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2784] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Windows\System32\rundll32.exe[3000] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Windows\system\CMGxMon.exe[3472] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773da2ba 1 byte [62] .text C:\Windows\system\CMGxMon.exe[3472] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076fc9d0b 5 bytes JMP 0000000110007f40 .text C:\Windows\system\CMGxMon.exe[3472] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076fc9d4e 5 bytes JMP 0000000110008070 .text C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe[3480] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[3536] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Program Files\ASUS Xonar DX Audio\Customapp\ASUSAUDIOCENTER.EXE[3552] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773da2ba 1 byte [62] .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[3572] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Program Files\ASUS Xonar DX Audio\Customapp\MXMon.exe[3624] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773da2ba 1 byte [62] .text C:\Program Files\ASUS Xonar DX Audio\Customapp\MXMon.exe[3624] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076fc9d0b 5 bytes JMP 0000000110007f40 .text C:\Program Files\ASUS Xonar DX Audio\Customapp\MXMon.exe[3624] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076fc9d4e 5 bytes JMP 0000000110008070 .text G:\Programy\EXPERTool\TBPANEL.exe[3704] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773da2ba 1 byte [62] .text G:\Programy\EXPERTool\TBPANEL.exe[3704] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076fc9d0b 5 bytes JMP 0000000110007f40 .text G:\Programy\EXPERTool\TBPANEL.exe[3704] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076fc9d4e 5 bytes JMP 0000000110008070 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3808] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Program Files (x86)\OSCAR Editor X7\OscarEditor.exe[3968] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773da2ba 1 byte [62] .text C:\Program Files (x86)\OSCAR Editor X7\OscarEditor.exe[3968] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076fc9d0b 5 bytes JMP 0000000110007f40 .text C:\Program Files (x86)\OSCAR Editor X7\OscarEditor.exe[3968] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076fc9d4e 5 bytes JMP 0000000110008070 .text G:\Programy\Avast\AvastUI.exe[3716] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000773b8769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text G:\Programy\Avast\AvastUI.exe[3716] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773da2ba 1 byte [62] .text G:\Programy\Avast\AvastUI.exe[3716] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076401465 2 bytes [40, 76] .text G:\Programy\Avast\AvastUI.exe[3716] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764014bb 2 bytes [40, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3088] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773da2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3088] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076fc9d0b 5 bytes JMP 0000000110007f40 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3088] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076fc9d4e 5 bytes JMP 0000000110008070 .text C:\Windows\system32\wbem\wmiprvse.exe[3344] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007799eecd 1 byte [62] .text C:\Program Files (x86)\Nero\Update\NASvc.exe[4656] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773da2ba 1 byte [62] .text G:\pg0o7sur.exe[3076] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773da2ba 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [1800:1308] 000007fefaa12888 Thread C:\Windows\system32\svchost.exe [1800:1304] 000007fefaa02940 Thread C:\Windows\system32\svchost.exe [1800:3888] 000007fefaa12a40 Thread C:\Windows\system32\svchost.exe [2384:2748] 000007feff81a808 Thread C:\Windows\System32\svchost.exe [4696:4808] 000007feeed59688 ---- EOF - GMER 2.1 ----