GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-27 23:31:28
Windows 6.1.7600 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0-0 KINGSTON_SV300S37A60G rev.505ABBF1 55,90GB
Running: ll80cb6x.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\pwriifow.sys

---- User code sections - GMER 2.1 ----

.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17   0000000076fc1401 2 bytes JMP 763ceb26 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1376] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17   0000000076fc1419 2 bytes JMP 763db513 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17   0000000076fc1431 2 bytes JMP 76458609 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42   0000000076fc144a 2 bytes CALL 763b1dfa C:\Windows\syswow64\kernel32.dll
.text   ...   * 9
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1376] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17   0000000076fc14dd 2 bytes JMP 76457efe C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17   0000000076fc14f5 2 bytes JMP 764580d8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1376] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17   0000000076fc150d 2 bytes JMP 76457df4 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17   0000000076fc1525 2 bytes JMP 764581c2 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17   0000000076fc153d 2 bytes JMP 763cf088 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1376] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17   0000000076fc1555 2 bytes JMP 763db885 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17   0000000076fc156d 2 bytes JMP 764586c1 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17   0000000076fc1585 2 bytes JMP 76458222 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1376] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17   0000000076fc159d 2 bytes JMP 76457db8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17   0000000076fc15b5 2 bytes JMP 763cf121 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17   0000000076fc15cd 2 bytes JMP 763db29f C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20   0000000076fc16b2 2 bytes JMP 76458584 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31   0000000076fc16bd 2 bytes JMP 76457d4d C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\system32\PnkBstrA.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17   0000000076fc1401 2 bytes JMP 763ceb26 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\system32\PnkBstrA.exe[1888] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17   0000000076fc1419 2 bytes JMP 763db513 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\system32\PnkBstrA.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17   0000000076fc1431 2 bytes JMP 76458609 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\system32\PnkBstrA.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42   0000000076fc144a 2 bytes CALL 763b1dfa C:\Windows\syswow64\kernel32.dll
.text   ...   * 9
.text   C:\Windows\system32\PnkBstrA.exe[1888] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17   0000000076fc14dd 2 bytes JMP 76457efe C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\system32\PnkBstrA.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17   0000000076fc14f5 2 bytes JMP 764580d8 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\system32\PnkBstrA.exe[1888] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17   0000000076fc150d 2 bytes JMP 76457df4 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\system32\PnkBstrA.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17   0000000076fc1525 2 bytes JMP 764581c2 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\system32\PnkBstrA.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17   0000000076fc153d 2 bytes JMP 763cf088 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\system32\PnkBstrA.exe[1888] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17   0000000076fc1555 2 bytes JMP 763db885 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\system32\PnkBstrA.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17   0000000076fc156d 2 bytes JMP 764586c1 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\system32\PnkBstrA.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17   0000000076fc1585 2 bytes JMP 76458222 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\system32\PnkBstrA.exe[1888] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17   0000000076fc159d 2 bytes JMP 76457db8 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\system32\PnkBstrA.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17   0000000076fc15b5 2 bytes JMP 763cf121 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\system32\PnkBstrA.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17   0000000076fc15cd 2 bytes JMP 763db29f C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\system32\PnkBstrA.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20   0000000076fc16b2 2 bytes JMP 76458584 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\system32\PnkBstrA.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31   0000000076fc16bd 2 bytes JMP 76457d4d C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17   0000000076fc1401 2 bytes JMP 763ceb26 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2220] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17   0000000076fc1419 2 bytes JMP 763db513 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17   0000000076fc1431 2 bytes JMP 76458609 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42   0000000076fc144a 2 bytes CALL 763b1dfa C:\Windows\syswow64\kernel32.dll
.text   ...   * 9
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2220] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17   0000000076fc14dd 2 bytes JMP 76457efe C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17   0000000076fc14f5 2 bytes JMP 764580d8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2220] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17   0000000076fc150d 2 bytes JMP 76457df4 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17   0000000076fc1525 2 bytes JMP 764581c2 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17   0000000076fc153d 2 bytes JMP 763cf088 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2220] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17   0000000076fc1555 2 bytes JMP 763db885 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17   0000000076fc156d 2 bytes JMP 764586c1 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17   0000000076fc1585 2 bytes JMP 76458222 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2220] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17   0000000076fc159d 2 bytes JMP 76457db8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17   0000000076fc15b5 2 bytes JMP 763cf121 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17   0000000076fc15cd 2 bytes JMP 763db29f C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20   0000000076fc16b2 2 bytes JMP 76458584 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31   0000000076fc16bd 2 bytes JMP 76457d4d C:\Windows\syswow64\kernel32.dll

---- Kernel code sections - GMER 2.1 ----

INITKDBG   C:\Windows\system32\ntoskrnl.exe   suspicious modification
INITKDBG   C:\Windows\system32\ntoskrnl.exe   suspicious modification
INITKDBG   C:\Windows\system32\ntoskrnl.exe   suspicious modification
INITKDBG   C:\Windows\system32\ntoskrnl.exe   suspicious modification

---- Processes - GMER 2.1 ----

Library   C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F3AB923A-19ED-4B99-900D-54BD6F10D0FC}\mpengine.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [4928] (Microsoft Malware Protection Engine/Microsoft Corporation)(2015-02-27 17:30:55)   000007fed5020000

---- EOF - GMER 2.1 ----
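A triage helper for logs in this format, added here as an example; it is not part of GMER and was not posted with the log above. It parses the "User code sections" hook lines (module!export, offset, patched address, JMP/CALL destination and the module the destination falls in), honours GMER's ".text ... * N" elision marker, and then groups hooks by what was patched and where control lands. The questions it answers are the ones worth asking of the log above: are the same hooks present in every hooked process, and do any hooks land in a module outside C:\Windows? The embedded sample log is constructed for the example and uses hypothetical process and DLL names (avsched.exe, svc.exe, unknown.dll); it is not taken from the page.

```python
"""Group GMER 2.1 user-mode hook entries by target and destination (added example)."""
import re
from collections import defaultdict

# ".text  <process>[pid]  <module!export> + <off>  <addr> <n> bytes <JMP|CALL> <dest> <dest module>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+"
    r"(?P<target>\S+!\S+)\s\+\s(?P<off>\d+)\s+"
    r"(?P<addr>[0-9a-fA-F]+)\s+(?P<size>\d+)\sbytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<dest>[0-9a-fA-F]+)\s+(?P<destmod>\S.*?)\s*$"
)
# ".text  ...  * 9": GMER folded nine further, similar entries for the same process
ELIDED_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s+(?P<count>\d+)\s*$")
# "INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification"
KERNEL_RE = re.compile(r"^(?P<section>\S+)\s+(?P<image>\S+)\s+suspicious modification\s*$")


def parse_gmer(text):
    """Return (hook dicts, {process: elided count}, [(kernel section, image)])."""
    hooks, elided, kernel, last_proc = [], defaultdict(int), [], None
    for line in text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            d = m.groupdict()
            d["off"], d["size"] = int(d["off"]), int(d["size"])
            hooks.append(d)
            last_proc = d["proc"]          # the elision marker refers to this process
            continue
        m = ELIDED_RE.match(line)
        if m and last_proc:
            elided[last_proc] += int(m.group("count"))
            continue
        m = KERNEL_RE.match(line)
        if m:
            kernel.append((m.group("section"), m.group("image")))
    return hooks, dict(elided), kernel


def group_by_hook(hooks):
    """Key = (export, offset, JMP/CALL, destination, destination module); value = processes."""
    groups = defaultdict(set)
    for h in hooks:
        groups[(h["target"], h["off"], h["kind"], h["dest"], h["destmod"])].add(h["proc"])
    return groups


def summarize(text):
    hooks, elided, kernel = parse_gmer(text)
    groups = group_by_hook(hooks)
    procs = {h["proc"] for h in hooks}
    return {
        "processes": sorted(procs),
        "hook_count": len(hooks),
        "elided": elided,
        # identical patch in every hooked process: consistent with one system-wide hooking layer
        "shared_hooks": sum(1 for v in groups.values() if v == procs),
        # a hook only one process carries deserves a closer look
        "process_specific": {k: v for k, v in groups.items() if len(v) == 1},
        # destinations outside the Windows directory are the first thing to resolve
        "outside_windows": [h for h in hooks if not h["destmod"].lower().startswith("c:\\windows\\")],
        "destination_modules": sorted({h["destmod"] for h in hooks}),
        "kernel_findings": kernel,
    }


# Constructed sample in GMER 2.1 layout; process names and unknown.dll are hypothetical.
SAMPLE_LOG = r"""
---- User code sections - GMER 2.1 ----

.text   C:\Program Files (x86)\Example AV\avsched.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17   0000000076fc1401 2 bytes JMP 763ceb26 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Example AV\avsched.exe[1376] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17   0000000076fc1419 2 bytes JMP 763db513 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Example AV\avsched.exe[1376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42   0000000076fc144a 2 bytes CALL 763b1dfa C:\Windows\syswow64\kernel32.dll
.text   ...   * 9
.text   C:\Windows\system32\svc.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17   0000000076fc1401 2 bytes JMP 763ceb26 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\system32\svc.exe[1888] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17   0000000076fc1419 2 bytes JMP 763db513 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\system32\svc.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42   0000000076fc144a 2 bytes CALL 763b1dfa C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\system32\svc.exe[1888] C:\Windows\syswow64\kernel32.dll!CreateProcessW + 5   0000000076401234 5 bytes JMP 10001000 C:\Users\Public\unknown.dll

---- Kernel code sections - GMER 2.1 ----

INITKDBG   C:\Windows\system32\ntoskrnl.exe   suspicious modification
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the log above, every hook line lands in C:\Windows\syswow64\kernel32.dll and the same set of PSAPI patches appears in all three processes, so `shared_hooks` equals the number of distinct hooks and `outside_windows` is empty; the parser does not say which component installed them, only that they are uniform. The kernel "INITKDBG ... suspicious modification" lines and the "(*** suspicious ***)" library entry are reported separately and are not hook evidence in themselves.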