GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-03-05 16:56:37 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD103SI rev.1AG01118 931,51GB Running: w4grpu6d.exe; Driver: C:\Users\MarCin\AppData\Local\Temp\awrdrpoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000755b1401 2 bytes JMP 773cb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3008] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000755b1419 2 bytes JMP 773cb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000755b1431 2 bytes JMP 77448ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000755b144a 2 bytes CALL 773a48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3008] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755b14dd 2 bytes JMP 774487a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755b14f5 2 bytes JMP 77448978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3008] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000755b150d 2 bytes JMP 77448698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000755b1525 2 bytes JMP 77448a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000755b153d 2 bytes JMP 773bfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3008] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000755b1555 2 bytes JMP 773c68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000755b156d 2 bytes JMP 77448f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000755b1585 2 bytes JMP 77448ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3008] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000755b159d 2 bytes JMP 7744865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755b15b5 2 bytes JMP 773bfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755b15cd 2 bytes JMP 773cb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755b16b2 2 bytes JMP 77448e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755b16bd 2 bytes JMP 774485f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000755b1401 2 bytes JMP 773cb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3024] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000755b1419 2 bytes JMP 773cb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000755b1431 2 bytes JMP 77448ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000755b144a 2 bytes CALL 773a48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3024] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755b14dd 2 bytes JMP 774487a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755b14f5 2 bytes JMP 77448978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3024] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000755b150d 2 bytes JMP 77448698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000755b1525 2 bytes JMP 77448a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000755b153d 2 bytes JMP 773bfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3024] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000755b1555 2 bytes JMP 773c68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000755b156d 2 bytes JMP 77448f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000755b1585 2 bytes JMP 77448ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3024] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000755b159d 2 bytes JMP 7744865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755b15b5 2 bytes JMP 773bfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755b15cd 2 bytes JMP 773cb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755b16b2 2 bytes JMP 77448e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755b16bd 2 bytes JMP 774485f1 C:\Windows\syswow64\kernel32.dll ? C:\Windows\system32\mssprxy.dll [3024] entry point in ".rdata" section 0000000073bc71e6 .text C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe[2876] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 00000000755b1401 2 bytes JMP 773cb21b C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe[2876] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 00000000755b1419 2 bytes JMP 773cb346 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe[2876] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 00000000755b1431 2 bytes JMP 77448ea9 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe[2876] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 00000000755b144a 2 bytes CALL 773a48ad C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe[2876] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000755b14dd 2 bytes JMP 774487a2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe[2876] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000755b14f5 2 bytes JMP 77448978 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe[2876] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 00000000755b150d 2 bytes JMP 77448698 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe[2876] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 00000000755b1525 2 bytes JMP 77448a62 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe[2876] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 00000000755b153d 2 bytes JMP 773bfca8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe[2876] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 00000000755b1555 2 bytes JMP 773c68ef C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe[2876] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 00000000755b156d 2 bytes JMP 77448f61 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe[2876] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 00000000755b1585 2 bytes JMP 77448ac2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe[2876] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 00000000755b159d 2 bytes JMP 7744865c C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe[2876] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000755b15b5 2 bytes JMP 773bfd41 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe[2876] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000755b15cd 2 bytes JMP 773cb2dc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe[2876] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000755b16b2 2 bytes JMP 77448e24 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe[2876] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000755b16bd 2 bytes JMP 774485f1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077761650 5 bytes JMP 0000000177700018 .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077761650 5 bytes JMP 0000000177700018 .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2816] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077761650 5 bytes JMP 0000000177700018 .text C:\Windows\system32\svchost.exe[5432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077761650 5 bytes JMP 0000000177700018 .text C:\Windows\system32\svchost.exe[5584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077761650 5 bytes JMP 0000000177700018 .text C:\Windows\system32\SearchIndexer.exe[5660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077761650 5 bytes JMP 00000000778c0018 .text C:\Windows\System32\svchost.exe[5068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077761650 5 bytes JMP 0000000177700018 .text E:\POBRANE Mozilla\w4grpu6d.exe[5596] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007790fe14 5 bytes JMP 0000000175161000 ---- EOF - GMER 2.1 ----