GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-03-05 16:49:38 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000DM003-1CH162 rev.CC49 931,51GB Running: l1ec4dzz.exe; Driver: C:\Users\Andrzej\AppData\Local\Temp\pwliqpog.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\avastui.exe[2024] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076938791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5052] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077441401 2 bytes JMP 7695b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5052] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077441419 2 bytes JMP 7695b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5052] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077441431 2 bytes JMP 769d8ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5052] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007744144a 2 bytes CALL 769348ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5052] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774414dd 2 bytes JMP 769d87a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5052] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774414f5 2 bytes JMP 769d8978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5052] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007744150d 2 bytes JMP 769d8698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5052] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077441525 2 bytes JMP 769d8a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5052] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007744153d 2 bytes JMP 7694fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5052] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077441555 2 bytes JMP 769568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5052] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007744156d 2 bytes JMP 769d8f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5052] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077441585 2 bytes JMP 769d8ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5052] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007744159d 2 bytes JMP 769d865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5052] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774415b5 2 bytes JMP 7694fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5052] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774415cd 2 bytes JMP 7695b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5052] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774416b2 2 bytes JMP 769d8e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5052] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774416bd 2 bytes JMP 769d85f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[2052] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077441401 2 bytes JMP 7695b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[2052] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077441419 2 bytes JMP 7695b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[2052] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077441431 2 bytes JMP 769d8ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[2052] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007744144a 2 bytes CALL 769348ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[2052] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774414dd 2 bytes JMP 769d87a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[2052] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774414f5 2 bytes JMP 769d8978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[2052] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007744150d 2 bytes JMP 769d8698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[2052] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077441525 2 bytes JMP 769d8a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[2052] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007744153d 2 bytes JMP 7694fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[2052] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077441555 2 bytes JMP 769568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[2052] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007744156d 2 bytes JMP 769d8f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[2052] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077441585 2 bytes JMP 769d8ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[2052] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007744159d 2 bytes JMP 769d865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[2052] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774415b5 2 bytes JMP 7694fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[2052] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774415cd 2 bytes JMP 7695b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[2052] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774416b2 2 bytes JMP 769d8e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[2052] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774416bd 2 bytes JMP 769d85f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077441401 2 bytes JMP 7695b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[4944] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077441419 2 bytes JMP 7695b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077441431 2 bytes JMP 769d8ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007744144a 2 bytes CALL 769348ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[4944] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774414dd 2 bytes JMP 769d87a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774414f5 2 bytes JMP 769d8978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[4944] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007744150d 2 bytes JMP 769d8698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077441525 2 bytes JMP 769d8a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007744153d 2 bytes JMP 7694fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[4944] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077441555 2 bytes JMP 769568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007744156d 2 bytes JMP 769d8f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077441585 2 bytes JMP 769d8ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[4944] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007744159d 2 bytes JMP 769d865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774415b5 2 bytes JMP 7694fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774415cd 2 bytes JMP 7695b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774416b2 2 bytes JMP 769d8e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2launcher.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774416bd 2 bytes JMP 769d85f1 C:\Windows\syswow64\kernel32.dll ---- Threads - GMER 2.1 ---- Thread [1356:1404] 0000000077a32e65 Thread [1356:1416] 0000000077a33e85 Thread [1356:1420] 000000007510f28e Thread [1356:1432] 0000000076da7587 Thread [1356:1600] 0000000074887390 Thread [1356:1604] 00000000748e2240 Thread [1356:1804] 0000000074746780 Thread [1356:1808] 0000000074745c30 Thread [1356:1812] 000000007510f28e Thread [1356:1472] 000000007472e070 Thread [1356:1504] 000000007472e070 Thread [1356:796] 000000007472e070 Thread [1356:792] 000000007472e070 Thread [1356:1532] 000000007472e070 Thread [1356:1540] 000000007472f630 Thread [1356:1536] 000000007472f630 Thread [1356:1572] 000000007472e7d0 Thread [1356:1296] 000000007479c860 Thread [1356:1656] 000000007479ad70 Thread [1356:1576] 000000007479b2d0 Thread [1356:1320] 00000000747323a0 Thread [1356:1712] 00000000747323a0 Thread [1356:1784] 00000000747323a0 Thread [1356:924] 00000000747323a0 Thread [1356:1760] 00000000747323a0 Thread [1356:1800] 00000000747320e0 Thread [1356:1496] 0000000070b11080 Thread [1356:2020] 0000000070db14b0 Thread [1356:1448] 0000000074747700 Thread [1356:1376] 0000000074731830 Thread [1356:1244] 000000007510f28e Thread [1356:1396] 000000007644d864 Thread [1356:2060] 00000000747b85f0 Thread [1356:2088] 0000000074537740 Thread [1356:2092] 0000000070b116d0 Thread [1356:2104] 0000000073159a90 Thread [1356:2124] 0000000074430480 Thread [1356:2128] 000000007510f28e Thread [1356:2136] 00000000748e65e0 Thread [1356:2140] 00000000748e9850 Thread [1356:2144] 000000007510f28e Thread [1356:2152] 000000007510f28e Thread [1356:2156] 000000007510f28e Thread [1356:2160] 000000007510f28e Thread [1356:2164] 000000007510f28e Thread [1356:2172] 000000007510f28e Thread [1356:2176] 000000007510f28e Thread [1356:2184] 0000000073098670 Thread [1356:2188] 0000000073098670 Thread [1356:2192] 0000000073098670 Thread [1356:2196] 0000000073098670 Thread [1356:2200] 0000000073098670 Thread [1356:2204] 0000000073098670 Thread [1356:2208] 0000000073098670 Thread [1356:2212] 0000000073098670 Thread [1356:2216] 0000000073098670 Thread [1356:2228] 000000007510f28e Thread [1356:2312] 00000000747dbae0 Thread [1356:2316] 000000007510f28e Thread [1356:2328] 000000007510f28e Thread [1356:2368] 000000007510f28e Thread [1356:2380] 000000007510f28e Thread [1356:2384] 000000007510f28e Thread [1356:3236] 000000007644d864 Thread [1356:4288] 0000000070c813b0 Thread [1356:4576] 000000007510f28e Thread [1356:2792] 0000000077a33e85 Thread [1356:1492] 0000000077a33e85 Thread [1356:3464] 00000000731b62ee Thread [1356:3884] 0000000077a33e85 Thread [1356:756] 0000000077a33e85 Thread [1356:1624] 0000000077a33e85 Thread [1356:2744] 0000000077a33e85 Thread C:\Windows\System32\svchost.exe [5092:4256] 000007fef14e9688 ---- EOF - GMER 2.1 ----