GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-03-15 14:08:25 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Samsung_SSD_840_EVO_120GB rev.EXT0BB6Q 111,79GB Running: 1kiwk5yj.exe; Driver: C:\Users\Mateusz\AppData\Local\Temp\pwriypow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\SysWOW64\vmnat.exe[2220] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 4 0000000071dc13b0 2 bytes JMP 74a55660 C:\Windows\syswow64\SHELL32.dll .text C:\Windows\SysWOW64\vmnat.exe[2220] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 20 0000000071dc13c0 2 bytes CALL 76229cee C:\Windows\syswow64\msvcrt.dll .text ... * 20 .text C:\Windows\SysWOW64\vmnat.exe[2220] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 22 0000000071dc153e 2 bytes CALL 74ae7794 C:\Windows\syswow64\SHELL32.dll .text C:\Windows\SysWOW64\vmnat.exe[2220] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 43 0000000071dc1553 2 bytes CALL 756e10ff C:\Windows\syswow64\kernel32.dll .text C:\Users\Mateusz\AppData\Roaming\uTorrent\uTorrent.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076effc50 5 bytes JMP 00000001743b1460 .text C:\Users\Mateusz\AppData\Roaming\uTorrent\uTorrent.exe[3008] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076effe14 5 bytes JMP 00000001743b1120 .text C:\Users\Mateusz\AppData\Roaming\uTorrent\uTorrent.exe[3008] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000756f3bbb 5 bytes JMP 00000001743b1260 .text C:\Users\Mateusz\AppData\Roaming\uTorrent\uTorrent.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076eb1401 2 bytes JMP 7570b21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Mateusz\AppData\Roaming\uTorrent\uTorrent.exe[3008] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076eb1419 2 bytes JMP 7570b346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mateusz\AppData\Roaming\uTorrent\uTorrent.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076eb1431 2 bytes JMP 75788ea9 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mateusz\AppData\Roaming\uTorrent\uTorrent.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076eb144a 2 bytes CALL 756e48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Mateusz\AppData\Roaming\uTorrent\uTorrent.exe[3008] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076eb14dd 2 bytes JMP 757887a2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mateusz\AppData\Roaming\uTorrent\uTorrent.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076eb14f5 2 bytes JMP 75788978 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mateusz\AppData\Roaming\uTorrent\uTorrent.exe[3008] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076eb150d 2 bytes JMP 75788698 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mateusz\AppData\Roaming\uTorrent\uTorrent.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076eb1525 2 bytes JMP 75788a62 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mateusz\AppData\Roaming\uTorrent\uTorrent.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076eb153d 2 bytes JMP 756ffca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mateusz\AppData\Roaming\uTorrent\uTorrent.exe[3008] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076eb1555 2 bytes JMP 757068ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Mateusz\AppData\Roaming\uTorrent\uTorrent.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076eb156d 2 bytes JMP 75788f61 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mateusz\AppData\Roaming\uTorrent\uTorrent.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076eb1585 2 bytes JMP 75788ac2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mateusz\AppData\Roaming\uTorrent\uTorrent.exe[3008] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076eb159d 2 bytes JMP 7578865c C:\Windows\syswow64\kernel32.dll .text C:\Users\Mateusz\AppData\Roaming\uTorrent\uTorrent.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076eb15b5 2 bytes JMP 756ffd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mateusz\AppData\Roaming\uTorrent\uTorrent.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076eb15cd 2 bytes JMP 7570b2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Mateusz\AppData\Roaming\uTorrent\uTorrent.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076eb16b2 2 bytes JMP 75788e24 C:\Windows\syswow64\kernel32.dll .text C:\Users\Mateusz\AppData\Roaming\uTorrent\uTorrent.exe[3008] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076eb16bd 2 bytes JMP 757885f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d51530 5 bytes JMP 0000000076eb0128 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3016] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d51650 5 bytes JMP 0000000076eb0018 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3016] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW 0000000076bfdb80 5 bytes JMP 0000000076eb00a0 .text C:\Program Files (x86)\ALLPlayer Remote\ALLPlayerRemoteControl.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076effc50 5 bytes JMP 00000001743b1460 .text C:\Program Files (x86)\ALLPlayer Remote\ALLPlayerRemoteControl.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076effe14 5 bytes JMP 00000001743b1120 .text C:\Program Files (x86)\ALLPlayer Remote\ALLPlayerRemoteControl.exe[3116] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000756f3bbb 5 bytes JMP 00000001743b1260 .text C:\Users\Mateusz\AppData\Roaming\Spotify\SpotifyWebHelper.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076effc50 5 bytes JMP 00000001743b1460 .text C:\Users\Mateusz\AppData\Roaming\Spotify\SpotifyWebHelper.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076effe14 5 bytes JMP 00000001743b1120 .text C:\Users\Mateusz\AppData\Roaming\Spotify\SpotifyWebHelper.exe[3180] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000756f3bbb 5 bytes JMP 00000001743b1260 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3764] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076effc50 5 bytes JMP 00000001743b1460 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3764] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076effe14 5 bytes JMP 00000001743b1120 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3764] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000756f3bbb 5 bytes JMP 00000001743b1260 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076effc50 5 bytes JMP 00000001743b1460 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3848] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076effe14 5 bytes JMP 00000001743b1120 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3848] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000756f3bbb 5 bytes JMP 00000001743b1260 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076eb1401 2 bytes JMP 7570b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3848] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076eb1419 2 bytes JMP 7570b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076eb1431 2 bytes JMP 75788ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076eb144a 2 bytes CALL 756e48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3848] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076eb14dd 2 bytes JMP 757887a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076eb14f5 2 bytes JMP 75788978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3848] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076eb150d 2 bytes JMP 75788698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076eb1525 2 bytes JMP 75788a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076eb153d 2 bytes JMP 756ffca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3848] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076eb1555 2 bytes JMP 757068ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076eb156d 2 bytes JMP 75788f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076eb1585 2 bytes JMP 75788ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3848] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076eb159d 2 bytes JMP 7578865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076eb15b5 2 bytes JMP 756ffd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076eb15cd 2 bytes JMP 7570b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076eb16b2 2 bytes JMP 75788e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3848] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076eb16bd 2 bytes JMP 757885f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\ctfmon.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076effc50 5 bytes JMP 00000001743b1460 .text C:\Windows\SysWOW64\ctfmon.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076effe14 5 bytes JMP 00000001743b1120 .text C:\Windows\SysWOW64\ctfmon.exe[4176] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000756f3bbb 5 bytes JMP 00000001743b1260 .text C:\Windows\system32\SearchIndexer.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d51530 5 bytes JMP 0000000076eb0128 .text C:\Windows\system32\SearchIndexer.exe[4348] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d51650 5 bytes JMP 0000000076eb0018 .text C:\Windows\system32\svchost.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d51530 5 bytes JMP 0000000076eb0128 .text C:\Windows\system32\svchost.exe[4680] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d51650 5 bytes JMP 0000000076eb0018 .text C:\Windows\system32\svchost.exe[4680] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076bfdb80 5 bytes JMP 0000000076eb00a0 .text C:\Windows\System32\svchost.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d51530 5 bytes JMP 0000000076eb0128 .text C:\Windows\System32\svchost.exe[4968] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d51650 5 bytes JMP 0000000076eb0018 .text C:\Windows\System32\svchost.exe[4968] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076bfdb80 5 bytes JMP 0000000076eb00a0 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d51530 5 bytes JMP 0000000076eb0128 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d51650 5 bytes JMP 0000000076eb0018 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5108] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076bfdb80 5 bytes JMP 0000000076eb00a0 .text C:\Program Files\Elantech\ETDIntelligent.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d51530 5 bytes JMP 0000000076eb0128 .text C:\Program Files\Elantech\ETDIntelligent.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d51650 5 bytes JMP 0000000076eb0018 .text C:\Program Files\Elantech\ETDIntelligent.exe[3208] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076bfdb80 5 bytes JMP 0000000076eb00a0 .text C:\Windows\system32\taskeng.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d51530 5 bytes JMP 0000000076eb0128 .text C:\Windows\system32\taskeng.exe[4916] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d51650 5 bytes JMP 0000000076eb0018 .text C:\Windows\system32\taskeng.exe[4916] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076bfdb80 5 bytes JMP 0000000076eb00a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d51530 5 bytes JMP 0000000076eb0128 .text C:\Windows\system32\wbem\wmiprvse.exe[3288] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d51650 5 bytes JMP 0000000076eb0018 .text C:\Windows\system32\wbem\wmiprvse.exe[3288] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076bfdb80 5 bytes JMP 0000000076eb00a0 .text C:\Users\Mateusz\Downloads\FRST64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076d51530 5 bytes JMP 0000000076eb0128 .text C:\Users\Mateusz\Downloads\FRST64.exe[4544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d51650 5 bytes JMP 0000000076eb0018 .text C:\Users\Mateusz\Downloads\FRST64.exe[4544] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076bfdb80 5 bytes JMP 0000000076eb00a0 .text C:\Users\Mateusz\Downloads\1kiwk5yj.exe[2268] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076effc50 5 bytes JMP 00000001743b1460 .text C:\Users\Mateusz\Downloads\1kiwk5yj.exe[2268] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000076effe14 5 bytes JMP 00000001743b1120 .text C:\Users\Mateusz\Downloads\1kiwk5yj.exe[2268] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 00000000756f3bbb 5 bytes JMP 00000001743b1260 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2336] (GG drive overlay/GG Network S.A.)(2014-09-11 19:29:32) 000000005c080000 Library C:\Users\Mateusz\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2336] (GG drive menu/GG Network S.A.) 000000005ff80000 ---- EOF - GMER 2.1 ----