GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-07-15 20:44:21 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9320325AS rev.D003DEM1 298,09GB Running: 71sktf3z.exe; Driver: C:\Users\Mateusz\AppData\Local\Temp\pwriifow.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2596] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007799fc9c 5 bytes JMP 0000000173a719c0 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2596] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007799fe60 5 bytes JMP 0000000173a715e0 .text C:\Windows\system32\SearchIndexer.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777ede30 5 bytes JMP 0000000077950128 .text C:\Windows\system32\SearchIndexer.exe[3252] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777edf50 5 bytes JMP 0000000077950018 .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777ede30 5 bytes JMP 0000000177670128 .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[3364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777edf50 5 bytes JMP 0000000177670018 .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[3364] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007769dbc0 5 bytes JMP 00000001776700a0 .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777ede30 5 bytes JMP 0000000177670128 .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777edf50 5 bytes JMP 0000000177670018 .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[3432] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007769dbc0 5 bytes JMP 00000001776700a0 .text C:\Windows\SysWOW64\ctfmon.exe[3796] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007799fc9c 5 bytes JMP 0000000173a719c0 .text C:\Windows\SysWOW64\ctfmon.exe[3796] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007799fe60 5 bytes JMP 0000000173a715e0 .text C:\Windows\SysWOW64\ctfmon.exe[3796] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077343bab 5 bytes JMP 0000000173a71750 .text C:\Windows\system32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777ede30 5 bytes JMP 0000000177670128 .text C:\Windows\system32\svchost.exe[2592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777edf50 5 bytes JMP 0000000177670018 .text C:\Windows\system32\svchost.exe[2592] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007769dbc0 5 bytes JMP 00000001776700a0 .text C:\Windows\System32\svchost.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777ede30 5 bytes JMP 0000000177670128 .text C:\Windows\System32\svchost.exe[4224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777edf50 5 bytes JMP 0000000177670018 .text C:\Windows\System32\svchost.exe[4224] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007769dbc0 5 bytes JMP 00000001776700a0 .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007799fc9c 5 bytes JMP 0000000173a719c0 .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4460] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007799fe60 5 bytes JMP 0000000173a715e0 .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4460] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077343bab 5 bytes JMP 0000000173a71750 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4364] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007799fc9c 5 bytes JMP 0000000173a719c0 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4364] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007799fe60 5 bytes JMP 0000000173a715e0 .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4364] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077343bab 5 bytes JMP 0000000173a71750 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASC.exe[6544] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007799fc9c 5 bytes JMP 0000000173a719c0 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASC.exe[6544] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007799fe60 5 bytes JMP 0000000173a715e0 .text C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASC.exe[6544] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000077343bab 5 bytes JMP 0000000173a71750 .text C:\Windows\system32\svchost.exe[7052] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777ede30 5 bytes JMP 0000000177670128 .text C:\Windows\system32\svchost.exe[7052] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777edf50 5 bytes JMP 0000000177670018 .text C:\Windows\system32\svchost.exe[7052] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007769dbc0 5 bytes JMP 00000001776700a0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\5063138d6712 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{D840B34E-1EED-40BE-91CC-5A3F2A110B35}@LeaseObtainedTime 1436980976 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{D840B34E-1EED-40BE-91CC-5A3F2A110B35}@T1 1437024176 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{D840B34E-1EED-40BE-91CC-5A3F2A110B35}@T2 1437056576 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{D840B34E-1EED-40BE-91CC-5A3F2A110B35}@LeaseTerminatesTime 1437067376 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\5063138d6712 (not active ControlSet) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814}\iexplore@Count 43 ---- EOF - GMER 2.1 ----