GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-03-16 12:27:17 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000066 Intel___ rev.1.0_ 929.46GB Running: oh92v631-gmer.exe; Driver: C:\Users\admin\AppData\Local\Temp\pxldqpow.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1636] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076348791 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1636] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000076611401 2 bytes JMP 7636b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1636] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000076611419 2 bytes JMP 7636b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1636] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000076611431 2 bytes JMP 763e9011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1636] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 000000007661144a 2 bytes CALL 763448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1636] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000766114dd 2 bytes JMP 763e890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1636] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000766114f5 2 bytes JMP 763e8ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1636] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 000000007661150d 2 bytes JMP 763e8800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1636] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000076611525 2 bytes JMP 763e8bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1636] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 000000007661153d 2 bytes JMP 7635fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1636] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000076611555 2 bytes JMP 76366907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1636] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 000000007661156d 2 bytes JMP 763e90c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1636] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000076611585 2 bytes JMP 763e8c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1636] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 000000007661159d 2 bytes JMP 763e87c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1636] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000766115b5 2 bytes JMP 7635fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1636] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000766115cd 2 bytes JMP 7636b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1636] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000766116b2 2 bytes JMP 763e8f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1636] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000766116bd 2 bytes JMP 763e8759 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\nhsrvice.exe[1856] C:\Windows\syswow64\kernel32.dll!ExitProcess 00000000763479d8 5 bytes JMP 000000000044b28e .text C:\Windows\SysWOW64\nhsrvice.exe[1856] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000742417fa 2 bytes CALL 763411a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\nhsrvice.exe[1856] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000074241860 2 bytes CALL 763411a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\nhsrvice.exe[1856] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000074241942 2 bytes JMP 756c7089 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\nhsrvice.exe[1856] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 000000007424194d 2 bytes JMP 756ccba6 C:\Windows\syswow64\WS2_32.dll .text C:\Program Files (x86)\Pervasive Software\PSQL\bin\notifyviewer.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076611401 2 bytes JMP 7636b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pervasive Software\PSQL\bin\notifyviewer.exe[5164] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076611419 2 bytes JMP 7636b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pervasive Software\PSQL\bin\notifyviewer.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076611431 2 bytes JMP 763e9011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pervasive Software\PSQL\bin\notifyviewer.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007661144a 2 bytes CALL 763448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Pervasive Software\PSQL\bin\notifyviewer.exe[5164] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000766114dd 2 bytes JMP 763e890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pervasive Software\PSQL\bin\notifyviewer.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000766114f5 2 bytes JMP 763e8ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pervasive Software\PSQL\bin\notifyviewer.exe[5164] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007661150d 2 bytes JMP 763e8800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pervasive Software\PSQL\bin\notifyviewer.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076611525 2 bytes JMP 763e8bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pervasive Software\PSQL\bin\notifyviewer.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007661153d 2 bytes JMP 7635fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pervasive Software\PSQL\bin\notifyviewer.exe[5164] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076611555 2 bytes JMP 76366907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pervasive Software\PSQL\bin\notifyviewer.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007661156d 2 bytes JMP 763e90c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pervasive Software\PSQL\bin\notifyviewer.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076611585 2 bytes JMP 763e8c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pervasive Software\PSQL\bin\notifyviewer.exe[5164] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007661159d 2 bytes JMP 763e87c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pervasive Software\PSQL\bin\notifyviewer.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000766115b5 2 bytes JMP 7635fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pervasive Software\PSQL\bin\notifyviewer.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000766115cd 2 bytes JMP 7636b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pervasive Software\PSQL\bin\notifyviewer.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000766116b2 2 bytes JMP 763e8f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Pervasive Software\PSQL\bin\notifyviewer.exe[5164] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000766116bd 2 bytes JMP 763e8759 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Embarcadero\AppWaveBrowser\AppWaveBrowser.exe[6404] C:\Windows\syswow64\kernel32.dll!CreateThread + 28 00000000763434b1 4 bytes {CALL 0xffffffff8a1269e8} .text C:\ProgramData\Embarcadero\AppWaveBrowser\AppWaveBrowser.exe[6404] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076611401 2 bytes JMP 7636b233 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Embarcadero\AppWaveBrowser\AppWaveBrowser.exe[6404] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076611419 2 bytes JMP 7636b35e C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Embarcadero\AppWaveBrowser\AppWaveBrowser.exe[6404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076611431 2 bytes JMP 763e9011 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Embarcadero\AppWaveBrowser\AppWaveBrowser.exe[6404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007661144a 2 bytes CALL 763448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\ProgramData\Embarcadero\AppWaveBrowser\AppWaveBrowser.exe[6404] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000766114dd 2 bytes JMP 763e890a C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Embarcadero\AppWaveBrowser\AppWaveBrowser.exe[6404] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000766114f5 2 bytes JMP 763e8ae0 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Embarcadero\AppWaveBrowser\AppWaveBrowser.exe[6404] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007661150d 2 bytes JMP 763e8800 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Embarcadero\AppWaveBrowser\AppWaveBrowser.exe[6404] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076611525 2 bytes JMP 763e8bca C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Embarcadero\AppWaveBrowser\AppWaveBrowser.exe[6404] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007661153d 2 bytes JMP 7635fcc0 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Embarcadero\AppWaveBrowser\AppWaveBrowser.exe[6404] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076611555 2 bytes JMP 76366907 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Embarcadero\AppWaveBrowser\AppWaveBrowser.exe[6404] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007661156d 2 bytes JMP 763e90c9 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Embarcadero\AppWaveBrowser\AppWaveBrowser.exe[6404] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076611585 2 bytes JMP 763e8c2a C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Embarcadero\AppWaveBrowser\AppWaveBrowser.exe[6404] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007661159d 2 bytes JMP 763e87c4 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Embarcadero\AppWaveBrowser\AppWaveBrowser.exe[6404] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000766115b5 2 bytes JMP 7635fd59 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Embarcadero\AppWaveBrowser\AppWaveBrowser.exe[6404] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000766115cd 2 bytes JMP 7636b2f4 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Embarcadero\AppWaveBrowser\AppWaveBrowser.exe[6404] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000766116b2 2 bytes JMP 763e8f8c C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Embarcadero\AppWaveBrowser\AppWaveBrowser.exe[6404] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000766116bd 2 bytes JMP 763e8759 C:\Windows\syswow64\kernel32.dll ---- Files - GMER 2.2 ---- File C:\ProgramData\Embarcadero\Product Repository\StreamingCore\Profiles\admin\Applications\{77195600-E283-42C1-B4A9-67FFB372C263}\FSD\File_stDnr 0 bytes ---- EOF - GMER 2.2 ----