GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-06-23 19:05:16
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HDT721050SLA360 rev.ST3OA31B 465,76GB
Running: 11eprilr.exe; Driver: C:\Users\KWAS\AppData\Local\Temp\pxldapow.sys


---- User IAT/EAT - GMER 2.2 ----

IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[msvcrt.dll!malloc]  [28c4834800000001]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[msvcrt.dll!_vsnwprintf]  [ccccccccccccccc3]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[msvcrt.dll!_XcptFilter]  [ccccffffc09225ff]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[msvcrt.dll!wcsrchr]  [83485540cccccccc]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[msvcrt.dll!_wcsnicmp]  [8d8948ea8b4820ec]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[msvcrt.dll!wcschr]  [8b018b4800000100]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[msvcrt.dll!memset]  [48000000a8958910]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[msvcrt.dll!_amsg_exit]  [6d73633d50458b50]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[msvcrt.dll!free]  [f8958b481475e0]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[msvcrt.dll!wcsstr]  [f95ce8504d8b0000]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[msvcrt.dll!_initterm]  [c707eb304589ffff]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[msvcrt.dll!memcpy]  [458b000000003045]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[ntdll.dll!RtlCaptureContext]  [cccccccccccccccc]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[ntdll.dll!RtlLookupFunctionEntry]  [83485540cccccccc]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[ntdll.dll!RtlVirtualUnwind]  [8d8948ea8b4820ec]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[ntdll.dll!NtOpenFile]  [8b018b4800000110]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[ntdll.dll!RtlInitUnicodeString]  [4800000098958910]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[ntdll.dll!NtClose]  [5589000000d08d89]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[ntdll.dll!NtCreateFile]  [6d73633d70458b70]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[ntdll.dll!RtlAppendUnicodeToString]  [d0958b481475e0]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[ntdll.dll!NtFsControlFile]  [f8fce8704d8b0000]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[ntdll.dll!NtQueryAttributesFile]  [c707eb384589ffff]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\drprov.dll[WINSTA.dll!WinStationIsSessionRemoteable]  [5589000000908d89]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!??2@YAPEAX_K@Z]  [577845656d61]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!_amsg_exit]  [15741d000c1d01]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!_wcsicmp]  [13541d0014641d]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!wcsrchr]  [e019d21d0012341d]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!_XcptFilter]  [40a01c015d017]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!wcschr]  [7006520a000b340a]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!_initterm]  [10641c000c1c01]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!wcscpy_s]  [e341c000f541c]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!memmove]  [d014e016f018721c]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!_purecall]  [a16017010c012]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!??3@YAXPEAX@Z]  [a3416000b5416]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!_wcsupr]  [c00ed010e0123216]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!wcscat_s]  [60f01600b700c]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!_vsnwprintf]  [6340f0007640f]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!free]  [20601700b320f]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!strcpy_s]  [40a0130023206]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!memset]  [7006320a0006340a]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!__RTDynamicCast]  [f641400081401]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!??1type_info@@UEAA@XZ]  [d3414000e5414]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!towupper]  [a180170109214]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!malloc]  [b5418000c6418]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!_ultow]  [d0145218000a3418]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!_wcsnicmp]  [208017010c012]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[msvcrt.dll!memcpy]  [4c010f0053340f]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!RtlCaptureContext]  [2500000c5c0]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!RtlLookupFunctionEntry]  [0]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!RtlVirtualUnwind]  [3004720800020801]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!NtCreateFile]  [b541200081201]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!NtQueryInformationFile]  [c00e5212000a3412]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!NtOpenProcessToken]  [a1801600b700c]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!NtClose]  [10541800116418]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!RtlCopyLuid]  [d0149218000f3418]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!NtOpenFile]  [814017010c012]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!RtlInitUnicodeStringEx]  [95414000a6414]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!RtlCompareUnicodeString]  [7010521400083414]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!RtlEqualUnicodeString]  [155417000a1701]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!RtlInitUnicodeString]  [f013b21700143417]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!NtQueryInformationToken]  [600c700dc00fd011]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!NtFsControlFile]  [b741d000c1d01]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!RtlInitializeCriticalSection]  [9541d000a641d]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!RtlLeaveCriticalSection]  [e019321d0008341d]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!NtSetInformationThread]  [81401c015d017]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!NtImpersonateAnonymousToken]  [7541400086414]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!NtOpenThreadToken]  [7010321400063414]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!RtlInitializeResource]  [420400010401]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!RtlGetLastNtStatus]  [15340f00061e19]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!RtlAcquireResourceExclusive]  [500660077008f20f]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!RtlDeleteResource]  [700000c5c0]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!RtlReleaseResource]  [0]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!RtlDeleteCriticalSection]  [620400010401]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!RtlNtStatusToDosError]  [e00dd21100081101]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[ntdll.dll!RtlEnterCriticalSection]  [60067007c009d00b]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[KERNEL32.dll!GetComputerNameW]  [10341400115414]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[KERNEL32.dll!DelayLoadFailureHook]  [20b017010d214]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[KERNEL32.dll!LoadLibraryW]  [820013004f20b]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\ntlanman.dll[KERNEL32.dll!GetComputerNameExW]  [d015e017f019f220]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!memset]  [3b4908c68348d1ff]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!memcpy]  [82850fc33be572f6]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!_amsg_exit]  [134cf0d8d480001]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!free]  [5c70000050ae800]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!_initterm]  [200018108]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!malloc]  [48c38b480a75eb3b]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!_XcptFilter]  [3948000180e20587]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!iswdigit]  [7d850f00018ae31d]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!toupper]  [180df3d01000018]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!_vsnwprintf]  [58b00000083e900]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!_wcsnicmp]  [8e0fc33b000180d4]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!wcschr]  [2b017b8d00001831]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!RtlCaptureContext]  [3db10f48f0c03300]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!RtlLookupFunctionEntry]  [17e0850f000180a4]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!EtwTraceMessage]  [180b0058b0000]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!EtwEventWrite]  [17e2850f02f883]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!EtwEventUnregister]  [180d02d8b4800]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!NtClose]  [358b482d74eb3b48]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!RtlNtStatusToDosError]  [f8c68348000180bc]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!NtCreateFile]  [cf830ff53b4800eb]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!EtwEventRegister]  [15ffcd8b48000017]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!NtFsControlFile]  [9d1d894800012efc]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!RtlInitUnicodeString]  [809e1d8948000180]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!RtlVirtualUnwind]  [180681d890001]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!UnhandledExceptionFilter]  [9090909090909090]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!GetProcAddress]  [9090909090909090]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!FreeLibrary]  [6c894808245c8948]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!SetLastError]  [5541544157561024]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!LocalFree]  [db3320ec83485641]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!LocalAlloc]  [d33be98b4ce08b4d]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!GetLastError]  [1bf000000c0840f]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!Sleep]  [36850fd73b000000]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!DisableThreadLibraryCalls]  [25048b4865000001]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!DelayLoadFailureHook]  [8b48eb8b00000030]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!QueryPerformanceCounter]  [48f0c03300eb0870]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!GetTickCount]  [f0001816135b10f]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!GetCurrentThreadId]  [8b00eb000018d785]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!GetCurrentProcessId]  [fc33b0001816b05]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!GetSystemTimeAsFileTime]  [358d48000018e485]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!TerminateProcess]  [2d358d4c00013524]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!GetCurrentProcess]  [1814f3d89000135]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!SetUnhandledExceptionFilter]  [2373f63b49c38b00]
IAT  C:\Windows\Explorer.EXE[1268] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!LoadLibraryExA]  [189d850fc33b]

---- EOF - GMER 2.2 ----