GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-12 21:58:05
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 PLEXTOR_PX-G256M6e rev.1.06 238,47GB
Running: z08et3gp.exe; Driver: C:\Users\Henry\AppData\Local\Temp\pxldipow.sys

---- User code sections - GMER 2.2 ----

.text  C:\Program Files\AVAST Software\Avast\afwServ.exe[1500]  C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000076c38769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2336]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076681401 2 bytes JMP 76c5b233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2336]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076681419 2 bytes JMP 76c5b35e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2336]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076681431 2 bytes JMP 76cd9149 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2336]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007668144a 2 bytes CALL 76c34885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2336]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000766814dd 2 bytes JMP 76cd8a42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2336]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000766814f5 2 bytes JMP 76cd8c18 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2336]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007668150d 2 bytes JMP 76cd8938 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2336]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076681525 2 bytes JMP 76cd8d02 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2336]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007668153d 2 bytes JMP 76c4fcc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2336]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076681555 2 bytes JMP 76c56907 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2336]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007668156d 2 bytes JMP 76cd9201 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2336]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076681585 2 bytes JMP 76cd8d62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2336]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007668159d 2 bytes JMP 76cd88fc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2336]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000766815b5 2 bytes JMP 76c4fd59 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2336]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000766815cd 2 bytes JMP 76c5b2f4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2336]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000766816b2 2 bytes JMP 76cd90c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2336]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000766816bd 2 bytes JMP 76cd8891 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\AVAST Software\Avast\avastui.exe[2420]  C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000076c38769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076681401 2 bytes JMP 76c5b233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076681419 2 bytes JMP 76c5b35e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076681431 2 bytes JMP 76cd9149 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007668144a 2 bytes CALL 76c34885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000766814dd 2 bytes JMP 76cd8a42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000766814f5 2 bytes JMP 76cd8c18 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007668150d 2 bytes JMP 76cd8938 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076681525 2 bytes JMP 76cd8d02 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007668153d 2 bytes JMP 76c4fcc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076681555 2 bytes JMP 76c56907 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007668156d 2 bytes JMP 76cd9201 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076681585 2 bytes JMP 76cd8d62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007668159d 2 bytes JMP 76cd88fc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000766815b5 2 bytes JMP 76c4fd59 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000766815cd 2 bytes JMP 76c5b2f4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000766816b2 2 bytes JMP 76cd90c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[2592]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000766816bd 2 bytes JMP 76cd8891 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3524]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076681401 2 bytes JMP 76c5b233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3524]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076681419 2 bytes JMP 76c5b35e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3524]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076681431 2 bytes JMP 76cd9149 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3524]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007668144a 2 bytes CALL 76c34885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3524]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000766814dd 2 bytes JMP 76cd8a42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3524]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000766814f5 2 bytes JMP 76cd8c18 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3524]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007668150d 2 bytes JMP 76cd8938 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3524]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076681525 2 bytes JMP 76cd8d02 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3524]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007668153d 2 bytes JMP 76c4fcc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3524]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076681555 2 bytes JMP 76c56907 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3524]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007668156d 2 bytes JMP 76cd9201 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3524]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076681585 2 bytes JMP 76cd8d62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3524]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007668159d 2 bytes JMP 76cd88fc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3524]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000766815b5 2 bytes JMP 76c4fd59 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3524]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000766815cd 2 bytes JMP 76c5b2f4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3524]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000766816b2 2 bytes JMP 76cd90c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3524]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000766816bd 2 bytes JMP 76cd8891 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3872]  C:\Windows\SysWOW64\WSOCK32.dll!recv + 82  00000000746f17fa 2 bytes CALL 76c311a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3872]  C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88  00000000746f1860 2 bytes CALL 76c311a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3872]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98  00000000746f1942 2 bytes JMP 765d6da1 C:\Windows\syswow64\WS2_32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3872]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109  00000000746f194d 2 bytes JMP 765de8de C:\Windows\syswow64\WS2_32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3872]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076681401 2 bytes JMP 76c5b233 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3872]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076681419 2 bytes JMP 76c5b35e C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3872]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076681431 2 bytes JMP 76cd9149 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3872]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007668144a 2 bytes CALL 76c34885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3872]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000766814dd 2 bytes JMP 76cd8a42 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3872]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000766814f5 2 bytes JMP 76cd8c18 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3872]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007668150d 2 bytes JMP 76cd8938 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3872]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076681525 2 bytes JMP 76cd8d02 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3872]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007668153d 2 bytes JMP 76c4fcc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3872]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076681555 2 bytes JMP 76c56907 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3872]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007668156d 2 bytes JMP 76cd9201 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3872]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076681585 2 bytes JMP 76cd8d62 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3872]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007668159d 2 bytes JMP 76cd88fc C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3872]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000766815b5 2 bytes JMP 76c4fd59 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3872]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000766815cd 2 bytes JMP 76c5b2f4 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3872]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000766816b2 2 bytes JMP 76cd90c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3872]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000766816bd 2 bytes JMP 76cd8891 C:\Windows\syswow64\kernel32.dll

---- User IAT/EAT - GMER 2.2 ----

IAT  C:\Windows\system32\winlogon.exe[992] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress]  [7fefadc2840] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\winlogon.exe[992] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!ReadFile]  [7fefadc2720] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\winlogon.exe[992] @ C:\Windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress]  [7fefadc2840] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\winlogon.exe[992] @ C:\Windows\system32\themeservice.dll[KERNEL32.dll!ReadFile]  [7fefadc2720] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\svchost.exe[1212] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress]  [7fefadc2840] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\svchost.exe[1212] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!ReadFile]  [7fefadc2720] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\svchost.exe[1212] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress]  [7fefadc2840] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\svchost.exe[1212] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!ReadFile]  [7fefadc2720] c:\windows\system32\uxtuneup.dll

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14728165963312280@SetupOperations  [binary value data; not readable in the extracted log, only the fragment "NTAMD64" survived]