GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-08-30 00:22:16 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP6T0L0-6 WDC_WD5000AAKX-00ERMA0 rev.15.01H15 465,76GB Running: gmer.exe; Driver: H:\Users\szary\AppData\Local\Temp\pxldqpoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG H:\Windows\system32\ntoskrnl.exe suspicious modification ---- User code sections - GMER 2.1 ---- .text H:\Program Files (x86)\AVG Secure Search\vprot.exe[3580] H:\Windows\syswow64\Psapi.dll!GetModuleFileNameExW + 17 0000000076021401 2 bytes JMP 75a4eb26 H:\Windows\syswow64\kernel32.dll .text H:\Program Files (x86)\AVG Secure Search\vprot.exe[3580] H:\Windows\syswow64\Psapi.dll!EnumProcessModules + 17 0000000076021419 2 bytes JMP 75a5b513 H:\Windows\syswow64\kernel32.dll .text H:\Program Files (x86)\AVG Secure Search\vprot.exe[3580] H:\Windows\syswow64\Psapi.dll!GetModuleInformation + 17 0000000076021431 2 bytes JMP 75ad8609 H:\Windows\syswow64\kernel32.dll .text H:\Program Files (x86)\AVG Secure Search\vprot.exe[3580] H:\Windows\syswow64\Psapi.dll!GetModuleInformation + 42 000000007602144a 2 bytes CALL 75a31dfa H:\Windows\syswow64\kernel32.dll .text ... * 9 .text H:\Program Files (x86)\AVG Secure Search\vprot.exe[3580] H:\Windows\syswow64\Psapi.dll!EnumDeviceDrivers + 17 00000000760214dd 2 bytes JMP 75ad7efe H:\Windows\syswow64\kernel32.dll .text H:\Program Files (x86)\AVG Secure Search\vprot.exe[3580] H:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameA + 17 00000000760214f5 2 bytes JMP 75ad80d8 H:\Windows\syswow64\kernel32.dll .text H:\Program Files (x86)\AVG Secure Search\vprot.exe[3580] H:\Windows\syswow64\Psapi.dll!QueryWorkingSetEx + 17 000000007602150d 2 bytes JMP 75ad7df4 H:\Windows\syswow64\kernel32.dll .text H:\Program Files (x86)\AVG Secure Search\vprot.exe[3580] H:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameW + 17 0000000076021525 2 bytes JMP 75ad81c2 H:\Windows\syswow64\kernel32.dll .text H:\Program Files (x86)\AVG Secure Search\vprot.exe[3580] H:\Windows\syswow64\Psapi.dll!GetModuleBaseNameW + 17 000000007602153d 2 bytes JMP 75a4f088 H:\Windows\syswow64\kernel32.dll .text H:\Program Files (x86)\AVG Secure Search\vprot.exe[3580] H:\Windows\syswow64\Psapi.dll!EnumProcesses + 17 0000000076021555 2 bytes JMP 75a5b885 H:\Windows\syswow64\kernel32.dll .text H:\Program Files (x86)\AVG Secure Search\vprot.exe[3580] H:\Windows\syswow64\Psapi.dll!GetProcessMemoryInfo + 17 000000007602156d 2 bytes JMP 75ad86c1 H:\Windows\syswow64\kernel32.dll .text H:\Program Files (x86)\AVG Secure Search\vprot.exe[3580] H:\Windows\syswow64\Psapi.dll!GetPerformanceInfo + 17 0000000076021585 2 bytes JMP 75ad8222 H:\Windows\syswow64\kernel32.dll .text H:\Program Files (x86)\AVG Secure Search\vprot.exe[3580] H:\Windows\syswow64\Psapi.dll!QueryWorkingSet + 17 000000007602159d 2 bytes JMP 75ad7db8 H:\Windows\syswow64\kernel32.dll .text H:\Program Files (x86)\AVG Secure Search\vprot.exe[3580] H:\Windows\syswow64\Psapi.dll!GetModuleBaseNameA + 17 00000000760215b5 2 bytes JMP 75a4f121 H:\Windows\syswow64\kernel32.dll .text H:\Program Files (x86)\AVG Secure Search\vprot.exe[3580] H:\Windows\syswow64\Psapi.dll!GetModuleFileNameExA + 17 00000000760215cd 2 bytes JMP 75a5b29f H:\Windows\syswow64\kernel32.dll .text H:\Program Files (x86)\AVG Secure Search\vprot.exe[3580] H:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 20 00000000760216b2 2 bytes JMP 75ad8584 H:\Windows\syswow64\kernel32.dll .text H:\Program Files (x86)\AVG Secure Search\vprot.exe[3580] H:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 31 00000000760216bd 2 bytes JMP 75ad7d4d H:\Windows\syswow64\kernel32.dll ---- Kernel code sections - GMER 2.1 ---- INITKDBG H:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG H:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG H:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG H:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG H:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG H:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG H:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG H:\Windows\system32\ntoskrnl.exe suspicious modification ---- Threads - GMER 2.1 ---- Thread H:\Windows\system32\services.exe [612:768] 000007fefc6294c4 Thread H:\Windows\system32\svchost.exe [852:2016] 000007fefc498e80 Thread H:\Windows\System32\svchost.exe [972:392] 000007fefbeff440 Thread H:\Windows\System32\svchost.exe [972:364] 000007fefbe46204 Thread H:\Windows\System32\svchost.exe [972:1136] 000007fefaec2070 Thread H:\Windows\System32\svchost.exe [972:1180] 000007fefacf5440 Thread H:\Windows\System32\svchost.exe [972:4008] 000007feec226b8c Thread H:\Windows\System32\svchost.exe [972:4048] 000007feec221d88 Thread H:\Windows\System32\svchost.exe [1012:1880] 000007fef91020c0 Thread H:\Windows\System32\svchost.exe [1012:1904] 000007fef91026a8 Thread H:\Windows\System32\svchost.exe [1012:1992] 000007fef91029dc Thread H:\Windows\System32\svchost.exe [1012:3364] 000007fef9d37750 Thread H:\Windows\System32\svchost.exe [1012:2216] 000007fef9d57ac0 Thread H:\Windows\system32\svchost.exe [332:3556] 000007feee02506c Thread H:\Windows\system32\svchost.exe [332:3916] 000007fef8bd1c20 Thread H:\Windows\system32\svchost.exe [332:3888] 000007fef8bd1c20 Thread H:\Windows\system32\svchost.exe [332:3592] 000007fef9061ab0 Thread H:\Windows\system32\svchost.exe [1028:1872] 000007fef9440ea8 Thread H:\Windows\system32\svchost.exe [1028:1884] 000007fef9439db0 Thread H:\Windows\system32\svchost.exe [1028:1072] 000007fef943aa10 Thread H:\Windows\system32\svchost.exe [1028:388] 000007fef9441c94 Thread H:\Windows\system32\svchost.exe [1028:5028] 000007fef8346848 Thread H:\Windows\system32\svchost.exe [1144:1224] 000007fefadd3260 Thread H:\Windows\system32\svchost.exe [1144:1228] 000007fefadd3aac Thread H:\Windows\system32\svchost.exe [1144:1232] 000007fefadd3864 Thread H:\Windows\system32\svchost.exe [1144:1236] 000007fefadd46d0 Thread H:\Windows\system32\svchost.exe [1144:1600] 000007fefa08f978 Thread H:\Windows\system32\svchost.exe [1144:1672] 000007fefadd3980 Thread H:\Windows\System32\spoolsv.exe [1372:2444] 000007fef8b910c8 Thread H:\Windows\System32\spoolsv.exe [1372:2544] 000007fef75a6144 Thread H:\Windows\System32\spoolsv.exe [1372:1472] 000007fef7695fd0 Thread H:\Windows\System32\spoolsv.exe [1372:2036] 000007fef8283438 Thread H:\Windows\System32\spoolsv.exe [1372:2448] 000007fef76963ec Thread H:\Windows\System32\spoolsv.exe [1372:2124] 000007fefa9d5e5c Thread H:\Windows\system32\svchost.exe [1404:1976] 000007fef8da2940 Thread H:\Windows\system32\svchost.exe [1404:2532] 000007fef8682888 Thread H:\Windows\Explorer.EXE [2376:2280] 000007fefbe46204 Thread H:\Windows\Explorer.EXE [2376:2652] 000007feee722118 ---- EOF - GMER 2.1 ----