GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-05-26 21:39:53 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-a WDC_WD5000AAKX-221CA1 rev.17.01H17 465,76GB Running: 2pmj5fo6.exe; Driver: C:\Users\Michael\AppData\Local\Temp\uwliifow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002dbb000 63 bytes [E8, BB, 3B, F8, FF, 41, 80, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 594 fffff80002dbb042 75 bytes {SUB R13, RAX; MOV [RSP+0x38], R13; JZ 0x1b; MOV RCX, R13; CALL 0xfffffffffffa5482} ---- User code sections - GMER 2.1 ---- .text c:\postgreSQL\bin\postgres.exe[1612] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007764fc50 5 bytes JMP 00000001720d1460 .text c:\postgreSQL\bin\postgres.exe[1612] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007764fe14 5 bytes JMP 00000001720d1120 .text c:\postgreSQL\bin\postgres.exe[1612] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075f23bbb 5 bytes JMP 00000001720d1260 .text C:\Windows\system32\conhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774a1530 5 bytes JMP 0000000077600128 .text C:\Windows\system32\conhost.exe[1608] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774a1650 5 bytes JMP 0000000077600018 .text C:\Windows\system32\conhost.exe[1608] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007724db80 5 bytes JMP 00000000776000a0 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774a1530 5 bytes JMP 0000000177440128 .text C:\Windows\system32\svchost.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774a1650 5 bytes JMP 0000000177440018 .text C:\Windows\system32\svchost.exe[644] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007724db80 5 bytes JMP 00000000774400a0 .text C:\Program Files\CCleaner\CCleaner64.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774a1530 5 bytes JMP 0000000077600128 .text C:\Program Files\CCleaner\CCleaner64.exe[2240] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774a1650 5 bytes JMP 0000000077600018 .text C:\Program Files\CCleaner\CCleaner64.exe[2240] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007724db80 5 bytes JMP 00000000776000a0 .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774a1530 5 bytes JMP 0000000177440128 .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774a1650 5 bytes JMP 0000000177440018 .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[2400] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007724db80 5 bytes JMP 00000000774400a0 .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774a1530 5 bytes JMP 0000000177440128 .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774a1650 5 bytes JMP 0000000177440018 .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2408] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007724db80 5 bytes JMP 00000000774400a0 .text C:\Users\Michael\AppData\Local\Torch\Update\TorchCrashHandler.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007764fc50 5 bytes JMP 00000001720d1460 .text C:\Users\Michael\AppData\Local\Torch\Update\TorchCrashHandler.exe[2516] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007764fe14 5 bytes JMP 00000001720d1120 .text C:\Users\Michael\AppData\Local\Torch\Update\TorchCrashHandler.exe[2516] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075f23bbb 5 bytes JMP 00000001720d1260 .text C:\Users\Michael\AppData\Local\Torch\Update\TorchCrashHandler.exe[2516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077201465 2 bytes [20, 77] .text C:\Users\Michael\AppData\Local\Torch\Update\TorchCrashHandler.exe[2516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772014bb 2 bytes [20, 77] .text ... * 2 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\ToolbarUpdater.exe[2544] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007764fc50 5 bytes JMP 00000001720d1460 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\ToolbarUpdater.exe[2544] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007764fe14 5 bytes JMP 00000001720d1120 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\ToolbarUpdater.exe[2544] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075f23bbb 5 bytes JMP 00000001720d1260 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\loggingserver.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007764fc50 5 bytes JMP 00000001720d1460 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\loggingserver.exe[2612] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007764fe14 5 bytes JMP 00000001720d1120 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.4.0\loggingserver.exe[2612] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075f23bbb 5 bytes JMP 00000001720d1260 .text C:\Windows\system32\conhost.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774a1530 5 bytes JMP 0000000077600128 .text C:\Windows\system32\conhost.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774a1650 5 bytes JMP 0000000077600018 .text C:\Windows\system32\conhost.exe[2620] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007724db80 5 bytes JMP 00000000776000a0 .text C:\Windows\SysWOW64\Ctxfihlp.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007764fc50 5 bytes JMP 00000001720d1460 .text C:\Windows\SysWOW64\Ctxfihlp.exe[2672] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007764fe14 5 bytes JMP 00000001720d1120 .text C:\Windows\SysWOW64\Ctxfihlp.exe[2672] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075f23bbb 5 bytes JMP 00000001720d1260 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2680] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007764fc50 5 bytes JMP 00000001720d1460 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2680] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007764fe14 5 bytes JMP 00000001720d1120 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2680] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075f23bbb 5 bytes JMP 00000001720d1260 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077201465 2 bytes [20, 77] .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[2680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772014bb 2 bytes [20, 77] .text ... * 2 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007764fc50 5 bytes JMP 00000001720d1460 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007764fe14 5 bytes JMP 00000001720d1120 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2688] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075f23bbb 5 bytes JMP 00000001720d1260 .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077201465 2 bytes [20, 77] .text C:\Program Files (x86)\AVG Web TuneUp\vprot.exe[2688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772014bb 2 bytes [20, 77] .text ... * 2 .text C:\Windows\SysWOW64\ctfmon.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007764fc50 5 bytes JMP 00000001720d1460 .text C:\Windows\SysWOW64\ctfmon.exe[3040] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007764fe14 5 bytes JMP 00000001720d1120 .text C:\Windows\SysWOW64\ctfmon.exe[3040] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075f23bbb 5 bytes JMP 00000001720d1260 .text c:\postgreSQL\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007764fc50 5 bytes JMP 00000001720d1460 .text c:\postgreSQL\bin\postgres.exe[3132] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007764fe14 5 bytes JMP 00000001720d1120 .text c:\postgreSQL\bin\postgres.exe[3132] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075f23bbb 5 bytes JMP 00000001720d1260 .text c:\postgreSQL\bin\postgres.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007764fc50 5 bytes JMP 00000001720d1460 .text c:\postgreSQL\bin\postgres.exe[3140] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007764fe14 5 bytes JMP 00000001720d1120 .text c:\postgreSQL\bin\postgres.exe[3140] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075f23bbb 5 bytes JMP 00000001720d1260 .text c:\postgreSQL\bin\postgres.exe[3148] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007764fc50 5 bytes JMP 00000001720d1460 .text c:\postgreSQL\bin\postgres.exe[3148] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007764fe14 5 bytes JMP 00000001720d1120 .text c:\postgreSQL\bin\postgres.exe[3148] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075f23bbb 5 bytes JMP 00000001720d1260 .text c:\postgreSQL\bin\postgres.exe[3156] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007764fc50 5 bytes JMP 00000001720d1460 .text c:\postgreSQL\bin\postgres.exe[3156] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007764fe14 5 bytes JMP 00000001720d1120 .text c:\postgreSQL\bin\postgres.exe[3156] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075f23bbb 5 bytes JMP 00000001720d1260 .text C:\Windows\system32\SearchIndexer.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774a1530 5 bytes JMP 0000000077600128 .text C:\Windows\system32\SearchIndexer.exe[3304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774a1650 5 bytes JMP 0000000077600018 .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774a1530 5 bytes JMP 0000000177440128 .text C:\Windows\system32\svchost.exe[3784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774a1650 5 bytes JMP 0000000177440018 .text C:\Windows\system32\svchost.exe[3784] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007724db80 5 bytes JMP 00000000774400a0 .text C:\Windows\SysWOW64\CTXFISPI.EXE[3976] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007764fc50 5 bytes JMP 00000001720d1460 .text C:\Windows\SysWOW64\CTXFISPI.EXE[3976] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007764fe14 5 bytes JMP 00000001720d1120 .text C:\Windows\SysWOW64\CTXFISPI.EXE[3976] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075f23bbb 5 bytes JMP 00000001720d1260 .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774a1530 5 bytes JMP 0000000177440128 .text C:\Windows\System32\svchost.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774a1650 5 bytes JMP 0000000177440018 .text C:\Windows\System32\svchost.exe[1900] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007724db80 5 bytes JMP 00000000774400a0 .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007764fc50 5 bytes JMP 00000001720d1460 .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[4688] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007764fe14 5 bytes JMP 00000001720d1120 .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[4688] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075f23bbb 5 bytes JMP 00000001720d1260 .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[4688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077201465 2 bytes [20, 77] .text C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe[4688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772014bb 2 bytes [20, 77] .text ... * 2 .text C:\Windows\system32\sppsvc.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000774a1530 5 bytes JMP 0000000077600128 .text C:\Windows\system32\sppsvc.exe[5400] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774a1650 5 bytes JMP 0000000077600018 .text C:\Windows\system32\sppsvc.exe[5400] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 000000007724db80 5 bytes JMP 00000000776000a0 .text E:\Vuze\2pmj5fo6.exe[5580] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007764fc50 5 bytes JMP 00000001720d1460 .text E:\Vuze\2pmj5fo6.exe[5580] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007764fe14 5 bytes JMP 00000001720d1120 .text E:\Vuze\2pmj5fo6.exe[5580] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000075f23bbb 5 bytes JMP 00000001720d1260 ---- Files - GMER 2.1 ---- File C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00067f 25552 bytes File C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000680 1540145 bytes ---- EOF - GMER 2.1 ----