GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-06-18 21:57:51
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000068 ATA_____ rev.2J__ 465.76GB
Running: ld37ct3v.exe; Driver: C:\Users\Kloc\AppData\Local\Temp\pwldqpog.sys


---- User code sections - GMER 2.1 ----

.text    C:\Windows\system32\SearchIndexer.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                                                                   0000000077691590 5 bytes JMP 0000000177630128
.text    C:\Windows\system32\SearchIndexer.exe[2720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                 00000000776916b0 5 bytes JMP 0000000177630018
.text    C:\Windows\system32\SearchIndexer.exe[2720] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                                                            00000000772de750 5 bytes JMP 00000000776300a0
.text    C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                                                             000000007783fc30 5 bytes JMP 0000000170ec1460
.text    C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                                           000000007783fdf4 5 bytes JMP 0000000170ec1120
.text    C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe[3864] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                                      0000000075db3bc3 5 bytes JMP 0000000170ec1260
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                                                            000000007783fc30 5 bytes JMP 0000000170ec1460
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2856] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                                          000000007783fdf4 5 bytes JMP 0000000170ec1120
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[2856] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                                     0000000075db3bc3 5 bytes JMP 0000000170ec1260
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3852] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                                                     000000007783fc30 5 bytes JMP 0000000170ec1460
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3852] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                                   000000007783fdf4 5 bytes JMP 0000000170ec1120
.text    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[3852] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                              0000000075db3bc3 5 bytes JMP 0000000170ec1260
.text    C:\Windows\AsScrPro.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                                                                                                 000000007783fc30 5 bytes JMP 0000000170ec1460
.text    C:\Windows\AsScrPro.exe[2936] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                                                                               000000007783fdf4 5 bytes JMP 0000000170ec1120
.text    C:\Windows\AsScrPro.exe[2936] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                                                                          0000000075db3bc3 5 bytes JMP 0000000170ec1260
.text    C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                                                           0000000077691590 5 bytes JMP 0000000177630128
.text    C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[4120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                         00000000776916b0 5 bytes JMP 0000000177630018
.text    C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[4120] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                                                    00000000772de750 5 bytes JMP 00000000776300a0
.text    C:\Windows\system32\svchost.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                                                                         0000000077691590 5 bytes JMP 0000000177630128
.text    C:\Windows\system32\svchost.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                       00000000776916b0 5 bytes JMP 0000000177630018
.text    C:\Windows\system32\svchost.exe[4140] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                                                                  00000000772de750 5 bytes JMP 00000000776300a0
.text    C:\Windows\system32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                                                                         0000000077691590 5 bytes JMP 0000000177630128
.text    C:\Windows\system32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                       00000000776916b0 5 bytes JMP 0000000177630018
.text    C:\Windows\system32\svchost.exe[4220] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                                                                  00000000772de750 5 bytes JMP 00000000776300a0
.text    C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                                                          0000000077691590 5 bytes JMP 0000000177630128
.text    C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                        00000000776916b0 5 bytes JMP 0000000177630018
.text    C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[4360] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                                                   00000000772de750 5 bytes JMP 00000000776300a0
.text    C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                                                             000000007783fc30 5 bytes JMP 0000000170ec1460
.text    C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4568] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                                           000000007783fdf4 5 bytes JMP 0000000170ec1120
.text    C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4568] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                                      0000000075db3bc3 5 bytes JMP 0000000170ec1260
.text    C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                                                                       000000007783fc30 5 bytes JMP 0000000170ec1460
.text    C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4924] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                                                     000000007783fdf4 5 bytes JMP 0000000170ec1120
.text    C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4924] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                                                0000000075db3bc3 5 bytes JMP 0000000170ec1260
.text    C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4924] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69                                                                                                0000000075831465 2 bytes [83, 75]
.text    C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[4924] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155                                                                                               00000000758314bb 2 bytes [83, 75]
.text    ...                                                                                                                                                                                                            * 2
.text    C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                                                                            000000007783fc30 5 bytes JMP 0000000170ec1460
.text    C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4932] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                                                          000000007783fdf4 5 bytes JMP 0000000170ec1120
.text    C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4932] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                                                     0000000075db3bc3 5 bytes JMP 0000000170ec1260
.text    C:\Program Files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\updateui.exe[2492] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                                             000000007783fc30 5 bytes JMP 0000000170ec1460
.text    C:\Program Files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\updateui.exe[2492] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                           000000007783fdf4 5 bytes JMP 0000000170ec1120
.text    C:\Program Files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\updateui.exe[2492] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                      0000000075db3bc3 5 bytes JMP 0000000170ec1260
.text    C:\Windows\SysWOW64\ctfmon.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                                                                                          000000007783fc30 5 bytes JMP 0000000170ec1460
.text    C:\Windows\SysWOW64\ctfmon.exe[5460] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                                                                        000000007783fdf4 5 bytes JMP 0000000170ec1120
.text    C:\Windows\SysWOW64\ctfmon.exe[5460] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                                                                   0000000075db3bc3 5 bytes JMP 0000000170ec1260
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5848] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                                                                                   000000007783fc30 5 bytes JMP 0000000170ec1460
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5848] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                                                                 000000007783fdf4 5 bytes JMP 0000000170ec1120
.text    C:\Windows\sysWOW64\wbem\wmiprvse.exe[5848] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                                                            0000000075db3bc3 5 bytes JMP 0000000170ec1260
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                       000000007783fc30 5 bytes JMP 0000000170ec1460
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[6560] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                     000000007783fdf4 5 bytes JMP 0000000170ec1120
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[6560] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                0000000075db3bc3 5 bytes JMP 0000000170ec1260
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                                          000000007783fc30 5 bytes JMP 0000000170ec1460
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6664] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                        000000007783fdf4 5 bytes JMP 0000000170ec1120
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6664] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                   0000000075db3bc3 5 bytes JMP 0000000170ec1260
.text    C:\Windows\system32\sppsvc.exe[6692] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                                                                          0000000077691590 5 bytes JMP 0000000177630128
.text    C:\Windows\system32\sppsvc.exe[6692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                                        00000000776916b0 5 bytes JMP 0000000177630018
.text    C:\Windows\system32\sppsvc.exe[6692] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                                                                   00000000772de750 5 bytes JMP 00000000776300a0
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6808] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                                          000000007783fc30 5 bytes JMP 0000000170ec1460
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6808] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                        000000007783fdf4 5 bytes JMP 0000000170ec1120
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6808] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                   0000000075db3bc3 5 bytes JMP 0000000170ec1260
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                                   0000000075831465 2 bytes [83, 75]
.text    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                                  00000000758314bb 2 bytes [83, 75]
.text    ...                                                                                                                                                                                                            * 2
.text    C:\Users\Kloc\Downloads\ld37ct3v.exe[7056] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                                                                                    000000007783fc30 5 bytes JMP 0000000170ec1460
.text    C:\Users\Kloc\Downloads\ld37ct3v.exe[7056] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                                                                  000000007783fdf4 5 bytes JMP 0000000170ec1120
.text    C:\Users\Kloc\Downloads\ld37ct3v.exe[7056] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                                                             0000000075db3bc3 5 bytes JMP 0000000170ec1260

---- Kernel IAT/EAT - GMER 2.1 ----

IAT      C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]                                                                                                                                 [fffff88001023e94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT      C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]                                                                                                                                        [fffff88001023c38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT      C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]                                                                                                                                       [fffff88001024654] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT      C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong]                                                                                                                                       [fffff88001024a50] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT      C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]                                                                                                                                [fffff880010248ac] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Devices - GMER 2.1 ----

Device   \FileSystem\Ntfs \Ntfs                                                                                                                                                                                         fffffa8003fea2c0
Device   \FileSystem\fastfat \Fat                                                                                                                                                                                       fffffa8007bea2c0
Device   \Driver\iaStorA \Device\00000068                                                                                                                                                                               fffffa800368b2c0
Device   \Driver\usbehci \Device\USBPDO-1                                                                                                                                                                               fffffa8006a0f2c0
Device   \Driver\iaStorA \Device\RaidPort0                                                                                                                                                                              fffffa800368b2c0
Device   \Driver\usbehci \Device\USBFDO-0                                                                                                                                                                               fffffa8006a0f2c0
Device   \Driver\NetBT \Device\NetBT_Tcpip_{90491E43-BC97-4B3D-BD6E-2515B2BCC30D}                                                                                                                                       fffffa80067172c0
Device   \Driver\usbehci \Device\USBFDO-1                                                                                                                                                                               fffffa8006a0f2c0
Device   \Driver\NetBT \Device\NetBt_Wins_Export                                                                                                                                                                        fffffa80067172c0
Device   \Driver\iaStorA \Device\ScsiPort0                                                                                                                                                                              fffffa800368b2c0
Device   \Driver\usbehci \Device\USBPDO-0                                                                                                                                                                               fffffa8006a0f2c0
Device   \Driver\NetBT \Device\NetBT_Tcpip_{7B761F38-AE4D-4B81-9C53-99B985B313F8}                                                                                                                                       fffffa80067172c0

---- Threads - GMER 2.1 ----

Thread   C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [6324:6332]                                                                                                                                         0000000077873e45
Thread   C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [6324:6336]                                                                                                                                         0000000077873e45
Thread   C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [6324:6340]                                                                                                                                         0000000075847587
Thread   C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [6324:6344]                                                                                                                                         0000000065be0cb3
Thread   C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [6324:6356]                                                                                                                                         0000000077872e25
Thread   C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [6324:7156]                                                                                                                                         0000000077873e45

---- Processes - GMER 2.1 ----

Library  c:\users\kloc\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpydv4iv.dll (*** suspicious ***) @ C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [4924](2015-06-18 19:49:12)  0000000004ae0000
