GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-02-15 19:20:11 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AC1 465,76GB Running: nc185qui.exe; Driver: C:\Users\Dorota\AppData\Local\Temp\kwrdrpow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 666 fffff8000440508a 7 bytes [00, 00, 00, 00, 00, 00, 03] INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 674 fffff80004405092 6 bytes [00, 00, 80, FA, FF, FF] ---- User code sections - GMER 2.1 ---- .text C:\windows\system32\wininit.exe[612] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\windows\system32\services.exe[676] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\windows\system32\winlogon.exe[748] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\windows\system32\svchost.exe[848] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\windows\system32\nvvsvc.exe[928] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\windows\System32\svchost.exe[324] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\windows\System32\svchost.exe[424] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\windows\system32\svchost.exe[536] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\windows\system32\svchost.exe[632] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\windows\system32\svchost.exe[1124] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\windows\system32\nvvsvc.exe[1304] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\windows\system32\Dwm.exe[1576] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\windows\Explorer.EXE[1584] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\windows\System32\spoolsv.exe[1752] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\windows\system32\taskhost.exe[1768] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\windows\system32\svchost.exe[1832] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1940] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000761aa2ba 1 byte [62] .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[1648] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000761aa2ba 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1708] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe[1056] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000761aa2ba 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2132] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2280] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000761aa2ba 1 byte [62] .text C:\windows\SysWOW64\rundll32.exe[2312] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000761aa2ba 1 byte [62] .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2344] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000761aa2ba 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2448] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\windows\SysWOW64\Rezip.exe[2528] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000761aa2ba 1 byte [62] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2568] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000761aa2ba 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2756] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2780] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000761aa2ba 1 byte [62] .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[2908] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000761aa2ba 1 byte [62] .text C:\windows\system32\svchost.exe[2228] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\Program Files (x86)\blueconnect\AssistantServices.exe[2564] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000761aa2ba 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2164] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\Program Files (x86)\blueconnect\UIExec.exe[2744] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000761aa2ba 1 byte [62] .text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[2768] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000761aa2ba 1 byte [62] .text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[2768] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c91465 2 bytes [C9, 74] .text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[2768] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c914bb 2 bytes [C9, 74] .text ... * 2 .text C:\Program Files (x86)\Intel\IntelAppStore\bin\serviceManager.exe[3044] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000761aa2ba 1 byte [62] .text C:\Program Files (x86)\Intel\IntelAppStore\bin\serviceManager.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c91465 2 bytes [C9, 74] .text C:\Program Files (x86)\Intel\IntelAppStore\bin\serviceManager.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c914bb 2 bytes [C9, 74] .text ... * 2 .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[2108] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000761aa2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1568] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000761aa2ba 1 byte [62] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3532] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000761aa2ba 1 byte [62] .text C:\windows\system32\SearchIndexer.exe[3684] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\windows\system32\svchost.exe[4112] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4440] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e6eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Corel\Standby\Standby.exe[5056] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000761aa2ba 1 byte [62] .text C:\windows\SysWOW64\ctfmon.exe[4072] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000761aa2ba 1 byte [62] .text C:\Users\Dorota\Desktop\fixit\gmer\nc185qui.exe[3840] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000761aa2ba 1 byte [62] ---- Processes - GMER 2.1 ---- Library C:\Users\Dorota\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll (*** suspicious ***) @ C:\windows\Explorer.EXE [1584] (Dropbox Shell Extension/Dropbox, Inc.)(2011-02-18 05:12:20) 0000000010000000 Library C:\Users\Dorota\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll (*** suspicious ***) @ C:\windows\explorer.exe [4100] (Dropbox Shell Extension/Dropbox, Inc.)(2011-02-18 05:12:20) 0000000010000000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654eb87 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654edff Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654f56e Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654f652 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b66b6864 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b66b6982 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\f07bcbca0bca Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\f07bcbca0bca@c87e755203f7 0x4B 0x77 0xEB 0x51 ... Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 22088 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x82 0xAB 0x44 0x2B ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654eb87 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654edff (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654f56e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654f652 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b66b6864 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b66b6982 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\f07bcbca0bca (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\f07bcbca0bca@c87e755203f7 0x4B 0x77 0xEB 0x51 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x82 0xAB 0x44 0x2B ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----