GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-06 23:53:08 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000046 HGST_HTS541010A9E680 rev.JA0OA560 931,51GB Running: fz1ebd7n.exe; Driver: C:\Users\MUMIA_~1\AppData\Local\Temp\kwroapog.sys ---- User code sections - GMER 2.1 ---- .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\kernel32.dll!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\wininit.exe[736] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\csrss.exe[752] C:\windows\SYSTEM32\kernel32.dll!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\winlogon.exe[796] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\services.exe[836] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\lsass.exe[844] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\svchost.exe[952] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\nvvsvc.exe[1008] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\svchost.exe[360] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\System32\svchost.exe[420] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\svchost.exe[508] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\dwm.exe[832] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\svchost.exe[608] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\System32\svchost.exe[664] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\Program Files\IDT\WDM\STacSV64.exe[1060] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fd81d31532 4 bytes [D3, 81, FD, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fd81d3153a 4 bytes [D3, 81, FD, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fd81d3165a 4 bytes [D3, 81, FD, 07] .text C:\windows\system32\nvvsvc.exe[1156] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\nvvsvc.exe[1156] C:\windows\system32\MSIMG32.dll!GradientFill + 690 000007fd81d31532 4 bytes [D3, 81, FD, 07] .text C:\windows\system32\nvvsvc.exe[1156] C:\windows\system32\MSIMG32.dll!GradientFill + 698 000007fd81d3153a 4 bytes [D3, 81, FD, 07] .text C:\windows\system32\nvvsvc.exe[1156] C:\windows\system32\MSIMG32.dll!TransparentBlt + 246 000007fd81d3165a 4 bytes [D3, 81, FD, 07] .text C:\windows\system32\nvvsvc.exe[1156] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fd8589177a 4 bytes [89, 85, FD, 07] .text C:\windows\system32\nvvsvc.exe[1156] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fd85891782 4 bytes [89, 85, FD, 07] .text C:\windows\system32\svchost.exe[1300] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\WLANExt.exe[1432] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\WLANExt.exe[1432] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fd8589177a 4 bytes [89, 85, FD, 07] .text C:\windows\system32\WLANExt.exe[1432] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fd85891782 4 bytes [89, 85, FD, 07] .text C:\windows\system32\WLANExt.exe[1432] C:\windows\system32\MSIMG32.dll!GradientFill + 690 000007fd81d31532 4 bytes [D3, 81, FD, 07] .text C:\windows\system32\WLANExt.exe[1432] C:\windows\system32\MSIMG32.dll!GradientFill + 698 000007fd81d3153a 4 bytes [D3, 81, FD, 07] .text C:\windows\system32\WLANExt.exe[1432] C:\windows\system32\MSIMG32.dll!TransparentBlt + 246 000007fd81d3165a 4 bytes [D3, 81, FD, 07] .text C:\windows\system32\conhost.exe[1452] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\Program Files (x86)\TOSHIBA\PasswordUtility\GFNEXSrv.exe[1720] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\System32\spoolsv.exe[1888] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\svchost.exe[1916] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\taskeng.exe[2232] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\taskhostex.exe[2248] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\Explorer.EXE[2256] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\Explorer.EXE[2256] C:\windows\system32\MSIMG32.dll!GradientFill + 690 000007fd81d31532 4 bytes [D3, 81, FD, 07] .text C:\windows\Explorer.EXE[2256] C:\windows\system32\MSIMG32.dll!GradientFill + 698 000007fd81d3153a 4 bytes [D3, 81, FD, 07] .text C:\windows\Explorer.EXE[2256] C:\windows\system32\MSIMG32.dll!TransparentBlt + 246 000007fd81d3165a 4 bytes [D3, 81, FD, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2916] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2916] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fd81d31532 4 bytes [D3, 81, FD, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2916] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fd81d3153a 4 bytes [D3, 81, FD, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2916] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fd81d3165a 4 bytes [D3, 81, FD, 07] .text C:\Program Files (x86)\DTS, Inc\DTS Studio Sound\dts_apo_service.exe[2528] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\dashost.exe[2552] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2480] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2480] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fd81d31532 4 bytes [D3, 81, FD, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2480] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fd81d3153a 4 bytes [D3, 81, FD, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2480] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fd81d3165a 4 bytes [D3, 81, FD, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2480] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fd8589177a 4 bytes [89, 85, FD, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2480] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fd85891782 4 bytes [89, 85, FD, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2480] C:\windows\SYSTEM32\WSOCK32.dll!recvfrom + 742 000007fd76e41b32 4 bytes [E4, 76, FD, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2480] C:\windows\SYSTEM32\WSOCK32.dll!recvfrom + 750 000007fd76e41b3a 4 bytes [E4, 76, FD, 07] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2108] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe[3156] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe[3156] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fd8589177a 4 bytes [89, 85, FD, 07] .text C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe[3156] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fd85891782 4 bytes [89, 85, FD, 07] .text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[3336] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3360] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3360] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fd8589177a 4 bytes [89, 85, FD, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3360] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fd85891782 4 bytes [89, 85, FD, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3360] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fd81d31532 4 bytes [D3, 81, FD, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3360] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fd81d3153a 4 bytes [D3, 81, FD, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3360] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fd81d3165a 4 bytes [D3, 81, FD, 07] .text C:\windows\system32\svchost.exe[3384] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\ThpSrv.exe[3452] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\Windows\system32\TODDSrv.exe[3488] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3972] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3972] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fd81d31532 4 bytes [D3, 81, FD, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3972] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fd81d3153a 4 bytes [D3, 81, FD, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3972] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fd81d3165a 4 bytes [D3, 81, FD, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3972] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fd8589177a 4 bytes [89, 85, FD, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3972] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fd85891782 4 bytes [89, 85, FD, 07] .text C:\Program Files\TOSHIBA\Teco\TecoService.exe[4068] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\svchost.exe[4104] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\wbem\unsecapp.exe[4464] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.0.1119.516_x64__8wekyb3d8bbwe\LiveComm.exe[4700] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\wbem\wmiprvse.exe[4824] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\wbem\wmiprvse.exe[4824] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fd8589177a 4 bytes [89, 85, FD, 07] .text C:\windows\system32\wbem\wmiprvse.exe[4824] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fd85891782 4 bytes [89, 85, FD, 07] .text C:\windows\system32\wbem\wmiprvse.exe[4824] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fd81d31532 4 bytes [D3, 81, FD, 07] .text C:\windows\system32\wbem\wmiprvse.exe[4824] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fd81d3153a 4 bytes [D3, 81, FD, 07] .text C:\windows\system32\wbem\wmiprvse.exe[4824] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fd81d3165a 4 bytes [D3, 81, FD, 07] .text C:\windows\system32\wbem\wmiprvse.exe[4832] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\svchost.exe[5040] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\System32\svchost.exe[5076] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\SearchIndexer.exe[3856] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\DllHost.exe[5588] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\Windows\System32\RuntimeBroker.exe[5656] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5996] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5996] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fd8589177a 4 bytes [89, 85, FD, 07] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[5996] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fd85891782 4 bytes [89, 85, FD, 07] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[6128] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[6128] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fd8589177a 4 bytes [89, 85, FD, 07] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[6128] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fd85891782 4 bytes [89, 85, FD, 07] .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[5140] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[5364] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\windows\system32\AUDIODG.EXE[6588] C:\windows\SYSTEM32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[6696] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fd871bf7eb 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[6696] C:\windows\SYSTEM32\WSOCK32.dll!recvfrom + 742 000007fd76e41b32 4 bytes [E4, 76, FD, 07] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[6696] C:\windows\SYSTEM32\WSOCK32.dll!recvfrom + 750 000007fd76e41b3a 4 bytes [E4, 76, FD, 07] ---- Threads - GMER 2.1 ---- Thread C:\windows\system32\csrss.exe [752:776] fffff960008185e8 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----