GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-09-09 23:16:44 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000005b TOSHIBA_ rev.GJ00 298.09GB Running: l9vmdulz.exe; Driver: C:\Users\MILENK~1\AppData\Local\Temp\aglyiuog.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!EngSetLastError + 616 fffff96000114d04 8 bytes [40, 42, C4, 03, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000143f00 7 bytes [40, 9D, F3, FF, 01, AB, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000143f08 3 bytes [C0, 06, 02] .text ... * 115 .text C:\Windows\System32\win32k.sys!EngGetProcessHandle + 440 fffff96000202b78 6 bytes {JMP QWORD [RIP-0xb35e6]} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[540] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Windows\system32\services.exe[608] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[668] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[780] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[920] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[992] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[288] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[368] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[456] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1184] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1340] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[1636] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007646a2ba 1 byte [62] .text C:\Windows\system32\svchost.exe[1724] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1744] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe[1812] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007646a2ba 1 byte [62] .text C:\Program Files (x86)\findopolis\updatefindopolis.exe[1856] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007646a2ba 1 byte [62] .text C:\Program Files (x86)\findopolis\bin\utilfindopolis.exe[1384] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007646a2ba 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1876] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2280] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[2428] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Windows\Explorer.EXE[2644] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3344] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3632] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3644] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe[3764] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe[3960] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007646a2ba 1 byte [62] .text C:\Users\milenka21\AppData\Local\WeatherAlerts\WeatherAlerts.exe[4056] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe[3532] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007646a2ba 1 byte [62] .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe[3484] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\avastui.exe[3824] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076448769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[3824] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007646a2ba 1 byte [62] .text C:\Program Files\AVAST Software\Avast\avastui.exe[3824] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077001465 2 bytes [00, 77] .text C:\Program Files\AVAST Software\Avast\avastui.exe[3824] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770014bb 2 bytes [00, 77] .text ... * 2 .text C:\Program Files (x86)\ver3BlockAndSurf\BlockAndSurf.exe[3860] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007646a2ba 1 byte [62] .text C:\Windows\system32\svchost.exe[3944] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe[1336] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[3984] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007646a2ba 1 byte [62] .text C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe[2076] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe[4228] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text C:\Windows\notepad.exe[2612] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c8eecd 1 byte [62] .text D:\l9vmdulz.exe[2792] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007646a2ba 1 byte [62] ---- Threads - GMER 2.1 ---- Thread [336:344] 0000000076e6fbf0 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3216:3052] 000007fefb322a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3216:2552] 000007feea67d618 ---- EOF - GMER 2.1 ----