GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-11-06 19:04:40
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000029 Hitachi_HTS545050A7E380 rev.GG2OA7B0 465,76GB
Running: g8p5236e.exe; Driver: C:\Users\Magda\AppData\Local\Temp\kgldqkog.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\atiesrxx.exe[216] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fde922177a 4 bytes [22, E9, FD, 07]
.text C:\Windows\system32\atiesrxx.exe[216] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fde9221782 4 bytes [22, E9, FD, 07]
.text C:\Windows\system32\atieclxx.exe[1092] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fde922177a 4 bytes [22, E9, FD, 07]
.text C:\Windows\system32\atieclxx.exe[1092] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fde9221782 4 bytes [22, E9, FD, 07]
.text C:\Windows\system32\atieclxx.exe[1092] C:\Windows\system32\WSOCK32.dll!recvfrom + 742 000007fde34a1b32 4 bytes [4A, E3, FD, 07]
.text C:\Windows\system32\atieclxx.exe[1092] C:\Windows\system32\WSOCK32.dll!recvfrom + 750 000007fde34a1b3a 4 bytes [4A, E3, FD, 07]
.text C:\Windows\system32\WLANExt.exe[1360] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fde922177a 4 bytes [22, E9, FD, 07]
.text C:\Windows\system32\WLANExt.exe[1360] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fde9221782 4 bytes [22, E9, FD, 07]
.text C:\Windows\system32\WLANExt.exe[1360] C:\Windows\system32\MSIMG32.dll!GradientFill + 690 000007fde2301532 4 bytes [30, E2, FD, 07]
.text C:\Windows\system32\WLANExt.exe[1360] C:\Windows\system32\MSIMG32.dll!GradientFill + 698 000007fde230153a 4 bytes [30, E2, FD, 07]
.text C:\Windows\system32\WLANExt.exe[1360] C:\Windows\system32\MSIMG32.dll!TransparentBlt + 246 000007fde230165a 4 bytes [30, E2, FD, 07]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1720] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fde2301532 4 bytes [30, E2, FD, 07]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1720] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fde230153a 4 bytes [30, E2, FD, 07]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1720] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fde230165a 4 bytes [30, E2, FD, 07]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1720] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fde922177a 4 bytes [22, E9, FD, 07]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1720] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fde9221782 4 bytes [22, E9, FD, 07]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1720] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 742 000007fde34a1b32 4 bytes [4A, E3, FD, 07]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1720] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 750 000007fde34a1b3a 4 bytes [4A, E3, FD, 07]
.text C:\Windows\system32\mfevtps.exe[1952] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 306 000007fde922177a 4 bytes [22, E9, FD, 07]
.text C:\Windows\system32\mfevtps.exe[1952] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 314 000007fde9221782 4 bytes [22, E9, FD, 07]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2036] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fde922177a 4 bytes [22, E9, FD, 07]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2036] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fde9221782 4 bytes [22, E9, FD, 07]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2036] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fde2301532 4 bytes [30, E2, FD, 07]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2036] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fde230153a 4 bytes [30, E2, FD, 07]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2036] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fde230165a 4 bytes [30, E2, FD, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[984] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fde2301532 4 bytes [30, E2, FD, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[984] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fde230153a 4 bytes [30, E2, FD, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[984] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fde230165a 4 bytes [30, E2, FD, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3200] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fde2301532 4 bytes [30, E2, FD, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3200] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fde230153a 4 bytes [30, E2, FD, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3200] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fde230165a 4 bytes [30, E2, FD, 07]
.text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fde2301532 4 bytes [30, E2, FD, 07]
.text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fde230153a 4 bytes [30, E2, FD, 07]
.text C:\Windows\System32\rundll32.exe[3712] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fde230165a 4 bytes [30, E2, FD, 07]
.text C:\Windows\System32\igfxpers.exe[3376] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fde922177a 4 bytes [22, E9, FD, 07]
.text C:\Windows\System32\igfxpers.exe[3376] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fde9221782 4 bytes [22, E9, FD, 07]
.text C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe[5660] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 306 000007fde922177a 4 bytes [22, E9, FD, 07]
.text C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe[5660] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 314 000007fde9221782 4 bytes [22, E9, FD, 07]
.text C:\Windows\system32\wbem\wmiprvse.exe[6104] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fde922177a 4 bytes [22, E9, FD, 07]
.text C:\Windows\system32\wbem\wmiprvse.exe[6104] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fde9221782 4 bytes [22, E9, FD, 07]
.text C:\Windows\system32\wbem\wmiprvse.exe[6104] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fde2301532 4 bytes [30, E2, FD, 07]
.text C:\Windows\system32\wbem\wmiprvse.exe[6104] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fde230153a 4 bytes [30, E2, FD, 07]
.text C:\Windows\system32\wbem\wmiprvse.exe[6104] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fde230165a 4 bytes [30, E2, FD, 07]
.text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[3992] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fde922177a 4 bytes [22, E9, FD, 07]
.text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[3992] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fde9221782 4 bytes [22, E9, FD, 07]
.text C:\Program Files\Windows Defender\MsMpEng.exe[3584] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 306 000007fde922177a 4 bytes [22, E9, FD, 07]
.text C:\Program Files\Windows Defender\MsMpEng.exe[3584] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 314 000007fde9221782 4 bytes [22, E9, FD, 07]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!wcscat_s] [859c10ff0000000]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!swprintf_s] [480d7502fb83c3ff]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!_purecall] [8b48000075720d8b]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!memcmp] [8348c38b0852ff11]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!_onexit] [ccccccccc35b20c4]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!__dllonexit] [245c8948cccccccc]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!_unlock] [8b4820ec83485708]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!_lock] [79c10ff0ffcf83d9]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!??1type_info@@UEAA@XZ] [c985483575cfff08]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!_initterm] [10841c74274]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!_amsg_exit] [ffff7948058d48c0]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!_XcptFilter] [4010c18348018948]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!__CxxFrameHandler3] [7988400a74287938]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!wcsncmp] [480000906915ff28]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!_callnewh] [926015ffcb8b]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!??0exception@@QEAA@AEBQEBDH@Z] [480d7501ff8312eb]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!malloc] [8b48000075020d8b]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!free] [8b48c78b1052ff11]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!memset] [ccccccccccccccc3]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!??0exception@@QEAA@XZ] [8d48c28b4cc88b4d]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!memmove_s] [9d56e9ffff789b15]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!??0exception@@QEAA@AEBQEBD@Z] [ccccccccccccffff]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!??1exception@@UEAA@XZ] [4c89481024548948]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!??0exception@@QEAA@AEBV0@@Z] [4154415756530824]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!memcpy_s] [4838ec8348574156]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!atol] [fffffffe202444c7]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!?what@exception@@UEBAPEBDXZ] [f633e18b4cfa8b4c]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!vswprintf_s] [4003b80a75d28548]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!wcscpy_s] [48000000e5e98000]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!_vsnwprintf] [8007000ebe413289]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!_CxxThrowException] [8024b48944]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[msvcrt.dll!memcpy] [8824b48948]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[ntdll.dll!EtwTraceMessage] [8948f88b48000091]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[ntdll.dll!EtwGetTraceLoggerHandle] [3074c08548282444]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[ntdll.dll!EtwGetTraceEnableLevel] [428d44d233087089]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[ntdll.dll!EtwGetTraceEnableFlags] [3aa6e810488d4828]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[ntdll.dll!EtwRegisterTraceGuidsW] [8d48387788400000]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[ntdll.dll!EtwUnregisterTraceGuids] [78948ffff77cb05]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[ntdll.dll!RtlVirtualUnwind] [48000074410d8b48]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[ntdll.dll!RtlLookupFunctionEntry] [3eb900850ff018b]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[ntdll.dll!RtlCaptureContext] [8824bc8948fe8b48]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[ole32.dll!PropVariantClear] [8824bc8b4800]
IAT C:\Windows\Explorer.EXE[3208] @ C:\Windows\System32\fdwcn.dll[ole32.dll!CoGetObject] [c085f08b44ffff99]

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\csrss.exe [664:688] fffff960009035e8
Thread [2100:4012] 000007fde8c11b90
Thread [2100:4800] 000007fdda361160
Thread [2100:4928] 000007fddddb5590
Thread [2100:5448] 000007fdde9ce5f0
Thread [2100:5880] 000007fdead1c7b0
Thread [2100:3344] 000007fdead1c7b0
Thread [2100:5840] 000007fdead1c7b0
Thread [2100:5672] 000007fdead1c7b0

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----