GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-24 01:31:11 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000001e ST1000LM024_HN-M101MBB rev.2AR20004 931,51GB Running: gmer.exe; Driver: C:\Users\OOGAMA~1\AppData\Local\Temp\kxldqpod.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff96000245200 15 bytes [00, 28, F6, 01, 80, 1C, 6C, ...] .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16 fffff96000245210 11 bytes [00, 0E, FC, FF, 00, 05, C4, ...] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\winlogon.exe[788] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\WINDOWS\system32\services.exe[824] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\WINDOWS\system32\lsass.exe[832] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[912] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\WINDOWS\system32\dwm.exe[296] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\WINDOWS\System32\svchost.exe[648] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[936] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\WINDOWS\System32\svchost.exe[1080] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1180] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[1208] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[1232] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2012] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2012] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff9d524169a 4 bytes [24, D5, F9, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2012] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff9d52416a2 4 bytes [24, D5, F9, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2012] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff9d524181a 4 bytes [24, D5, F9, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2012] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff9d5241832 4 bytes [24, D5, F9, 7F] .text C:\WINDOWS\system32\dashost.exe[2028] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[2880] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\WINDOWS\Explorer.EXE[3584] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\WINDOWS\system32\taskhostex.exe[3616] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\WINDOWS\system32\SearchIndexer.exe[3304] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\WINDOWS\system32\igfxsrvc.exe[3012] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\Windows\System32\igfxpers.exe[2280] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[140] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1172] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\WINDOWS\splwow64.exe[3908] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\Program Files\BitComet\BitComet.exe[5792] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\WINDOWS\system32\taskhost.exe[6724] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\WINDOWS\system32\WLANExt.exe[6400] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\WINDOWS\system32\WLANExt.exe[6400] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff9d524169a 4 bytes [24, D5, F9, 7F] .text C:\WINDOWS\system32\WLANExt.exe[6400] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff9d52416a2 4 bytes [24, D5, F9, 7F] .text C:\WINDOWS\system32\WLANExt.exe[6400] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff9d524181a 4 bytes [24, D5, F9, 7F] .text C:\WINDOWS\system32\WLANExt.exe[6400] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff9d5241832 4 bytes [24, D5, F9, 7F] .text C:\WINDOWS\system32\conhost.exe[8436] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\WINDOWS\system32\DllHost.exe[7340] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] .text C:\WINDOWS\system32\AUDIODG.EXE[8752] C:\WINDOWS\SYSTEM32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff9d496553d 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [744:7632] fffff96000994b90 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [4364:4368] 0000000000d3121a Thread C:\WINDOWS\SYSTEM32\ntdll.dll [4364:4492] 0000000000cfc020 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [4364:4728] 0000000000c96fd0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [4364:4732] 0000000000c97090 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [4364:4736] 0000000000c979d0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [4364:4740] 0000000000c979d0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [4364:4744] 0000000000c979d0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [4364:5056] 0000000000b9bef0 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\IePluginServices\PluginService.exe (*** suspicious ***) @ C:\ProgramData\IePluginServices\PluginService.exe [1544] 0000000000ea0000 Library C:\Program Files (x86)\Google\Update\Install\{6D50E7CA-FD88-466B-B813-257836255AE1}\39.0.2171.65_38.0.2125.111_chrome_updater.exe (*** suspicious ***) @ C:\Program Files (x86)\Google\Update\Install\{6D50E7CA-FD88-466B-B813-257836255AE1}\39.0.2171.65_38.0.2125. 0000000000400000 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----