GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-11-29 15:27:42
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000001c ST1000LM024_HN-M101MBB rev.2AR20002 931,51GB
Running: 9dgp17qs.exe; Driver: C:\Users\Laura\AppData\Local\Temp\kxtdapob.sys

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007fff34f3169a 4 bytes [F3, 34, FF, 7F]
.text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007fff34f316a2 4 bytes [F3, 34, FF, 7F]
.text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007fff34f3181a 4 bytes [F3, 34, FF, 7F]
.text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007fff34f31832 4 bytes [F3, 34, FF, 7F]
.text C:\WINDOWS\system32\atieclxx.exe[400] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007fff34f3169a 4 bytes [F3, 34, FF, 7F]
.text C:\WINDOWS\system32\atieclxx.exe[400] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007fff34f316a2 4 bytes [F3, 34, FF, 7F]
.text C:\WINDOWS\system32\atieclxx.exe[400] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007fff34f3181a 4 bytes [F3, 34, FF, 7F]
.text C:\WINDOWS\system32\atieclxx.exe[400] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007fff34f31832 4 bytes [F3, 34, FF, 7F]
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1608] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007fff34f3169a 4 bytes [F3, 34, FF, 7F]
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1608] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007fff34f316a2 4 bytes [F3, 34, FF, 7F]
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1608] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007fff34f3181a 4 bytes [F3, 34, FF, 7F]
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1608] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007fff34f31832 4 bytes [F3, 34, FF, 7F]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1464] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 506 00007fff34f3169a 4 bytes [F3, 34, FF, 7F]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1464] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 514 00007fff34f316a2 4 bytes [F3, 34, FF, 7F]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1464] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 118 00007fff34f3181a 4 bytes [F3, 34, FF, 7F]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1464] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 142 00007fff34f31832 4 bytes [F3, 34, FF, 7F]
.text C:\Program Files (x86)\SmarterPower\bin\SmarterPower.PurBrowse64.exe[2716] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007fff34f3169a 4 bytes [F3, 34, FF, 7F]
.text C:\Program Files (x86)\SmarterPower\bin\SmarterPower.PurBrowse64.exe[2716] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007fff34f316a2 4 bytes [F3, 34, FF, 7F]
.text C:\Program Files (x86)\SmarterPower\bin\SmarterPower.PurBrowse64.exe[2716] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007fff34f3181a 4 bytes [F3, 34, FF, 7F]
.text C:\Program Files (x86)\SmarterPower\bin\SmarterPower.PurBrowse64.exe[2716] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007fff34f31832 4 bytes [F3, 34, FF, 7F]
.text C:\WINDOWS\Explorer.EXE[1884] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007fff34f3169a 4 bytes [F3, 34, FF, 7F]
.text C:\WINDOWS\Explorer.EXE[1884] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007fff34f316a2 4 bytes [F3, 34, FF, 7F]
.text C:\WINDOWS\Explorer.EXE[1884] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007fff34f3181a 4 bytes [F3, 34, FF, 7F]
.text C:\WINDOWS\Explorer.EXE[1884] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007fff34f31832 4 bytes [F3, 34, FF, 7F]
.text C:\Program Files (x86)\SmarterPower\bin\SmarterPower.BrowserAdapter64.exe[3028] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007fff34f3169a 4 bytes [F3, 34, FF, 7F]
.text C:\Program Files (x86)\SmarterPower\bin\SmarterPower.BrowserAdapter64.exe[3028] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007fff34f316a2 4 bytes [F3, 34, FF, 7F]
.text C:\Program Files (x86)\SmarterPower\bin\SmarterPower.BrowserAdapter64.exe[3028] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007fff34f3181a 4 bytes [F3, 34, FF, 7F]
.text C:\Program Files (x86)\SmarterPower\bin\SmarterPower.BrowserAdapter64.exe[3028] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007fff34f31832 4 bytes [F3, 34, FF, 7F]
.text C:\Windows\RTFTrack.exe[4060] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007fff34f3169a 4 bytes [F3, 34, FF, 7F]
.text C:\Windows\RTFTrack.exe[4060] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007fff34f316a2 4 bytes [F3, 34, FF, 7F]
.text C:\Windows\RTFTrack.exe[4060] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007fff34f3181a 4 bytes [F3, 34, FF, 7F]
.text C:\Windows\RTFTrack.exe[4060] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007fff34f31832 4 bytes [F3, 34, FF, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[316] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007fff34f3169a 4 bytes [F3, 34, FF, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[316] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007fff34f316a2 4 bytes [F3, 34, FF, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[316] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007fff34f3181a 4 bytes [F3, 34, FF, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[316] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007fff34f31832 4 bytes [F3, 34, FF, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[316] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007fff2e701f6a 4 bytes [70, 2E, FF, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[316] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007fff2e701f82 4 bytes [70, 2E, FF, 7F]

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\system32\csrss.exe [584:600] fffff960008ebb90

---- Processes - GMER 2.1 ----

Process C:\ProgramData\IePluginServices\PluginService.exe (*** suspicious ***) @ C:\ProgramData\IePluginServices\PluginService.exe [1260] (IePlugin Service/Cherished Technololgy LIMITED)(2014-09-16 06:40:11) 0000000000ef0000
Process C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (*** suspicious ***) @ C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [1328] (WindowsProtectManger Service/Fuyu LIMITED)(2014-09-16 06:39:55) 0000000000a80000
Library C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Numerics\8e945b32dd6b4b00c900f6c01c0f3c62\System.Numerics.ni.dll (*** suspicious ***) @ C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [4280] 0000000066d20000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----