GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-10 22:49:25
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-3 WDC_WD15EADS-00W4B0 rev.01.00A01 1397,27GB
Running: ze4sqtf7.exe; Driver: C:\Users\User\AppData\Local\Temp\kwtdapoc.sys

---- User code sections - GMER 2.1 ----

.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1464] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756c1465 2 bytes [6C, 75]
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1464] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756c14bb 2 bytes [6C, 75]
.text ... * 2
.text C:\ProgramData\FlashBeat\ColorMedia.exe[492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756c1465 2 bytes [6C, 75]
.text C:\ProgramData\FlashBeat\ColorMedia.exe[492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756c14bb 2 bytes [6C, 75]
.text ... * 2
.text C:\Program Files (x86)\XTab\ProtectService.exe[2124] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756c1465 2 bytes [6C, 75]
.text C:\Program Files (x86)\XTab\ProtectService.exe[2124] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756c14bb 2 bytes [6C, 75]
.text ... * 2
.text C:\Windows\SysWOW64\PnkBstrA.exe[2484] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000071de1a22 2 bytes [DE, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2484] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000071de1ad0 2 bytes [DE, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2484] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000071de1b08 2 bytes [DE, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2484] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000071de1bba 2 bytes [DE, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2484] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000071de1bda 2 bytes [DE, 71]
.text C:\Program Files (x86)\WordProser_1.10.0.6\Service\wpsvc.exe[2112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756c1465 2 bytes [6C, 75]
.text C:\Program Files (x86)\WordProser_1.10.0.6\Service\wpsvc.exe[2112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756c14bb 2 bytes [6C, 75]
.text ... * 2
.text C:\ProgramData\dxVxGuHPl\AgBiIIZZKM.exe[2480] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000756c1465 2 bytes [6C, 75]
.text C:\ProgramData\dxVxGuHPl\AgBiIIZZKM.exe[2480] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000756c14bb 2 bytes [6C, 75]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3772] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756c1465 2 bytes [6C, 75]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3772] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756c14bb 2 bytes [6C, 75]
.text ... * 2
.text C:\Program Files (x86)\XTab\HPNotify.exe[1140] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756c1465 2 bytes [6C, 75]
.text C:\Program Files (x86)\XTab\HPNotify.exe[1140] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756c14bb 2 bytes [6C, 75]
.text ... * 2
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[180] C:\Windows\system32\kernel32.dll!SetFileCompletionNotificationModes 0000000077640880 14 bytes {JMP QWORD [RIP+0x0]}
.text C:\Users\User\AppData\Local\ConvertAd\ConvertAd.exe[5376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756c1465 2 bytes [6C, 75]
.text C:\Users\User\AppData\Local\ConvertAd\ConvertAd.exe[5376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756c14bb 2 bytes [6C, 75]
.text ... * 2
.text C:\Users\User\AppData\Local\wincheck\wincheck.exe[6680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756c1465 2 bytes [6C, 75]
.text C:\Users\User\AppData\Local\wincheck\wincheck.exe[6680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756c14bb 2 bytes [6C, 75]
.text ... * 2
.text C:\Program Files (x86)\G Data\InternetSecurity\Firewall\GDFirewallTray.exe[4644] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756c1465 2 bytes [6C, 75]
.text C:\Program Files (x86)\G Data\InternetSecurity\Firewall\GDFirewallTray.exe[4644] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756c14bb 2 bytes [6C, 75]
.text ... * 2

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\services.exe [528:2952] 0000000001c2ef60
Thread C:\Windows\system32\services.exe [528:3004] 0000000001c2ef60
Thread C:\Windows\system32\services.exe [528:1404] 0000000001c2ef60
Thread C:\Windows\system32\services.exe [528:3020] 0000000001c2ef60
Thread C:\Windows\system32\services.exe [528:3848] 0000000001c2ef60
Thread C:\Windows\system32\services.exe [528:2732] 0000000001c2ef60
Thread C:\Windows\system32\svchost.exe [824:868] 00000000002bef60
Thread C:\Windows\system32\svchost.exe [824:872] 00000000002bef60
Thread C:\Windows\system32\svchost.exe [824:876] 00000000002bef60
Thread C:\Windows\system32\svchost.exe [824:880] 00000000002bef60
Thread C:\Windows\system32\svchost.exe [824:884] 00000000002bef60
Thread C:\Windows\system32\svchost.exe [824:888] 00000000002bef60
Thread C:\Windows\system32\svchost.exe [808:1564] 00000000013bef60
Thread C:\Windows\system32\svchost.exe [808:1568] 00000000013bef60
Thread C:\Windows\system32\svchost.exe [808:1572] 00000000013bef60
Thread C:\Windows\system32\svchost.exe [808:1576] 00000000013bef60
Thread C:\Windows\system32\svchost.exe [808:1580] 00000000013bef60
Thread C:\Windows\system32\svchost.exe [808:1584] 00000000013bef60
Thread C:\Windows\System32\spoolsv.exe [1712:5920] 00000000002fef60
Thread C:\Windows\System32\spoolsv.exe [1712:5924] 00000000002fef60
Thread C:\Windows\System32\spoolsv.exe [1712:5928] 00000000002fef60
Thread C:\Windows\System32\spoolsv.exe [1712:5932] 00000000002fef60
Thread C:\Windows\System32\spoolsv.exe [1712:5936] 00000000002fef60
Thread C:\Windows\System32\spoolsv.exe [1712:5940] 00000000002fef60
Thread C:\Windows\system32\svchost.exe [1740:4540] 00000000014eef60
Thread C:\Windows\system32\svchost.exe [1740:4544] 00000000014eef60
Thread C:\Windows\system32\svchost.exe [1740:4548] 00000000014eef60
Thread C:\Windows\system32\svchost.exe [1740:4552] 00000000014eef60
Thread C:\Windows\system32\svchost.exe [1740:4556] 00000000014eef60
Thread C:\Windows\system32\svchost.exe [1740:4560] 00000000014eef60
Thread C:\Windows\System32\svchost.exe [4744:6136] 000007fef39e9688
Thread C:\Windows\system32\svchost.exe [4828:4896] 000000000055ef60
Thread C:\Windows\system32\svchost.exe [4828:4900] 000000000055ef60
Thread C:\Windows\system32\svchost.exe [4828:4904] 000000000055ef60
Thread C:\Windows\system32\svchost.exe [4828:4908] 000000000055ef60
Thread C:\Windows\system32\svchost.exe [4828:4912] 000000000055ef60
Thread C:\Windows\system32\svchost.exe [4828:4916] 000000000055ef60
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4228:5008] 000000000133ef60
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4228:2472] 000000000133ef60
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4228:832] 000000000133ef60
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4228:5068] 000000000133ef60
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4228:3344] 000000000133ef60
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4228:5000] 000000000133ef60
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4228:4808] 000000000135e310
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4228:5088] 000000000135e310
Thread C:\Windows\System32\svchost.exe [6964:7092] 00000000005cef60
Thread C:\Windows\System32\svchost.exe [6964:7096] 00000000005cef60
Thread C:\Windows\System32\svchost.exe [6964:7100] 00000000005cef60
Thread C:\Windows\System32\svchost.exe [6964:7104] 00000000005cef60
Thread C:\Windows\System32\svchost.exe [6964:7108] 00000000005cef60
Thread C:\Windows\System32\svchost.exe [6964:7112] 00000000005cef60

---- Processes - GMER 2.1 ----

Process C:\ProgramData\FlashBeat\ColorMedia.exe (*** suspicious ***) @ C:\ProgramData\FlashBeat\ColorMedia.exe [492] (Over the Rainbow Tech)(2015-02-09 10:02:40 0000000000400000
Library C:\ProgramData\FlashBeat\ColorMediaCrt.dll (*** suspicious ***) @ C:\ProgramData\FlashBeat\ColorMedia.exe [492] (Over the Rainbow Tech)(2015-02-09 10 0000000000470000
Library C:\ProgramData\FlashBeat\libnspr4.dll (*** suspicious ***) @ C:\ProgramData\FlashBeat\ColorMedia.exe [492] (NSPR Library/Mozilla Foundation)(2015-01-04 11 0000000071df0000
Library C:\ProgramData\FlashBeat\nss3.dll (*** suspicious ***) @ C:\ProgramData\FlashBeat\ColorMedia.exe [492] (NSS Base Library/Mozilla Foundation)(2015-01-04 11:13: 0000000071ac0000
Library C:\ProgramData\FlashBeat\nssutil3.dll (*** suspicious ***) @ C:\ProgramData\FlashBeat\ColorMedia.exe [492] (NSS Utility Library/Mozilla Foundation)(2015-0 0000000071a90000
Library C:\ProgramData\FlashBeat\libplc4.dll (*** suspicious ***) @ C:\ProgramData\FlashBeat\ColorMedia.exe [492] (PLC Library/Mozilla Foundation)(2015-01-04 11:13 0000000071a50000
Library C:\ProgramData\FlashBeat\libplds4.dll (*** suspicious ***) @ C:\ProgramData\FlashBeat\ColorMedia.exe [492] (PLDS Library/Mozilla Foundation)(2015-01-04 11 0000000071a40000
Library C:\ProgramData\FlashBeat\smime3.dll (*** suspicious ***) @ C:\ProgramData\FlashBeat\ColorMedia.exe [492] (NSS S/MIME Library/Mozilla Foundation)(2015-01-04 0000000071940000
Library C:\ProgramData\FlashBeat\freebl3.dll (*** suspicious ***) @ C:\ProgramData\FlashBeat\ColorMedia.exe [492] (NSS freebl Library/Mozilla Foundation)(2015-01-0 000000006f490000
Process C:\ProgramData\FlashBeat\FlashBeat.exe (*** suspicious ***) @ C:\ProgramData\FlashBeat\FlashBeat.exe [2084](2015-02-09 10:02:40) 0000000000400000
Process C:\Users\User\AppData\Roaming\ASPackage\ASSrv.exe (*** suspicious ***) @ C:\Users\User\AppData\Roaming\ASPackage\ASSrv.exe [2508](2 0000000000eb0000
Process C:\Users\User\AppData\Local\ConvertAd\CASrv.exe (*** suspicious ***) @ C:\Users\User\AppData\Local\ConvertAd\CASrv.exe [2532](2015-02-0 00000000002a0000
Process C:\Users\User\AppData\Local\ConvertAd\ConvertAd.exe (*** suspicious ***) @ C:\Users\User\AppData\Local\ConvertAd\ConvertAd.exe [5376](2015-02-09 10:53:38) 0000000001200000
Process C:\Users\User\AppData\Local\wincheck\wincheck.exe (*** suspicious ***) @ C:\Users\User\AppData\Local\wincheck\wincheck.exe [6680](2 00000000010b0000
Process C:\Users\User\AppData\Roaming\ASPackage\ASPackage.exe (*** suspicious ***) @ C:\Users\User\AppData\Roaming\ASPackage\ASPackage.exe [8188] (FILE NOT FOUND) 0000000000400000
Library C:\Users\User\AppData\Local\Temp\nsw60F5.tmp\System.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\ASPackage\ASPackage.exe [8188](2015-02-10 20:55:17) 0000000010000000
Library C:\Users\User\AppData\Local\Temp\nsw60F5.tmp\IpConfig.dll (*** suspicious ***) @ C:\Users\User\AppData\Roaming\ASPackage\ASPackage.exe [8188](2015-02-10 20:55:29) 0000000001d90000

---- EOF - GMER 2.1 ----