GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-03-10 20:32:55 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000036 ST1000LM024_HN-M101MBB rev.2AR20002 931,51GB Running: tnl4i4tm — kopia.exe; Driver: C:\Users\lenovo\AppData\Local\Temp\kxlorpow.sys ---- User code sections - GMER 2.1 ---- .text C:\windows\system32\WLANExt.exe[1396] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fe732f177a 4 bytes [2F, 73, FE, 07] .text C:\windows\system32\WLANExt.exe[1396] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fe732f1782 4 bytes [2F, 73, FE, 07] .text C:\windows\system32\WLANExt.exe[1396] C:\windows\system32\MSIMG32.dll!GradientFill + 690 000007fe6af11532 4 bytes [F1, 6A, FE, 07] .text C:\windows\system32\WLANExt.exe[1396] C:\windows\system32\MSIMG32.dll!GradientFill + 698 000007fe6af1153a 4 bytes [F1, 6A, FE, 07] .text C:\windows\system32\WLANExt.exe[1396] C:\windows\system32\MSIMG32.dll!TransparentBlt + 246 000007fe6af1165a 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1828] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fe6af11532 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1828] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fe6af1153a 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1828] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fe6af1165a 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1828] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fe732f177a 4 bytes [2F, 73, FE, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1828] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fe732f1782 4 bytes [2F, 73, FE, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1828] C:\windows\SYSTEM32\WSOCK32.dll!recvfrom + 742 000007fe690b1b32 4 bytes [0B, 69, FE, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1828] C:\windows\SYSTEM32\WSOCK32.dll!recvfrom + 750 000007fe690b1b3a 4 bytes [0B, 69, FE, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2108] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fe732f177a 4 bytes [2F, 73, FE, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2108] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fe732f1782 4 bytes [2F, 73, FE, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2108] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fe6af11532 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2108] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fe6af1153a 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2108] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fe6af1165a 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2368] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fe6af11532 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2368] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fe6af1153a 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2368] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fe6af1165a 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2368] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fe732f177a 4 bytes [2F, 73, FE, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2368] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fe732f1782 4 bytes [2F, 73, FE, 07] .text C:\windows\system32\wbem\wmiprvse.exe[3368] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fe732f177a 4 bytes [2F, 73, FE, 07] .text C:\windows\system32\wbem\wmiprvse.exe[3368] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fe732f1782 4 bytes [2F, 73, FE, 07] .text C:\windows\system32\wbem\wmiprvse.exe[3368] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fe6af11532 4 bytes [F1, 6A, FE, 07] .text C:\windows\system32\wbem\wmiprvse.exe[3368] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fe6af1153a 4 bytes [F1, 6A, FE, 07] .text C:\windows\system32\wbem\wmiprvse.exe[3368] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fe6af1165a 4 bytes [F1, 6A, FE, 07] .text C:\windows\Explorer.EXE[3212] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fe6af11532 4 bytes [F1, 6A, FE, 07] .text C:\windows\Explorer.EXE[3212] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fe6af1153a 4 bytes [F1, 6A, FE, 07] .text C:\windows\Explorer.EXE[3212] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fe6af1165a 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4120] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fe6af11532 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4120] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fe6af1153a 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4120] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fe6af1165a 4 bytes [F1, 6A, FE, 07] .text C:\Windows\System32\igfxpers.exe[2336] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fe732f177a 4 bytes [2F, 73, FE, 07] .text C:\Windows\System32\igfxpers.exe[2336] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fe732f1782 4 bytes [2F, 73, FE, 07] .text C:\Windows\RTFTrack.exe[3968] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fe6af11532 4 bytes [F1, 6A, FE, 07] .text C:\Windows\RTFTrack.exe[3968] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fe6af1153a 4 bytes [F1, 6A, FE, 07] .text C:\Windows\RTFTrack.exe[3968] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fe6af1165a 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1916] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fe6af11532 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1916] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fe6af1153a 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1916] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fe6af1165a 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1112] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fe6af11532 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1112] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fe6af1153a 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1112] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fe6af1165a 4 bytes [F1, 6A, FE, 07] .text C:\Windows\System32\rundll32.exe[1596] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fe6af11532 4 bytes [F1, 6A, FE, 07] .text C:\Windows\System32\rundll32.exe[1596] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fe6af1153a 4 bytes [F1, 6A, FE, 07] .text C:\Windows\System32\rundll32.exe[1596] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fe6af1165a 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[1576] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fe6af11532 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[1576] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fe6af1153a 4 bytes [F1, 6A, FE, 07] .text C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe[1576] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fe6af1165a 4 bytes [F1, 6A, FE, 07] .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4740] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fe6af11532 4 bytes [F1, 6A, FE, 07] .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4740] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fe6af1153a 4 bytes [F1, 6A, FE, 07] .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[4740] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fe6af1165a 4 bytes [F1, 6A, FE, 07] ---- Threads - GMER 2.1 ---- Thread C:\windows\system32\csrss.exe [780:804] fffff960009015e8 Thread C:\windows\SYSTEM32\ntdll.dll [2012:2016] 0000000000d01c94 Thread C:\windows\SYSTEM32\ntdll.dll [2012:2672] 000000007302e767 Thread C:\windows\SYSTEM32\ntdll.dll [2012:3660] 0000000071273841 Thread C:\windows\SYSTEM32\ntdll.dll [2012:3664] 0000000071273841 Thread C:\windows\SYSTEM32\ntdll.dll [2012:3668] 0000000071273841 Thread C:\windows\SYSTEM32\ntdll.dll [2012:3700] 00000000711a3189 Thread C:\windows\SYSTEM32\ntdll.dll [2012:3704] 0000000070fa0b79 Thread C:\windows\SYSTEM32\ntdll.dll [2012:6096] 000000006e7916dc ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----