GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-05-13 10:14:37 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\000000b3 ST500LM0 rev.0004 465.76GB Running: gmer.exe; Driver: C:\Users\fundowic\AppData\Local\Temp\kxloqaog.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe[936] C:\WINDOWS\syswow64\kernel32.dll!CreateThread + 28 0000000075933491 4 bytes {CALL 0xffffffff8ab33c00} .text C:\Program Files\McAfee\Agent\x86\macompatsvc.exe[3248] C:\WINDOWS\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000755c1401 2 bytes JMP 7595b233 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files\McAfee\Agent\x86\macompatsvc.exe[3248] C:\WINDOWS\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000755c1419 2 bytes JMP 7595b35e C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files\McAfee\Agent\x86\macompatsvc.exe[3248] C:\WINDOWS\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000755c1431 2 bytes JMP 759d9149 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files\McAfee\Agent\x86\macompatsvc.exe[3248] C:\WINDOWS\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000755c144a 2 bytes CALL 75934885 C:\WINDOWS\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\McAfee\Agent\x86\macompatsvc.exe[3248] C:\WINDOWS\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755c14dd 2 bytes JMP 759d8a42 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files\McAfee\Agent\x86\macompatsvc.exe[3248] C:\WINDOWS\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755c14f5 2 bytes JMP 759d8c18 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files\McAfee\Agent\x86\macompatsvc.exe[3248] C:\WINDOWS\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000755c150d 2 bytes JMP 759d8938 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files\McAfee\Agent\x86\macompatsvc.exe[3248] C:\WINDOWS\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000755c1525 2 bytes JMP 759d8d02 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files\McAfee\Agent\x86\macompatsvc.exe[3248] C:\WINDOWS\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000755c153d 2 bytes JMP 7594fcc0 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files\McAfee\Agent\x86\macompatsvc.exe[3248] C:\WINDOWS\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000755c1555 2 bytes JMP 75956907 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files\McAfee\Agent\x86\macompatsvc.exe[3248] C:\WINDOWS\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000755c156d 2 bytes JMP 759d9201 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files\McAfee\Agent\x86\macompatsvc.exe[3248] C:\WINDOWS\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000755c1585 2 bytes JMP 759d8d62 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files\McAfee\Agent\x86\macompatsvc.exe[3248] C:\WINDOWS\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000755c159d 2 bytes JMP 759d88fc C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files\McAfee\Agent\x86\macompatsvc.exe[3248] C:\WINDOWS\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755c15b5 2 bytes JMP 7594fd59 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files\McAfee\Agent\x86\macompatsvc.exe[3248] C:\WINDOWS\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755c15cd 2 bytes JMP 7595b2f4 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files\McAfee\Agent\x86\macompatsvc.exe[3248] C:\WINDOWS\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755c16b2 2 bytes JMP 759d90c4 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files\McAfee\Agent\x86\macompatsvc.exe[3248] C:\WINDOWS\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755c16bd 2 bytes JMP 759d8891 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft Office\Office15\lync.exe[4188] C:\WINDOWS\syswow64\ole32.dll!OleLoadFromStream 0000000076bc6113 5 bytes JMP 000000006e0397e7 .text C:\Program Files (x86)\Microsoft Office\Office15\lync.exe[4188] C:\WINDOWS\syswow64\USER32.dll!RegisterClipboardFormatW 0000000077589ecd 5 bytes JMP 000000006d878b4e .text C:\Program Files (x86)\Microsoft Office\Office15\lync.exe[4188] C:\WINDOWS\syswow64\USER32.dll!RegisterClipboardFormatA 0000000077590b0a 5 bytes JMP 000000006d87c831 .text C:\Program Files (x86)\Microsoft Office\Office15\lync.exe[4188] C:\WINDOWS\syswow64\USER32.dll!BeginPaint 0000000077591371 5 bytes JMP 000000006d88ac57 .text C:\Program Files (x86)\Microsoft Office\Office15\lync.exe[4188] C:\WINDOWS\syswow64\USER32.dll!ValidateRect 0000000077597859 5 bytes JMP 000000006da85ef2 .text C:\Program Files (x86)\Microsoft Office\Office15\lync.exe[4188] C:\WINDOWS\syswow64\OLEAUT32.dll!SysFreeString 0000000075883e59 5 bytes JMP 000000006d8b12c6 .text C:\Program Files (x86)\Microsoft Office\Office15\lync.exe[4188] C:\WINDOWS\syswow64\OLEAUT32.dll!VariantClear 0000000075883eae 5 bytes JMP 000000006d8d2a80 .text C:\Program Files (x86)\Microsoft Office\Office15\lync.exe[4188] C:\WINDOWS\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000075884731 5 bytes JMP 000000006d959991 .text C:\Program Files (x86)\Microsoft Office\Office15\lync.exe[4188] C:\WINDOWS\syswow64\OLEAUT32.dll!VariantChangeType 0000000075885dee 5 bytes JMP 000000006d968929 .text C:\Program Files (x86)\Microsoft Office\Office15\lync.exe[4188] C:\WINDOWS\syswow64\SHELL32.dll!SHParseDisplayName 0000000075ca7e7b 5 bytes JMP 000000006d96abca .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4936] C:\WINDOWS\syswow64\kernel32.dll!CreateThread + 28 0000000075933491 4 bytes {CALL 0xffffffff8b083480} .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4936] C:\WINDOWS\syswow64\PSAPI.dll!GetModuleFileNameExW + 17 00000000755c1401 2 bytes JMP 7595b233 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4936] C:\WINDOWS\syswow64\PSAPI.dll!EnumProcessModules + 17 00000000755c1419 2 bytes JMP 7595b35e C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4936] C:\WINDOWS\syswow64\PSAPI.dll!GetModuleInformation + 17 00000000755c1431 2 bytes JMP 759d9149 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4936] C:\WINDOWS\syswow64\PSAPI.dll!GetModuleInformation + 42 00000000755c144a 2 bytes CALL 75934885 C:\WINDOWS\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4936] C:\WINDOWS\syswow64\PSAPI.dll!EnumDeviceDrivers + 17 00000000755c14dd 2 bytes JMP 759d8a42 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4936] C:\WINDOWS\syswow64\PSAPI.dll!GetDeviceDriverBaseNameA + 17 00000000755c14f5 2 bytes JMP 759d8c18 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4936] C:\WINDOWS\syswow64\PSAPI.dll!QueryWorkingSetEx + 17 00000000755c150d 2 bytes JMP 759d8938 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4936] C:\WINDOWS\syswow64\PSAPI.dll!GetDeviceDriverBaseNameW + 17 00000000755c1525 2 bytes JMP 759d8d02 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4936] C:\WINDOWS\syswow64\PSAPI.dll!GetModuleBaseNameW + 17 00000000755c153d 2 bytes JMP 7594fcc0 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4936] C:\WINDOWS\syswow64\PSAPI.dll!EnumProcesses + 17 00000000755c1555 2 bytes JMP 75956907 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4936] C:\WINDOWS\syswow64\PSAPI.dll!GetProcessMemoryInfo + 17 00000000755c156d 2 bytes JMP 759d9201 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4936] C:\WINDOWS\syswow64\PSAPI.dll!GetPerformanceInfo + 17 00000000755c1585 2 bytes JMP 759d8d62 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4936] C:\WINDOWS\syswow64\PSAPI.dll!QueryWorkingSet + 17 00000000755c159d 2 bytes JMP 759d88fc C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4936] C:\WINDOWS\syswow64\PSAPI.dll!GetModuleBaseNameA + 17 00000000755c15b5 2 bytes JMP 7594fd59 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4936] C:\WINDOWS\syswow64\PSAPI.dll!GetModuleFileNameExA + 17 00000000755c15cd 2 bytes JMP 7595b2f4 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4936] C:\WINDOWS\syswow64\PSAPI.dll!GetProcessImageFileNameW + 20 00000000755c16b2 2 bytes JMP 759d90c4 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4936] C:\WINDOWS\syswow64\PSAPI.dll!GetProcessImageFileNameW + 31 00000000755c16bd 2 bytes JMP 759d8891 C:\WINDOWS\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFTips.exe[4040] C:\WINDOWS\syswow64\kernel32.dll!CreateThread + 28 0000000075933491 4 bytes {CALL 0xffffffffe3f1aa58} ---- User IAT/EAT - GMER 2.2 ---- IAT C:\WINDOWS\system32\mfevtps.exe[2984] @ C:\WINDOWS\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA] [13f372090] C:\WINDOWS\system32\mfevtps.exe ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\SysWOW64\svchost.exe [5520:5556] 00000000002d8b33 Thread C:\WINDOWS\SysWOW64\svchost.exe [5520:5560] 00000000002d8b33 Thread C:\WINDOWS\SysWOW64\svchost.exe [5520:5564] 00000000002d8b33 Thread C:\WINDOWS\SysWOW64\svchost.exe [5520:5568] 00000000002d8b33 Thread C:\WINDOWS\SysWOW64\svchost.exe [5520:5572] 00000000002d8b33 Thread C:\WINDOWS\SysWOW64\rundll32.exe [5592:5608] 00000000001d8b33 Thread C:\WINDOWS\SysWOW64\rundll32.exe [5592:5612] 00000000001d8b33 Thread C:\WINDOWS\SysWOW64\rundll32.exe [5592:5616] 00000000001d8b33 Thread C:\WINDOWS\SysWOW64\rundll32.exe [5592:5620] 00000000001d8b33 Thread C:\WINDOWS\SysWOW64\rundll32.exe [5592:5624] 00000000001d8b33 Thread C:\WINDOWS\SysWOW64\rundll32.exe [5488:3340] 0000000001da8b33 Thread C:\WINDOWS\SysWOW64\rundll32.exe [5488:432] 0000000001da8b33 Thread C:\WINDOWS\SysWOW64\rundll32.exe [5488:1236] 0000000001da8b33 Thread C:\WINDOWS\SysWOW64\rundll32.exe [5488:5724] 0000000001da8b33 Thread C:\WINDOWS\SysWOW64\rundll32.exe [5488:4952] 0000000001da8b33 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 Windows 7 default MBR code found via API Disk \Device\Harddisk0\DR0 unknown MBR code Disk \Device\Harddisk0\DR0 sector 0: rootkit-like behavior ---- EOF - GMER 2.2 ----