GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-07-15 13:16:17
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000038 SAMSUNG_MZMTD128HAFV-000L1 rev.DXT42L0Q 119,24GB
Running: 7dqeosck.exe; Driver: C:\Users\AGNIES~1\AppData\Local\Temp\kxlorpow.sys

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\DptfPolicyLpmService.exe[1904] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fd4b18177a 4 bytes [18, 4B, FD, 07]
.text C:\WINDOWS\system32\DptfPolicyLpmService.exe[1904] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fd4b181782 4 bytes [18, 4B, FD, 07]
.text C:\WINDOWS\system32\mfevtps.exe[1592] C:\WINDOWS\system32\psapi.dll!GetProcessImageFileNameA + 306 000007fd4b18177a 4 bytes [18, 4B, FD, 07]
.text C:\WINDOWS\system32\mfevtps.exe[1592] C:\WINDOWS\system32\psapi.dll!GetProcessImageFileNameA + 314 000007fd4b181782 4 bytes [18, 4B, FD, 07]
.text C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[2436] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fd4b18177a 4 bytes [18, 4B, FD, 07]
.text C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[2436] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fd4b181782 4 bytes [18, 4B, FD, 07]
.text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe[3396] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fd38da1532 4 bytes [DA, 38, FD, 07]
.text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe[3396] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fd38da153a 4 bytes [DA, 38, FD, 07]
.text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe[3396] C:\WINDOWS\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fd38da165a 4 bytes [DA, 38, FD, 07]
.text C:\WINDOWS\Explorer.EXE[3892] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fd38da1532 4 bytes [DA, 38, FD, 07]
.text C:\WINDOWS\Explorer.EXE[3892] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fd38da153a 4 bytes [DA, 38, FD, 07]
.text C:\WINDOWS\Explorer.EXE[3892] C:\WINDOWS\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fd38da165a 4 bytes [DA, 38, FD, 07]
.text C:\Windows\System32\igfxpers.exe[816] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fd4b18177a 4 bytes [18, 4B, FD, 07]
.text C:\Windows\System32\igfxpers.exe[816] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fd4b181782 4 bytes [18, 4B, FD, 07]
.text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[5012] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fd38da1532 4 bytes [DA, 38, FD, 07]
.text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[5012] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fd38da153a 4 bytes [DA, 38, FD, 07]
.text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[5012] C:\WINDOWS\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fd38da165a 4 bytes [DA, 38, FD, 07]
.text C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe[5344] C:\WINDOWS\system32\psapi.dll!GetProcessImageFileNameA + 306 000007fd4b18177a 4 bytes [18, 4B, FD, 07]
.text C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe[5344] C:\WINDOWS\system32\psapi.dll!GetProcessImageFileNameA + 314 000007fd4b181782 4 bytes [18, 4B, FD, 07]

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\system32\csrss.exe [592:632] fffff9600091b5e8

---- Processes - GMER 2.1 ----

Library C:\ProgramData\YogaSmartSwicth\Server\x64\Windows7.SensorAndLocation.dll (*** suspicious ***) @ C:\ProgramData\YogaSmartSwicth\Server\x64\ymc.exe [2248] (FILE NOT FOUND) 000000af4fdc0000
Process C:\Users\Agnieszka\AppData\Local\PriceMeter\pricemeterw.exe (*** suspicious ***) @ C:\Users\Agnieszka\AppData\Local\PriceMeter\pricemeterw.exe [1260] (PriceMeterW/PriceMeter)(2014-06-29 17:20:30) 0000000000a60000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----