GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-10-17 19:50:06
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB
Running: 653qqkw2.exe; Driver: C:\Users\Filozof\AppData\Local\Temp\uxliyfog.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\wininit.exe[608] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ebef8d 1 byte [62]
.text C:\Windows\system32\winlogon.exe[676] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ebef8d 1 byte [62]
.text C:\Windows\system32\services.exe[712] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ebef8d 1 byte [62]
.text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ebef8d 1 byte [62]
.text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ebef8d 1 byte [62]
.text C:\Windows\system32\svchost.exe[620] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ebef8d 1 byte [62]
.text C:\Windows\system32\WLANExt.exe[1280] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ebef8d 1 byte [62]
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1312] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e4a2fd 1 byte [62]
.text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1384] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e4a2fd 1 byte [62]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1708] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ebef8d 1 byte [62]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[1640] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e4a2fd 1 byte [62]
.text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2428] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e4a2fd 1 byte [62]
.text C:\Windows\system32\wbem\wmiprvse.exe[2564] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ebef8d 1 byte [62]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2312] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e4a2fd 1 byte [62]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2312] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075e11465 2 bytes [E1, 75]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2312] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075e114bb 2 bytes [E1, 75]
.text ... * 2
.text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[3636] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ebef8d 1 byte [62]
.text C:\Windows\system32\nvvsvc.exe[3696] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ebef8d 1 byte [62]
.text C:\Windows\Explorer.EXE[3836] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ebef8d 1 byte [62]
.text C:\Windows\AsScrPro.exe[3444] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e4a2fd 1 byte [62]
.text C:\Windows\AsScrPro.exe[3444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075e11465 2 bytes [E1, 75]
.text C:\Windows\AsScrPro.exe[3444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075e114bb 2 bytes [E1, 75]
.text ... * 2
.text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3748] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e4a2fd 1 byte [62]
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4188] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ebef8d 1 byte [62]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4304] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ebef8d 1 byte [62]
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4436] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ebef8d 1 byte [62]
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4584] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076ebef8d 1 byte [62]
.text C:\Users\Filozof\AppData\Local\Smartbar\Application\SafeFinder.exe[4612] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000074e4a2fd 1 byte [62]
.text C:\Users\Filozof\AppData\Local\Smartbar\Application\SafeFinder.exe[4612] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075e11465 2 bytes [E1, 75]
.text C:\Users\Filozof\AppData\Local\Smartbar\Application\SafeFinder.exe[4612] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000075e114bb 2 bytes [E1, 75]
.text ... * 2
.text C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe[4884] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e4a2fd 1 byte [62]
.text C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe[4984] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e4a2fd 1 byte [62]
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[4372] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e4a2fd 1 byte [62]
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4356] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e4a2fd 1 byte [62]
.text C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe[4824] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e4a2fd 1 byte [62]
.text C:\Program Files\AVAST Software\Avast\avastui.exe[5028] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000074e28791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text C:\Program Files\AVAST Software\Avast\avastui.exe[5028] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e4a2fd 1 byte [62]
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5116] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e4a2fd 1 byte [62]
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5116] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075e11465 2 bytes [E1, 75]
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5116] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075e114bb 2 bytes [E1, 75]
.text ... * 2
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2764] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076ebef8d 1 byte [62]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[5228] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e4a2fd 1 byte [62]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[5228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075e11465 2 bytes [E1, 75]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[5228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075e114bb 2 bytes [E1, 75]
.text ... * 2
.text C:\Users\Filozof\Downloads\653qqkw2.exe[4568] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e4a2fd 1 byte [62]

---- Threads - GMER 2.1 ----

Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3500:3516] 0000000074f27587
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3500:3528] 0000000070f07712
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3500:3548] 00000000771b2e65
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3500:5960] 00000000771b3e85
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3500:2960] 00000000771b3e85
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3500:3008] 00000000771b3e85

---- Processes - GMER 2.1 ----

Library C:\Users\Filozof\AppData\Local\Smartbar\Application\AxInterop.WMPLib.dll (*** suspicious ***) @ C:\Users\Filozof\AppData\Local\Smartbar\Application\SafeFinder.exe [4612](2014-05-12 01:46:24) 000000006fb20000

---- EOF - GMER 2.1 ----