GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-04-07 22:31:45 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 298,09GB Running: on6swt70.exe; Driver: C:\Users\Myszka\AppData\Local\Temp\awrdrpob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800039b7000 86 bytes [B8, D0, 73, 04, A0, F8, FF, ...] INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 749 fffff800039b70dd 7 bytes [F8, FF, FF, 98, D1, 73, 04] ---- User code sections - GMER 2.1 ---- .text C:\windows\system32\wininit.exe[580] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779fef8d 1 byte [62] .text C:\windows\system32\services.exe[648] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779fef8d 1 byte [62] .text C:\windows\system32\winlogon.exe[692] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779fef8d 1 byte [62] .text C:\windows\system32\nvvsvc.exe[900] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779fef8d 1 byte [62] .text C:\windows\System32\svchost.exe[336] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779fef8d 1 byte [62] .text C:\windows\system32\svchost.exe[452] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779fef8d 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1660] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007725a2fd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1716] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007725a2fd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1716] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075731465 2 bytes [73, 75] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1716] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000757314bb 2 bytes [73, 75] .text ... * 2 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1824] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007725a2fd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1848] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779fef8d 1 byte [62] .text C:\windows\system32\rundll32.exe[2116] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779fef8d 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2388] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007725a2fd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[2564] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779fef8d 1 byte [62] .text C:\windows\system32\nvvsvc.exe[2664] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779fef8d 1 byte [62] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2672] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007725a2fd 1 byte [62] .text C:\windows\system32\taskhost.exe[504] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779fef8d 1 byte [62] .text C:\windows\Explorer.EXE[1732] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779fef8d 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1548] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007725a2fd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1548] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075731465 2 bytes [73, 75] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1548] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000757314bb 2 bytes [73, 75] .text ... * 2 ? C:\windows\system32\mssprxy.dll [1548] entry point in ".rdata" section 00000000727671e6 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1800] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779fef8d 1 byte [62] .text C:\windows\system32\conhost.exe[2152] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779fef8d 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3648] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779fef8d 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3084] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007725a2fd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3380] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779fef8d 1 byte [62] .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[1684] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007725a2fd 1 byte [62] .text C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe[3948] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007725a2fd 1 byte [62] .text C:\Users\Myszka\Desktop\FRST64.exe[3704] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000779fef8d 1 byte [62] .text C:\Users\Myszka\Desktop\on6swt70.exe[4352] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007725a2fd 1 byte [62] ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654edff Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654f652 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b66b6864 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b66b6982 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654edff (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654f652 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b66b6864 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b66b6982 (not active ControlSet) ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.1 ---- File C:\Users\Myszka\AppData\Local\Mozilla\Firefox\Profiles\gx412k1o.default-1408349656682\cache2\entries\50DE6F86A9AAC71CE964AD60F2E0E2F26B381ECE 0 bytes File C:\Users\Myszka\AppData\Local\Mozilla\Firefox\Profiles\gx412k1o.default-1408349656682\cache2\entries\3815D770DB0C9F0D25AE4B91567187BC9B26DDA9 15068 bytes File C:\Users\Myszka\AppData\Local\Mozilla\Firefox\Profiles\gx412k1o.default-1408349656682\cache2\entries\F9AD317BC5FA1F65BFCED6B82B64175425047CE7 3695 bytes File C:\Users\Myszka\AppData\Local\Mozilla\Firefox\Profiles\gx412k1o.default-1408349656682\cache2\entries\E0D28417D3308C16D4B48987EDC1EFB6F18127D1 31615 bytes File C:\Users\Myszka\AppData\Local\Mozilla\Firefox\Profiles\gx412k1o.default-1408349656682\cache2\entries\2A9451C1A7EE22025B80FA78CCCA945E8382BB52 2579 bytes File C:\Users\Myszka\AppData\Local\Mozilla\Firefox\Profiles\gx412k1o.default-1408349656682\cache2\entries\F718F5BA8EA0284A8E3D2830C12D43BB1E3701E4 6624 bytes File C:\Users\Myszka\AppData\Local\Mozilla\Firefox\Profiles\gx412k1o.default-1408349656682\cache2\entries\92D1947D6C1D7416E0F0AE7BE2417E3804B01168 3267 bytes File C:\Users\Myszka\AppData\Local\Mozilla\Firefox\Profiles\gx412k1o.default-1408349656682\cache2\entries\3F9851D88238E0210466F7F8C3EB89BBB39F890A 4037 bytes File C:\Users\Myszka\AppData\Local\Mozilla\Firefox\Profiles\gx412k1o.default-1408349656682\cache2\entries\DAB5C6C6F3904906CD15986AB79DDDAC74C0F29D 7039 bytes File C:\Users\Myszka\AppData\Local\Mozilla\Firefox\Profiles\gx412k1o.default-1408349656682\cache2\entries\FF264397ED0F0606F80CABFA90C3B7DF66B3210C 3200 bytes File C:\Users\Myszka\AppData\Local\Mozilla\Firefox\Profiles\gx412k1o.default-1408349656682\cache2\entries\CF8A0FF9044DDE771DD652C033D61AD08CE6793E 5290 bytes ---- EOF - GMER 2.1 ----