GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-04-23 00:31:23
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.GH10 596,17GB
Running: gmer.exe; Driver: C:\Users\misq\AppData\Local\Temp\awldqpow.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1672] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075931bb2 5 bytes JMP 0000000100422ac0
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3032] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 000000007600d03c 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000775f1401 2 bytes JMP 7601eb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3032] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000775f1419 2 bytes JMP 7602b513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000775f1431 2 bytes JMP 760a8609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000775f144a 2 bytes CALL 76001dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3032] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000775f14dd 2 bytes JMP 760a7efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000775f14f5 2 bytes JMP 760a80d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3032] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000775f150d 2 bytes JMP 760a7df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000775f1525 2 bytes JMP 760a81c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000775f153d 2 bytes JMP 7601f088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3032] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000775f1555 2 bytes JMP 7602b885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000775f156d 2 bytes JMP 760a86c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000775f1585 2 bytes JMP 760a8222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3032] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000775f159d 2 bytes JMP 760a7db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000775f15b5 2 bytes JMP 7601f121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000775f15cd 2 bytes JMP 7602b29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000775f16b2 2 bytes JMP 760a8584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3032] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000775f16bd 2 bytes JMP 760a7d4d C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread C:\Windows\System32\svchost.exe [3632:2348] 000007fef0ad9688

---- Processes - GMER 2.1 ----

Library C:\Users\misq\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\Ontology.dll (*** suspicious ***) @ C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [1672] (Application Ontology library/NVIDIA Corporation)(2015-04-21 17:08:20) 0000000073b30000

---- Files - GMER 2.1 ----

File C:\Users\misq\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001ddb 24301 bytes
File C:\Users\misq\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001ddc 25075 bytes
File C:\Users\misq\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001ddd 16803 bytes
File C:\Users\misq\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001dde 18146 bytes
File C:\Users\misq\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001ddf 20900 bytes
File C:\Users\misq\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001de1 23195 bytes
File C:\Users\misq\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001de4 68514 bytes
File C:\Users\misq\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001de8 20645 bytes
File C:\Users\misq\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001de9 85949 bytes
File C:\Users\misq\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001dea 18969 bytes
File C:\Users\misq\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001deb 20013 bytes
File C:\Users\misq\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001dec 32570 bytes
File C:\Users\misq\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001ded 41125 bytes
File C:\Users\misq\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001dee 43922 bytes
File C:\Users\misq\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001df0 26755 bytes
File C:\Users\misq\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001df1 36879 bytes
File C:\Users\misq\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001df2 114816 bytes
File C:\Users\misq\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001de2 31146 bytes

---- EOF - GMER 2.1 ----