GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2016-04-10 10:18:37
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000034 WDC_WD10S21X-24R1BT0-SSHD-8GB rev.03.01A01 931,51GB
Running: jhnmqgsg.exe; Driver: C:\Users\vinohrad\AppData\Local\Temp\fwdcipow.sys

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\nvvsvc.exe[440] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa0351169a 4 bytes [51, 03, FA, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[440] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa035116a2 4 bytes [51, 03, FA, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[440] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa0351181a 4 bytes [51, 03, FA, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[440] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa03511832 4 bytes [51, 03, FA, 7F]
.text C:\WINDOWS\Explorer.EXE[1684] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa0351169a 4 bytes [51, 03, FA, 7F]
.text C:\WINDOWS\Explorer.EXE[1684] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa035116a2 4 bytes [51, 03, FA, 7F]
.text C:\WINDOWS\Explorer.EXE[1684] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa0351181a 4 bytes [51, 03, FA, 7F]
.text C:\WINDOWS\Explorer.EXE[1684] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa03511832 4 bytes [51, 03, FA, 7F]
.text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[4484] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa0351169a 4 bytes [51, 03, FA, 7F]
.text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[4484] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa035116a2 4 bytes [51, 03, FA, 7F]
.text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[4484] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa0351181a 4 bytes [51, 03, FA, 7F]
.text C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe[4484] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa03511832 4 bytes [51, 03, FA, 7F]
.text C:\Users\vinohrad\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[4552] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa0351169a 4 bytes [51, 03, FA, 7F]
.text C:\Users\vinohrad\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[4552] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa035116a2 4 bytes [51, 03, FA, 7F]
.text C:\Users\vinohrad\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[4552] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa0351181a 4 bytes [51, 03, FA, 7F]
.text C:\Users\vinohrad\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[4552] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa03511832 4 bytes [51, 03, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4620] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa0351169a 4 bytes [51, 03, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4620] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa035116a2 4 bytes [51, 03, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4620] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa0351181a 4 bytes [51, 03, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4620] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa03511832 4 bytes [51, 03, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4620] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ff9e8511f6a 4 bytes [51, E8, F9, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4620] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ff9e8511f82 4 bytes [51, E8, F9, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[4764] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ff9e8511f6a 4 bytes [51, E8, F9, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[4764] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ff9e8511f82 4 bytes [51, E8, F9, 7F]
.text C:\Program Files\Windows Defender\MsMpEng.exe[5356] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 506 00007ffa0351169a 4 bytes [51, 03, FA, 7F]
.text C:\Program Files\Windows Defender\MsMpEng.exe[5356] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 514 00007ffa035116a2 4 bytes [51, 03, FA, 7F]
.text C:\Program Files\Windows Defender\MsMpEng.exe[5356] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 118 00007ffa0351181a 4 bytes [51, 03, FA, 7F]
.text C:\Program Files\Windows Defender\MsMpEng.exe[5356] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 142 00007ffa03511832 4 bytes [51, 03, FA, 7F]

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\system32\csrss.exe [720:728] fffff96000874b90

---- Processes - GMER 2.1 ----

Process C:\Users\vinohrad\AppData\Local\Temp\Temp1_gm.zip\jhnmqgsg.exe (*** suspicious ***) @ C:\Users\vinohrad\AppData\Local\Temp\Temp1_gm.zip\jhnmqgsg.exe [2412](2015-02-04 11:59:58) 0000000000400000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----