GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-21 21:22:35 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-4 WDC_WD2000JD-98HBB0 rev.08.02D08 186,31GB Running: iq7w30s2.exe; Driver: C:\Users\Radek\AppData\Local\Temp\kwddakog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800033c1000 45 bytes [00, 00, 16, 02, 4E, 74, 66, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800033c102f 29 bytes [00, 01, 00, 06, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\ProgramData\IePluginService\PluginService.exe[1256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000754f1465 2 bytes [4F, 75] .text C:\ProgramData\IePluginService\PluginService.exe[1256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754f14bb 2 bytes [4F, 75] .text ... * 2 .text C:\ProgramData\WPM\wprotectmanager.exe[1452] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000754f1465 2 bytes [4F, 75] .text C:\ProgramData\WPM\wprotectmanager.exe[1452] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754f14bb 2 bytes [4F, 75] .text ... * 2 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1860] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007746faa8 5 bytes JMP 00000001725e19b0 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[1860] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077470038 5 bytes JMP 00000001725e2066 .text C:\Program Files (x86)\Mobogenie\DaemonProcess.exe[2768] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000754f1465 2 bytes [4F, 75] .text C:\Program Files (x86)\Mobogenie\DaemonProcess.exe[2768] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754f14bb 2 bytes [4F, 75] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000754f1465 2 bytes [4F, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754f14bb 2 bytes [4F, 75] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000754f1465 2 bytes [4F, 75] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754f14bb 2 bytes [4F, 75] .text ... * 2 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4052] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000754f1465 2 bytes [4F, 75] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[4052] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754f14bb 2 bytes [4F, 75] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000754f1465 2 bytes [4F, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[4888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754f14bb 2 bytes [4F, 75] .text ... * 2 .text C:\Program Files (x86)\Jump Flip\bin\XTLSApp.exe[892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000754f1465 2 bytes [4F, 75] .text C:\Program Files (x86)\Jump Flip\bin\XTLSApp.exe[892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754f14bb 2 bytes [4F, 75] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff8800434aea4] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef328741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef3285f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef3285674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef3285e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef3287f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef3286a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef3286ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef3287b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef3287ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef32878b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef3284fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef3285d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3340] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef3287584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Threads - GMER 2.1 ---- Thread C:\Windows\SysWOW64\svchost.exe [2000:5876] 00000000726417a4 Thread C:\Windows\system32\taskhost.exe [1712:2120] 000007fef6c31f38 Thread C:\Windows\system32\taskhost.exe [1712:2124] 000007fef6bd2740 Thread C:\Windows\system32\taskhost.exe [1712:2128] 000007fefe9e9274 Thread C:\Windows\system32\taskhost.exe [1712:2216] 000007fefa4a1010 Thread C:\Windows\system32\taskhost.exe [1712:4316] 000007fef6965170 Thread C:\Windows\system32\svchost.exe [3024:3040] 000007fefdbda808 Thread C:\Windows\system32\svchost.exe [3024:3068] 000007fef4147130 Thread C:\Windows\system32\svchost.exe [3024:2076] 000007fef413d5c0 Thread C:\Windows\system32\svchost.exe [3024:2504] 000007fef7965fd0 Thread C:\Windows\system32\svchost.exe [3024:2508] 000007fef6713438 Thread C:\Windows\system32\svchost.exe [3024:2488] 000007fef79663ec Thread C:\Program Files\Windows Sidebar\sidebar.exe [3604:4636] 000007fef15c82c4 Thread C:\Program Files\Windows Sidebar\sidebar.exe [3604:4688] 000007fef0e285ac Thread C:\Program Files\Windows Sidebar\sidebar.exe [3604:4700] 000007fef0e285ac Thread C:\Program Files\Windows Sidebar\sidebar.exe [3604:4548] 000007fef0e285ac Thread C:\Program Files\Windows Sidebar\sidebar.exe [3604:4580] 000007feefd0f5a0 Thread C:\Program Files\Windows Sidebar\sidebar.exe [3604:3656] 000007fef2bc2020 Thread C:\Program Files\Windows Sidebar\sidebar.exe [3604:108] 000007fef2bc2020 Thread C:\Program Files\Windows Sidebar\sidebar.exe [3604:112] 000007fef2bc2020 Thread C:\Program Files\Windows Sidebar\sidebar.exe [3604:3588] 000007fef2bc2020 Thread C:\Program Files\Windows Sidebar\sidebar.exe [3604:4632] 000007feefce9fe4 Thread C:\Program Files\Windows Sidebar\sidebar.exe [3604:4640] 000007feefce98ac Thread C:\Windows\System32\WUDFHost.exe [5672:6044] 000007feed8f24a0 Thread C:\Windows\system32\DllHost.exe [5112:1104] 0000000062bbe320 Thread C:\Windows\System32\svchost.exe [6156:6548] 000007feeb559688 ---- EOF - GMER 2.1 ----