GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-19 20:29:15
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\0000001f ST500LT012-1DG142 rev.0002LVM1 465,76GB
Running: c0o6i0kt.exe; Driver: C:\Users\EWAMAN~1\AppData\Local\Temp\awliqfob.sys


---- User code sections - GMER 2.1 ----

.text    C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[1368] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506                                                                                     00007ffc472c169a 4 bytes [2C, 47, FC, 7F]
.text    C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[1368] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514                                                                                     00007ffc472c16a2 4 bytes [2C, 47, FC, 7F]
.text    C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[1368] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118                                                                                        00007ffc472c181a 4 bytes [2C, 47, FC, 7F]
.text    C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[1368] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142                                                                                        00007ffc472c1832 4 bytes [2C, 47, FC, 7F]
.text    C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe[2132] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506                                                                         00007ffc472c169a 4 bytes [2C, 47, FC, 7F]
.text    C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe[2132] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514                                                                         00007ffc472c16a2 4 bytes [2C, 47, FC, 7F]
.text    C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe[2132] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118                                                                            00007ffc472c181a 4 bytes [2C, 47, FC, 7F]
.text    C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe[2132] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142                                                                            00007ffc472c1832 4 bytes [2C, 47, FC, 7F]
.text    C:\WINDOWS\Explorer.EXE[4932] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506                                                                                                                      00007ffc472c169a 4 bytes [2C, 47, FC, 7F]
.text    C:\WINDOWS\Explorer.EXE[4932] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514                                                                                                                      00007ffc472c16a2 4 bytes [2C, 47, FC, 7F]
.text    C:\WINDOWS\Explorer.EXE[4932] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118                                                                                                                         00007ffc472c181a 4 bytes [2C, 47, FC, 7F]
.text    C:\WINDOWS\Explorer.EXE[4932] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142                                                                                                                         00007ffc472c1832 4 bytes [2C, 47, FC, 7F]
.text    C:\Program Files\Common Files\McAfee\platform\McUICnt.exe[4296] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506                                                                                    00007ffc472c169a 4 bytes [2C, 47, FC, 7F]
.text    C:\Program Files\Common Files\McAfee\platform\McUICnt.exe[4296] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514                                                                                    00007ffc472c16a2 4 bytes [2C, 47, FC, 7F]
.text    C:\Program Files\Common Files\McAfee\platform\McUICnt.exe[4296] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118                                                                                       00007ffc472c181a 4 bytes [2C, 47, FC, 7F]
.text    C:\Program Files\Common Files\McAfee\platform\McUICnt.exe[4296] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142                                                                                       00007ffc472c1832 4 bytes [2C, 47, FC, 7F]

---- Threads - GMER 2.1 ----

Thread   C:\WINDOWS\system32\csrss.exe [4992:2336]                                                                                                                                                                 fffff9600086db90
Thread   C:\WINDOWS\Explorer.EXE [4932:2848]                                                                                                                                                                       00007ffc2d88d73c

---- Processes - GMER 2.1 ----

Library  C:\Program Files\WindowsApps\McAfeeInc.06.McAfeeSecurityAdvisorforLenovo_4.0.145.1_x64__bq6yxensn79aw\McCloudShim.dll (*** suspicious ***) @ C:\WINDOWS\system32\wwahost.exe [3056](2015-02-10 18:03:46)  00007ffc39bd0000

---- Disk sectors - GMER 2.1 ----

Disk     \Device\Harddisk0\DR0                                                                                                                                                                                     unknown MBR code

---- EOF - GMER 2.1 ----
