GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-10-31 19:50:21 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000080 ATA_____ rev.2J__ 465,76GB Running: gmer.exe; Driver: C:\Users\Basia\AppData\Local\Temp\kwddrkob.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1664] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a61401 2 bytes JMP 7737b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1664] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a61419 2 bytes JMP 7737b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a61431 2 bytes JMP 773f9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a6144a 2 bytes CALL 77354885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1664] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a614dd 2 bytes JMP 773f8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1664] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a614f5 2 bytes JMP 773f8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1664] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a6150d 2 bytes JMP 773f8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1664] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a61525 2 bytes JMP 773f8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1664] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a6153d 2 bytes JMP 7736fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1664] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a61555 2 bytes JMP 77376907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1664] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a6156d 2 bytes JMP 773f9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1664] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a61585 2 bytes JMP 773f8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1664] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a6159d 2 bytes JMP 773f88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1664] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a615b5 2 bytes JMP 7736fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1664] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a615cd 2 bytes JMP 7737b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1664] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a616b2 2 bytes JMP 773f90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1664] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a616bd 2 bytes JMP 773f8891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a61401 2 bytes JMP 7737b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2320] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a61419 2 bytes JMP 7737b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a61431 2 bytes JMP 773f9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a6144a 2 bytes CALL 77354885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2320] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a614dd 2 bytes JMP 773f8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a614f5 2 bytes JMP 773f8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2320] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a6150d 2 bytes JMP 773f8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a61525 2 bytes JMP 773f8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a6153d 2 bytes JMP 7736fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2320] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a61555 2 bytes JMP 77376907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a6156d 2 bytes JMP 773f9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a61585 2 bytes JMP 773f8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2320] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a6159d 2 bytes JMP 773f88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a615b5 2 bytes JMP 7736fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a615cd 2 bytes JMP 7737b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a616b2 2 bytes JMP 773f90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2320] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a616bd 2 bytes JMP 773f8891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3368] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a61401 2 bytes JMP 7737b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3368] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a61419 2 bytes JMP 7737b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a61431 2 bytes JMP 773f9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a6144a 2 bytes CALL 77354885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3368] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a614dd 2 bytes JMP 773f8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3368] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a614f5 2 bytes JMP 773f8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3368] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a6150d 2 bytes JMP 773f8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3368] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a61525 2 bytes JMP 773f8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3368] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a6153d 2 bytes JMP 7736fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3368] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a61555 2 bytes JMP 77376907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3368] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a6156d 2 bytes JMP 773f9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3368] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a61585 2 bytes JMP 773f8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3368] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a6159d 2 bytes JMP 773f88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3368] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a615b5 2 bytes JMP 7736fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3368] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a615cd 2 bytes JMP 7737b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3368] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a616b2 2 bytes JMP 773f90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3368] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a616bd 2 bytes JMP 773f8891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075a61401 2 bytes JMP 7737b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe[2252] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075a61419 2 bytes JMP 7737b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075a61431 2 bytes JMP 773f9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075a6144a 2 bytes CALL 77354885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe[2252] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075a614dd 2 bytes JMP 773f8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075a614f5 2 bytes JMP 773f8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe[2252] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075a6150d 2 bytes JMP 773f8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075a61525 2 bytes JMP 773f8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075a6153d 2 bytes JMP 7736fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe[2252] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075a61555 2 bytes JMP 77376907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075a6156d 2 bytes JMP 773f9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075a61585 2 bytes JMP 773f8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe[2252] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075a6159d 2 bytes JMP 773f88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075a615b5 2 bytes JMP 7736fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075a615cd 2 bytes JMP 7737b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075a616b2 2 bytes JMP 773f90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075a616bd 2 bytes JMP 773f8891 C:\Windows\syswow64\kernel32.dll ---- Devices - GMER 2.2 ---- Device \FileSystem\MBAMWebAccessControl \Device\StreamEitor fffff8800998a5ac ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\df011ed9-9131-49b9-8090-46963cfb65ce\238c9fa8-0aad-41ed-83f4-97be242c8f20\29f6c1db-86da-48c5-9fdb-f2b67b1f44da@DCSettingIndex 900 Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\df011ed9-9131-49b9-8090-46963cfb65ce\238c9fa8-0aad-41ed-83f4-97be242c8f20\29f6c1db-86da-48c5-9fdb-f2b67b1f44da@ACSettingIndex 900 Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\df011ed9-9131-49b9-8090-46963cfb65ce\7516b95f-f776-4464-8c53-06167f40cc99\3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e@DCSettingIndex 180 Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\df011ed9-9131-49b9-8090-46963cfb65ce\7516b95f-f776-4464-8c53-06167f40cc99\3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e@ACSettingIndex 600 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\dc85de53893a Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\dc85de53893a (not active ControlSet) ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----