GMER 2.0.18454 - http://www.gmer.net Rootkit scan 2013-01-31 11:59:25 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST975042 rev.0002 698,64GB Running: 4vzu3qen.exe; Driver: C:\Users\DAMI\AppData\Local\Temp\aftciaoc.sys ---- Kernel code sections - GMER 2.0 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000183100 7 bytes [00, 9D, F3, FF, 01, A6, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000183108 3 bytes [00, 07, 02] .text ... * 107 .text C:\Windows\System32\win32k.sys!BRUSHOBJ_pvGetRbrush + 432 fffff96000239d68 8 bytes [08, 9C, C4, 01, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!CLIPOBJ_bEnum + 740 fffff9600023a238 8 bytes [C8, 9C, C4, 01, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!EngAcquireSemaphoreNoWait + 76 fffff9600023a8c8 8 bytes [20, 9D, C4, 01, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!EngIsSemaphoreSharedByCurrentThread + 24 fffff9600023a9a8 8 bytes [B0, A1, C4, 01, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!EngDeleteSafeSemaphore + 52 fffff9600023aa78 8 bytes [C4, AB, C4, 01, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!EngCreateBitmap + 44 fffff96000242908 8 bytes [28, A0, C4, 01, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!EngCreateEvent + 88 fffff9600024b2b8 8 bytes [B0, A3, C4, 01, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!EngRectInRgn + 48 fffff9600024b758 8 bytes [74, A5, C4, 01, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!EngSetRectRgn + 84 fffff9600024b8d8 8 bytes [84, AE, C4, 01, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!EngQueryPalette + 192 fffff96000265f48 8 bytes [88, A4, C4, 01, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!EngSaveFloatingPointState + 20 fffff9600027b158 8 bytes [68, A6, C4, 01, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!EngLoadModule + 420 fffff9600027c768 8 bytes [44, A7, C4, 01, 80, F8, FF, ...] ---- User code sections - GMER 2.0 ---- .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe[2000] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000779b0018 5 bytes JMP 000000016ac91765 .text C:\Program Files (x86)\Leica Geosystems\Cyclone\CyraLicense.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000764f1401 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\CyraLicense.exe[1564] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000764f1419 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\CyraLicense.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000764f1431 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\CyraLicense.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000764f144a 2 bytes [4F, 76] .text ... * 9 .text C:\Program Files (x86)\Leica Geosystems\Cyclone\CyraLicense.exe[1564] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764f14dd 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\CyraLicense.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764f14f5 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\CyraLicense.exe[1564] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000764f150d 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\CyraLicense.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000764f1525 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\CyraLicense.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000764f153d 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\CyraLicense.exe[1564] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000764f1555 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\CyraLicense.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000764f156d 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\CyraLicense.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000764f1585 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\CyraLicense.exe[1564] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000764f159d 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\CyraLicense.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764f15b5 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\CyraLicense.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764f15cd 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\CyraLicense.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764f16b2 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\CyraLicense.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764f16bd 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\fastobjectsserver.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000764f1401 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\fastobjectsserver.exe[2216] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000764f1419 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\fastobjectsserver.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000764f1431 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\fastobjectsserver.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000764f144a 2 bytes [4F, 76] .text ... * 9 .text C:\Program Files (x86)\Leica Geosystems\Cyclone\fastobjectsserver.exe[2216] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764f14dd 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\fastobjectsserver.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764f14f5 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\fastobjectsserver.exe[2216] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000764f150d 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\fastobjectsserver.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000764f1525 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\fastobjectsserver.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000764f153d 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\fastobjectsserver.exe[2216] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000764f1555 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\fastobjectsserver.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000764f156d 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\fastobjectsserver.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000764f1585 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\fastobjectsserver.exe[2216] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000764f159d 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\fastobjectsserver.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764f15b5 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\fastobjectsserver.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764f15cd 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\fastobjectsserver.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764f16b2 2 bytes [4F, 76] .text C:\Program Files (x86)\Leica Geosystems\Cyclone\fastobjectsserver.exe[2216] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764f16bd 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[3828] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExW + 17 00000000764f1401 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[3828] C:\Windows\syswow64\PsApi.dll!EnumProcessModules + 17 00000000764f1419 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[3828] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 17 00000000764f1431 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[3828] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 42 00000000764f144a 2 bytes [4F, 76] .text ... * 9 .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[3828] C:\Windows\syswow64\PsApi.dll!EnumDeviceDrivers + 17 00000000764f14dd 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[3828] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameA + 17 00000000764f14f5 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[3828] C:\Windows\syswow64\PsApi.dll!QueryWorkingSetEx + 17 00000000764f150d 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[3828] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameW + 17 00000000764f1525 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[3828] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameW + 17 00000000764f153d 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[3828] C:\Windows\syswow64\PsApi.dll!EnumProcesses + 17 00000000764f1555 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[3828] C:\Windows\syswow64\PsApi.dll!GetProcessMemoryInfo + 17 00000000764f156d 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[3828] C:\Windows\syswow64\PsApi.dll!GetPerformanceInfo + 17 00000000764f1585 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[3828] C:\Windows\syswow64\PsApi.dll!QueryWorkingSet + 17 00000000764f159d 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[3828] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameA + 17 00000000764f15b5 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[3828] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExA + 17 00000000764f15cd 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[3828] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 20 00000000764f16b2 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[3828] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 31 00000000764f16bd 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1336] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 00000000764f1401 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1336] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 00000000764f1419 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1336] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 00000000764f1431 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1336] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 00000000764f144a 2 bytes [4F, 76] .text ... * 9 .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1336] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000764f14dd 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1336] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000764f14f5 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1336] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 00000000764f150d 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1336] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 00000000764f1525 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1336] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 00000000764f153d 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1336] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 00000000764f1555 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1336] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 00000000764f156d 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1336] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 00000000764f1585 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1336] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 00000000764f159d 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1336] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000764f15b5 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1336] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000764f15cd 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1336] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000764f16b2 2 bytes [4F, 76] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1336] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000764f16bd 2 bytes [4F, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[6016] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000764f1401 2 bytes [4F, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[6016] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000764f1419 2 bytes [4F, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[6016] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000764f1431 2 bytes [4F, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[6016] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000764f144a 2 bytes [4F, 76] .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[6016] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764f14dd 2 bytes [4F, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[6016] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764f14f5 2 bytes [4F, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[6016] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000764f150d 2 bytes [4F, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[6016] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000764f1525 2 bytes [4F, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[6016] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000764f153d 2 bytes [4F, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[6016] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000764f1555 2 bytes [4F, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[6016] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000764f156d 2 bytes [4F, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[6016] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000764f1585 2 bytes [4F, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[6016] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000764f159d 2 bytes [4F, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[6016] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764f15b5 2 bytes [4F, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[6016] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764f15cd 2 bytes [4F, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[6016] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764f16b2 2 bytes [4F, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[6016] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764f16bd 2 bytes [4F, 76] ---- User IAT/EAT - GMER 2.0 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef50a2750] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef50a2b98] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef50a7de0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef50a8130] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef50a1908] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef50a1c00] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef50a81d8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef50a2878] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef50a7a5c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmIncrement] [7fef50a6c48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef50a77bc] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef50a7064] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef50a6544] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef50a5e30] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Threads - GMER 2.0 ---- Thread C:\Windows\System32\svchost.exe [3756:5928] 000007fef4d59688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5348:5800] 000007fefbf92ab8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5348:5996] 000007fefa9b5124 ---- Registry - GMER 2.0 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68c9a42d Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68c9a42d@0022fc4d18e8 0x7D 0x37 0x53 0xE3 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68c9a42d@a8e018b38388 0xE0 0x7E 0x33 0x36 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68c9a42d (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68c9a42d@0022fc4d18e8 0x7D 0x37 0x53 0xE3 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68c9a42d@a8e018b38388 0xE0 0x7E 0x33 0x36 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0BCE6A7A-03BB-B73B-967E-14475D9871F7} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0BCE6A7A-03BB-B73B-967E-14475D9871F7}@dannhapa 0x64 0x62 0x6F 0x64 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3E29B86D-0995-BFC8-6B38-65D18FD65D43} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3E29B86D-0995-BFC8-6B38-65D18FD65D43}@iacocjbmhfnbkmooad 0x69 0x61 0x70 0x67 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3E29B86D-0995-BFC8-6B38-65D18FD65D43}@hamnigapifkploge 0x69 0x61 0x70 0x67 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3E29B86D-0995-BFC8-6B38-65D18FD65D43}@eakpbikili 0x6A 0x61 0x65 0x62 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3E29B86D-0995-BFC8-6B38-65D18FD65D43}@danpallp 0x64 0x62 0x63 0x6F ... ---- Files - GMER 2.0 ---- File C:\Users\DAMI\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IJIB3012\K53SV[1].idx 9362 bytes ---- EOF - GMER 2.0 ----