GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-04-12 18:28:31 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 INTEL_SS rev.4PC1 149,05GB Running: c5p4rb37.exe; Driver: C:\Users\jbr\AppData\Local\Temp\kxrdapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\System32\svchost.exe[1112] C:\Windows\System32\RASAPI32.dll!RasHangUpW 000007fefa69fa84 5 bytes JMP 000007ff7a6a0080 .text C:\Windows\System32\svchost.exe[1112] C:\Windows\System32\RASAPI32.dll!RasDialW 000007fefa6a96f4 5 bytes JMP 000007ff7a6b0080 .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[2536] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b01465 2 bytes [B0, 74] .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[2536] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b014bb 2 bytes [B0, 74] .text ... * 2 .text C:\Program Files (x86)\TightVNC\tvnserver.exe[3408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b01465 2 bytes [B0, 74] .text C:\Program Files (x86)\TightVNC\tvnserver.exe[3408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b014bb 2 bytes [B0, 74] .text ... * 2 .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b01465 2 bytes [B0, 74] .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[3720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b014bb 2 bytes [B0, 74] .text ... * 2 .text C:\Windows\system32\wbem\wmiprvse.exe[3908] C:\Windows\system32\TAPI32.dll!lineDialW 000007fee64c64f4 9 bytes JMP 000007ff664d0080 .text C:\Windows\system32\wbem\wmiprvse.exe[3908] C:\Windows\system32\TAPI32.dll!lineMakeCallW 000007fee64cb328 5 bytes JMP 000007fee6760080 .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b01465 2 bytes [B0, 74] .text C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe[5688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b014bb 2 bytes [B0, 74] .text ... * 2 .text C:\Program Files\Windows Sidebar\sidebar.exe[5844] C:\Windows\system32\RASAPI32.dll!RasHangUpW 000007fefa69fa84 5 bytes JMP 000007ff7a6a0080 .text C:\Program Files\Windows Sidebar\sidebar.exe[5844] C:\Windows\system32\RASAPI32.dll!RasDialW 000007fefa6a96f4 5 bytes JMP 000007ff7a6b0080 .text C:\Program Files (x86)\Konnekt\konnekt.exe[5240] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b01465 2 bytes [B0, 74] .text C:\Program Files (x86)\Konnekt\konnekt.exe[5240] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b014bb 2 bytes [B0, 74] .text ... * 2 .text C:\Program Files (x86)\Garmin\ANT Agent\ANT Agent.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b01465 2 bytes [B0, 74] .text C:\Program Files (x86)\Garmin\ANT Agent\ANT Agent.exe[2760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b014bb 2 bytes [B0, 74] .text ... * 2 .text C:\Users\jbr\AppData\Roaming\Pgvvpwwaqgocctdh.exe[6168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b01465 2 bytes [B0, 74] .text C:\Users\jbr\AppData\Roaming\Pgvvpwwaqgocctdh.exe[6168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b014bb 2 bytes [B0, 74] .text ... * 2 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[6308] C:\Windows\system32\RASAPI32.dll!RasHangUpW 000007fefa69fa84 5 bytes JMP 000007ff7a6a0080 .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[6308] C:\Windows\system32\RASAPI32.dll!RasDialW 000007fefa6a96f4 5 bytes JMP 000007ff7a6b0080 .text C:\Program Files\Rainmeter\Rainmeter.exe[6484] C:\Windows\system32\RASAPI32.dll!RasHangUpW 000007fefa69fa84 5 bytes JMP 000007ff7a6a0080 .text C:\Program Files\Rainmeter\Rainmeter.exe[6484] C:\Windows\system32\RASAPI32.dll!RasDialW 000007fefa6a96f4 5 bytes JMP 000007ff7a6b0080 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[6512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b01465 2 bytes [B0, 74] .text C:\Program Files (x86)\SpeedFan\speedfan.exe[6512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b014bb 2 bytes [B0, 74] .text ... * 2 .text C:\Users\jbr\AppData\Roaming\Dropbox\bin\Dropbox.exe[6596] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 0000000074b01465 2 bytes [B0, 74] .text C:\Users\jbr\AppData\Roaming\Dropbox\bin\Dropbox.exe[6596] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 0000000074b014bb 2 bytes [B0, 74] .text ... * 2 .text C:\Program Files (x86)\TC UP\TC UP.exe[6756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b01465 2 bytes [B0, 74] .text C:\Program Files (x86)\TC UP\TC UP.exe[6756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b014bb 2 bytes [B0, 74] .text ... * 2 .text C:\Program Files (x86)\Lenovo\MobileAccess\MobileAccess.exe[6940] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000074b01465 2 bytes [B0, 74] .text C:\Program Files (x86)\Lenovo\MobileAccess\MobileAccess.exe[6940] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000074b014bb 2 bytes [B0, 74] .text ... * 2 .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[7172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b01465 2 bytes [B0, 74] .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[7172] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b014bb 2 bytes [B0, 74] .text ... * 2 .text C:\Program Files (x86)\Lenovo\MobileAccess\MacheenService.exe[7000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b01465 2 bytes [B0, 74] .text C:\Program Files (x86)\Lenovo\MobileAccess\MacheenService.exe[7000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b014bb 2 bytes [B0, 74] .text ... * 2 .text C:\Users\jbr\AppData\Local\Temp\trjritnskgkpdjk.exe[8992] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000074b01465 2 bytes [B0, 74] .text C:\Users\jbr\AppData\Local\Temp\trjritnskgkpdjk.exe[8992] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000074b014bb 2 bytes [B0, 74] .text ... * 2 .text C:\Windows\SysWOW64\RunDll32.exe[8716] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b01465 2 bytes [B0, 74] .text C:\Windows\SysWOW64\RunDll32.exe[8716] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b014bb 2 bytes [B0, 74] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b01465 2 bytes [B0, 74] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b014bb 2 bytes [B0, 74] .text ... * 2 .text C:\Users\jbr\dwhelper\Favorites\Downloads\c5p4rb37.exe[9620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b01465 2 bytes [B0, 74] .text C:\Users\jbr\dwhelper\Favorites\Downloads\c5p4rb37.exe[9620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b014bb 2 bytes [B0, 74] .text ... * 2 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\402cf46a3e73 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\60d819acb48f Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\402cf46a3e73 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\60d819acb48f (not active ControlSet) ---- Files - GMER 2.1 ---- File C:\Users\jbr\AppData\Local\Mozilla\Firefox\Profiles\aza9s3t3.default-1355738652599\startupCache\startupCache.4.little 1470639 bytes ---- EOF - GMER 2.1 ----