GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-30 21:16:46 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.01.0 298,09GB Running: cfro6m91.exe; Driver: C:\Users\KATARZ~1\AppData\Local\Temp\kwtcquob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff800033be000 13 bytes [58, 53, 41, 56, 45, 44, 49, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 576 fffff800033be010 49 bytes [0D, 00, 90, 90, 90, 90, 90, ...] ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2176] C:\Windows\system32\kernel32.dll!LoadLibraryW 0000000076f56f80 5 bytes JMP 0000000103d4014a .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2176] C:\Windows\system32\kernel32.dll!LoadLibraryA 0000000076f57070 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2176] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd829940 5 bytes JMP 000007ffe11f3040 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2176] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd82bbb0 5 bytes JMP 000007ffe11f2fd0 .text C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe[2208] C:\Windows\system32\kernel32.dll!LoadLibraryW 0000000076f56f80 5 bytes JMP 000000010347014a .text C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe[2208] C:\Windows\system32\kernel32.dll!LoadLibraryA 0000000076f57070 14 bytes {JMP QWORD [RIP+0x0]} .text C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe[2208] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd829940 5 bytes JMP 000007ffe11f3040 .text C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe[2208] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd82bbb0 5 bytes JMP 000007ffe11f2fd0 .text C:\Windows\SysWOW64\PnkBstrA.exe[3392] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000072cb1a22 2 bytes [CB, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[3392] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000072cb1ad0 2 bytes [CB, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[3392] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000072cb1b08 2 bytes [CB, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[3392] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000072cb1bba 2 bytes [CB, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[3392] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000072cb1bda 2 bytes [CB, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[3392] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e81465 2 bytes [E8, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[3392] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e814bb 2 bytes [E8, 74] .text ... * 2 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e81465 2 bytes [E8, 74] .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e814bb 2 bytes [E8, 74] .text ... * 2 .text C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe[3696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e81465 2 bytes [E8, 74] .text C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe[3696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e814bb 2 bytes [E8, 74] .text ... * 2 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9439e5c2716c Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9439e5c2716c@001fe4d916ce 0x75 0xDF 0x69 0x9F ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9439e5c2716c@10683fcc3d1c 0x05 0x03 0xEC 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ccaf78d4af20 Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{CEBED984-1589-4EBF-8E70-FF66C538F121}@InterfaceName isatap.{3E67F3E7-84CF-498A-ABBD-A2F815E596C9} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{CEBED984-1589-4EBF-8E70-FF66C538F121}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 9167 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\9439e5c2716c (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\9439e5c2716c@001fe4d916ce 0x75 0xDF 0x69 0x9F ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\9439e5c2716c@10683fcc3d1c 0x05 0x03 0xEC 0x80 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ccaf78d4af20 (not active ControlSet) ---- EOF - GMER 2.1 ----