GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-06-11 22:35:50
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST975042 rev.0002 698,64GB
Running: yjtfhkvb.exe; Driver: C:\Users\ZBIGNI~1.KOT\AppData\Local\Temp\agtoapog.sys


---- User code sections - GMER 2.1 ----

.text   C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2344]   C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69    0000000077301465 2 bytes [30, 77]
.text   C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2344]   C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   00000000773014bb 2 bytes [30, 77]
.text   ...   * 2
.text   C:\windows\SysWOW64\vmnat.exe[2540]   C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 26    00000000725b13c6 2 bytes [5B, 72]
.text   C:\windows\SysWOW64\vmnat.exe[2540]   C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 74    00000000725b13f6 2 bytes [5B, 72]
.text   C:\windows\SysWOW64\vmnat.exe[2540]   C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 257   00000000725b14ad 2 bytes [5B, 72]
.text   C:\windows\SysWOW64\vmnat.exe[2540]   C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 303   00000000725b14db 2 bytes [5B, 72]
.text   ...   * 2
.text   C:\windows\SysWOW64\vmnat.exe[2540]   C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 79    00000000725b1577 2 bytes [5B, 72]
.text   C:\windows\SysWOW64\vmnat.exe[2540]   C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 175   00000000725b15d7 2 bytes [5B, 72]
.text   C:\windows\SysWOW64\vmnat.exe[2540]   C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 620   00000000725b1794 2 bytes [5B, 72]
.text   C:\windows\SysWOW64\vmnat.exe[2540]   C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 921   00000000725b18c1 2 bytes [5B, 72]
.text   C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2896]   C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69    0000000077301465 2 bytes [30, 77]
.text   C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[2896]   C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   00000000773014bb 2 bytes [30, 77]
.text   ...   * 2

---- Threads - GMER 2.1 ----

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [5244:5640]   000007fef43e2a7c
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [5244:5704]   000007fee70bd618

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\0015007f6c3b (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\4c80934b1e3b (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\4c80934b1e3b@002376e511a3   0xE9 0xB2 0x8E 0xA2 ...
Reg  HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\4c80934b1e3b@0022fc4e9d26   0x27 0x9D 0x1B 0xE0 ...
Reg  HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\4c80934b1e3b@001f2019e9b7   0x61 0x20 0xBC 0x46 ...
Reg  HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\bc7737048afc (not active ControlSet)
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015007f6c3b
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4c80934b1e3b
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4c80934b1e3b@001f2019e9b7   0x61 0x20 0xBC 0x46 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4c80934b1e3b@5c17d3289409   0x28 0x72 0x35 0x30 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\bc7737048afc
Reg  HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\0015007f6c3b (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\4c80934b1e3b (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\4c80934b1e3b@001f2019e9b7   0x61 0x20 0xBC 0x46 ...
Reg  HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\4c80934b1e3b@5c17d3289409   0x28 0x72 0x35 0x30 ...
Reg  HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\bc7737048afc (not active ControlSet)

---- EOF - GMER 2.1 ----
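A triage script for the "User code sections" rows of a log like the one above, added here as an example; it is not part of the posted log and not a GMER feature. Every 2-byte difference GMER reports above equals the high 16 bits of the address it was found at ([30, 77] at 0x77301465 is 0x7730, [5B, 72] at 0x725b13c6 is 0x725B). That is the signature of a relocation fix-up: a 32-bit DLL loaded in a WOW64 process at a base other than its preferred ImageBase has the high half of every embedded absolute address rewritten, while the low half is unchanged, so an in-memory versus on-disk comparison flags exactly two bytes per fix-up. The script parses each row, skips GMER's "* N" continuation markers, and labels a row "relocation" when the patched bytes fit that pattern, "inline_hook" when the first patched byte is a JMP/CALL opcode, and "review" otherwise. Two rows are taken from the log above; the "* 2" marker and the 5-byte JMP row (process path, module and bytes all invented) are constructed so the other branches are exercised.

```python
"""Triage GMER 'User code sections' rows. Added example, not GMER's own code."""
import re

# Rows 1-2 are copied from the log above. Row 3 is GMER's "N more like this"
# marker as it appears there; row 4 is constructed (hypothetical process,
# module and bytes) to show a control-flow redirect, which GMER prints in
# the same "N bytes [..]" syntax.
SAMPLE_LINES = [
    r".text   C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2344]   C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69    0000000077301465 2 bytes [30, 77]",
    r".text   C:\windows\SysWOW64\vmnat.exe[2540]   C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 26    00000000725b13c6 2 bytes [5B, 72]",
    r".text   ...   * 2",
    r".text   C:\hypothetical\example.exe[9999]   C:\windows\syswow64\kernel32.dll!CreateFileW   0000000076a41234 5 bytes [E9, C7, ED, 5B, 89]",
]

# process path ends at "[pid]"; module path runs up to "!"; "+ offset" is
# optional (GMER omits it when the patch is at the function entry).
LINE_RE = re.compile(
    r"^\.text\s+(?P<process>.+?\[(?P<pid>\d+)\])\s+"
    r"(?P<module>.+?)!(?P<function>\w+)(?:\s*\+\s*(?P<offset>\d+))?\s+"
    r"(?P<address>[0-9A-Fa-f]{8,16})\s+(?P<size>\d+)\s+bytes\s+\[(?P<bytes>[^\]]*)\]\s*$"
)


def parse_line(line):
    """Return a dict for one hook row, or None for headers and '* N' markers."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"])
    d["address"] = int(d["address"], 16)
    d["size"] = int(d["size"])
    d["bytes"] = [int(b, 16) for b in d["bytes"].split(",")]
    return d


def classify(entry):
    """Heuristic verdict for one parsed row.

    relocation:  exactly 2 bytes differ and, read little-endian, they are the
                 high 16 bits of an address near the patched location. A
                 HIGHLOW relocation fix-up of an absolute address inside the
                 module leaves precisely this residue when the DLL is loaded
                 away from its preferred base (the usual case for system DLLs
                 in WOW64 processes). The +/-16 tolerance allows for targets up
                 to 1 MiB away from the patched location's own 64 KiB page.
    inline_hook: first patched byte is JMP rel32 (E9), CALL rel32 (E8),
                 JMP rel8 (EB) or the FF 25 form of JMP [abs32].
    review:      anything else; look at it by hand.
    """
    b = entry["bytes"]
    if len(b) == 2:
        value = b[0] | (b[1] << 8)
        if abs(value - (entry["address"] >> 16)) <= 16:
            return "relocation"
    if b and (b[0] in (0xE9, 0xE8, 0xEB) or b[:2] == [0xFF, 0x25]):
        return "inline_hook"
    return "review"


def triage(lines):
    """Parse and classify every hook row; non-row lines are dropped."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        entry["verdict"] = classify(entry)
        results.append(entry)
    return results


def summarize(lines):
    """Count verdicts so a long log can be reduced to the rows worth reading."""
    counts = {"relocation": 0, "inline_hook": 0, "review": 0}
    for entry in triage(lines):
        counts[entry["verdict"]] += 1
    return counts


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(e["verdict"], e["process"], e["module"], e["function"],
              hex(e["address"]), [f"{x:02X}" for x in e["bytes"]])
    print(summarize(SAMPLE_LINES))
```

"relocation" is a heuristic, not proof of a clean module: confirm by comparing the DLL's preferred ImageBase in its PE header with the load address shown, or by running the same scan on a known-clean machine with the same patch level, where identical rows should appear. Unrelated to the code rows, the Reg entries under BTHPORT\Parameters\Keys in the log are Bluetooth pairing link keys (the subkey is the local adapter's address, the value names are paired devices' addresses); GMER lists that key because it is access-restricted, not as a rootkit indicator.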