GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-09-07 17:09:44
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0001 465.76GB
Running: 3doh2zbs.exe; Driver: C:\Users\EWAMAR~1\AppData\Local\Temp\kxliruob.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560  fffff80003405000 45 bytes [00, 00, 16, 02, 4E, 74, 66, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607  fffff8000340502f 10 bytes [00, 01, 00, 06, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000077be1465 2 bytes [BE, 77]
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000077be14bb 2 bytes [BE, 77]
.text  ...  * 2
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000077be1465 2 bytes [BE, 77]
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000077be14bb 2 bytes [BE, 77]
.text  ...  * 2
.text  C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2104] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000077be1465 2 bytes [BE, 77]
.text  C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2104] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000077be14bb 2 bytes [BE, 77]
.text  ...  * 2
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2240] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322  00000000721f1a22 2 bytes [1F, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2240] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496  00000000721f1ad0 2 bytes [1F, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2240] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552  00000000721f1b08 2 bytes [1F, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2240] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730  00000000721f1bba 2 bytes [1F, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2240] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762  00000000721f1bda 2 bytes [1F, 72]
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000077be1465 2 bytes [BE, 77]
.text  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000077be14bb 2 bytes [BE, 77]
.text  ...  * 2
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000077be1465 2 bytes [BE, 77]
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000077be14bb 2 bytes [BE, 77]
.text  ...  * 2
.text  C:\Program Files (x86)\Launch Manager\LManager.exe[3892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000077be1465 2 bytes [BE, 77]
.text  C:\Program Files (x86)\Launch Manager\LManager.exe[3892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000077be14bb 2 bytes [BE, 77]
.text  ...  * 2
.text  C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[3920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000077be1465 2 bytes [BE, 77]
.text  C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[3920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000077be14bb 2 bytes [BE, 77]
.text  ...  * 2
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000077be1465 2 bytes [BE, 77]
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000077be14bb 2 bytes [BE, 77]
.text  ...  * 2
.text  C:\Windows\SysWOW64\RunDll32.exe[4500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000077be1465 2 bytes [BE, 77]
.text  C:\Windows\SysWOW64\RunDll32.exe[4500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000077be14bb 2 bytes [BE, 77]
.text  ...  * 2
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000077be1465 2 bytes [BE, 77]
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[2080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000077be14bb 2 bytes [BE, 77]
.text  ...  * 2
.text  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000077be1465 2 bytes [BE, 77]
.text  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000077be14bb 2 bytes [BE, 77]
.text  ...  * 2
.text  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000077be1465 2 bytes [BE, 77]
.text  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000077be14bb 2 bytes [BE, 77]
.text  ...  * 2
.text  E:\3doh2zbs.exe[3824] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000077be1465 2 bytes [BE, 77]
.text  E:\3doh2zbs.exe[3824] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000077be14bb 2 bytes [BE, 77]
.text  ...  * 2

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\system32\mfevtps.exe[1548] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA]  [13fe5b870] C:\Windows\system32\mfevtps.exe

---- Threads - GMER 2.1 ----

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [1872:3668]  000007fefbb62a7c
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [1872:2236]  000007fee5c1d618
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [1872:4800]  000007fef8045124

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\08edb9f66d30
Reg  HKLM\SYSTEM\CurrentControlSet\services\
Reg  HKLM\SYSTEM\CurrentControlSet\services\@Parameters\0\x202e\x2764  848
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\08edb9f66d30 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\ (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\@Parameters\0\x202e\x2764  848

---- Files - GMER 2.1 ----

File  C:\Program Files\Windows Defender\en-US\MpAsDesc.dll.mui  35328 bytes executable
File  C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui  15360 bytes executable
File  C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui  46592 bytes executable
File  C:\Program Files\Microsoft Security Client\Backup\amd64  0 bytes
File  C:\Program Files\Microsoft Security Client\Backup\amd64\dw20shared.msi  2081792 bytes
File  C:\Program Files\Microsoft Security Client\Backup\amd64\epp.msi  8581120 bytes
File  C:\Program Files\Microsoft Security Client\Backup\amd64\setup.exe  1100168 bytes executable
File  C:\Program Files\Microsoft Security Client\Backup\amd64\sqmapi.dll  241984 bytes
File  C:\Program Files\Microsoft Security Client\Backup\amd64\Windows6.0-KB981889-v2.msu  1909720 bytes
File  C:\Program Files\Microsoft Security Client\Backup\amd64\Windows6.1-KB981889.msu  1318677 bytes
File  C:\Program Files\Microsoft Security Client\Backup\en-us  0 bytes
File  C:\Program Files\Microsoft Security Client\Backup\en-us\EULA.RTF  143927 bytes
File  C:\Program Files\Microsoft Security Client\Backup\en-us\setupres.dll.mui  43680 bytes executable
File  C:\Program Files\Microsoft Security Client\Backup\EppManifest.dll  185664 bytes executable
File  C:\Program Files\Microsoft Security Client\Backup\setupres.dll  8864 bytes executable
File  C:\Program Files\Microsoft Security Client\Drivers\mpfilter  0 bytes
File  C:\Program Files\Microsoft Security Client\Drivers\mpfilter\mpfilter.cat  8227 bytes
File  C:\Program Files\Microsoft Security Client\Drivers\mpfilter\mpfilter.inf  3137 bytes
File  C:\Program Files\Microsoft Security Client\Drivers\mpfilter\mpfilter.sys  247216 bytes executable
File  C:\Program Files\Microsoft Security Client\Drivers\NisDrv  0 bytes
File  C:\Program Files\Microsoft Security Client\Drivers\NisDrv\NisDrvWFP.cat  8176 bytes
File  C:\Program Files\Microsoft Security Client\Drivers\NisDrv\NisDrvWFP.inf  3017 bytes
File  C:\Program Files\Microsoft Security Client\Drivers\NisDrv\NisDrvWFP.man  15809 bytes
File  C:\Program Files\Microsoft Security Client\Drivers\NisDrv\NisDrvWFP.sys  139616 bytes executable
File  C:\Program Files\Microsoft Security Client\en-us\EULA.RTF  143927 bytes
File  C:\Program Files\Microsoft Security Client\en-us\MpAsDesc.dll.mui  47776 bytes executable
File  C:\Program Files\Microsoft Security Client\en-us\mpevmsg.dll.mui  38048 bytes executable
File  C:\Program Files\Microsoft Security Client\en-us\MsMpRes.dll.mui  90784 bytes executable
File  C:\Program Files\Microsoft Security Client\en-us\msseooberes.dll.mui  16544 bytes executable
File  C:\Program Files\Microsoft Security Client\en-us\setupres.dll.mui  43680 bytes executable
File  C:\Program Files\Microsoft Security Client\en-us\shellext.dll.mui  9376 bytes executable

---- EOF - GMER 2.1 ----