GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-10-31 14:27:54
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 298,09GB
Running: 10qexynd.exe; Driver: C:\Users\Marta\AppData\Local\Temp\kgtyifob.sys


---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528   fffff800033b3000 11 bytes [03, 00, 03, 00, 00, 00, 01, ...]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCService.exe[832] C:\windows\syswow64\PSAPI.dll!GetModuleInformation + 69   0000000075fd1465 2 bytes [FD, 75]
.text  C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCService.exe[832] C:\windows\syswow64\PSAPI.dll!GetModuleInformation + 155  0000000075fd14bb 2 bytes [FD, 75]
.text  ...   * 2
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1680] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter   0000000075eb8769 4 bytes [C2, 04, 00, 00]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1680] C:\windows\syswow64\psapi.dll!GetModuleInformation + 69   0000000075fd1465 2 bytes [FD, 75]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1680] C:\windows\syswow64\psapi.dll!GetModuleInformation + 155  0000000075fd14bb 2 bytes [FD, 75]
.text  ...   * 2
.text  C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe[2984] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075fd1465 2 bytes [FD, 75]
.text  C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCTray.exe[2984] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075fd14bb 2 bytes [FD, 75]
.text  ...   * 2
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3608] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075fd1465 2 bytes [FD, 75]
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3608] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075fd14bb 2 bytes [FD, 75]
.text  ...   * 2
.text  C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4212] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075fd1465 2 bytes [FD, 75]
.text  C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe[4212] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075fd14bb 2 bytes [FD, 75]
.text  ...   * 2
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2300] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075fd1465 2 bytes [FD, 75]
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2300] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075fd14bb 2 bytes [FD, 75]
.text  ...   * 2
.text  D:\openfm\open-fm.exe[7944] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075fd1465 2 bytes [FD, 75]
.text  D:\openfm\open-fm.exe[7944] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075fd14bb 2 bytes [FD, 75]
.text  ...   * 2

---- Threads - GMER 2.1 ----

Thread  C:\windows\system32\svchost.exe [776:820]   000007fefbd3332c
Thread  C:\windows\system32\svchost.exe [776:824]   000007fefbd310b0
Thread  C:\windows\system32\svchost.exe [672:1124]   000007fefa5b8274
Thread  C:\windows\system32\svchost.exe [672:1940]   000007fefa5b8274
Thread  C:\windows\system32\svchost.exe [960:3040]   000007fef232034c
Thread  C:\windows\system32\svchost.exe [960:7468]   000007fef231fb90
Thread  C:\windows\system32\svchost.exe [1100:4220]   000007fefa0a5124
Thread  C:\windows\system32\svchost.exe [1100:4308]   000007feebdf83d8
Thread  C:\windows\system32\svchost.exe [1100:4316]   000007feebdf83d8
Thread  C:\windows\system32\svchost.exe [1100:4320]   000007feebdf83d8
Thread  C:\windows\system32\svchost.exe [1100:4324]   000007feebdf83d8
Thread  C:\windows\system32\svchost.exe [1100:4420]   000007feeb643f1c
Thread  C:\windows\system32\svchost.exe [1100:4456]   000007feed1d22b8
Thread  C:\windows\system32\svchost.exe [1100:4460]   000007feed1d1a38
Thread  C:\windows\system32\svchost.exe [1100:4468]   000007feecfa5388
Thread  C:\windows\system32\svchost.exe [1100:4472]   000007feebf57738
Thread  C:\windows\system32\svchost.exe [1100:4496]   000007feeb9e1f90
Thread  C:\windows\system32\svchost.exe [1100:11504]   000007fef6bd5170
Thread  C:\windows\system32\svchost.exe [1220:1512]   000007fefc861a70
Thread  C:\windows\system32\svchost.exe [1220:1580]   000007fefc861a70
Thread  C:\windows\system32\svchost.exe [1220:1592]   000007fefc861a70
Thread  C:\windows\system32\svchost.exe [1220:1600]   000007fef7972c70
Thread  C:\windows\system32\svchost.exe [1220:1616]   000007fef797fb40
Thread  C:\windows\system32\svchost.exe [1220:1624]   000007fef7991d20
Thread  C:\windows\system32\svchost.exe [1220:1628]   000007fef797f6f0
Thread  C:\windows\System32\spoolsv.exe [1428:1788]   000007fef68510c8
Thread  C:\windows\System32\spoolsv.exe [1428:1868]   000007fef5de6144
Thread  C:\windows\System32\spoolsv.exe [1428:1072]   000007fef5ad5fd0
Thread  C:\windows\System32\spoolsv.exe [1428:1144]   000007fef5ac3438
Thread  C:\windows\System32\spoolsv.exe [1428:1196]   000007fef5ad63ec
Thread  C:\windows\System32\spoolsv.exe [1428:1584]   000007fef75b5e5c
Thread  C:\windows\System32\spoolsv.exe [1428:2056]   000007fef6e55074
Thread  C:\windows\system32\svchost.exe [2524:4408]   000007fef53f44e0
Thread  C:\windows\System32\svchost.exe [2548:5044]   000007fef7419688
Thread  C:\windows\system32\svchost.exe [3288:3544]   000007fef98f2f9c
Thread  C:\windows\system32\svchost.exe [2408:3852]   000007fef5ad5fd0
Thread  C:\windows\system32\svchost.exe [2408:3348]   000007fef5ac3438
Thread  C:\windows\system32\svchost.exe [2408:2228]   000007fef5ad63ec
Thread  C:\windows\system32\svchost.exe [2408:1912]   000007fefb372a7c
Thread  C:\Program Files (x86)\Windows Media Player\wmplayer.exe [11204:9396]   000000006fdc786a
Thread  C:\Program Files (x86)\Windows Media Player\wmplayer.exe [11204:11024]   00000000737b27e1
Thread  C:\Program Files (x86)\Windows Media Player\wmplayer.exe [11204:9280]   000000007591d864
Thread  C:\Program Files (x86)\Windows Media Player\wmplayer.exe [11204:7540]   000000006067137c
Thread  C:\Program Files (x86)\Windows Media Player\wmplayer.exe [11204:10860]   000000007618ead8
Thread  C:\Program Files (x86)\Windows Media Player\wmplayer.exe [11204:9452]   000000006aca2831
Thread  C:\Program Files (x86)\Windows Media Player\wmplayer.exe [11204:11108]   00000000603d6db2

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002454f1e1f0
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90a4de9f4699
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90a4de9f4699@78471d94b887   0xB7 0xE8 0x21 0x8B ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90a4de9f4699@0015a0334b4c   0xA3 0xCC 0x1A 0x9C ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90a4de9f4699@0808c2534a77   0x05 0xBB 0x0C 0x20 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90a4de9f4699@d4cbafa64724   0x43 0x2B 0x87 0x6D ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90a4de9f4699@3c438e55e957   0x56 0x86 0xF2 0x3A ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\dca971071cd6
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e839df1ff857
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002454f1e1f0 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90a4de9f4699 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90a4de9f4699@78471d94b887   0xB7 0xE8 0x21 0x8B ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90a4de9f4699@0015a0334b4c   0xA3 0xCC 0x1A 0x9C ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90a4de9f4699@0808c2534a77   0x05 0xBB 0x0C 0x20 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90a4de9f4699@d4cbafa64724   0x43 0x2B 0x87 0x6D ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90a4de9f4699@3c438e55e957   0x56 0x86 0xF2 0x3A ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\dca971071cd6 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e839df1ff857 (not active ControlSet)
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Marta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Electronic Arts\The Sims™ 3 Po zmroku\Odinstaluj The Sims™ 3 Po zmroku.lnk   1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Electronic Arts\The Sims™ 3 Po zmroku\Odinstaluj The Sims™ 3 Po zmroku.lnk   1

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.1 ----
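The log above lists the same two-byte patch on PSAPI.dll!GetModuleInformation in every 32-bit process GMER examined, plus one hook that appears only in ekrn.exe. Triage of a GMER log usually starts by grouping the "User code sections" entries by hooked location so that a patch shared by every process can be separated from one that is unique to a single process. The following parser is an added example written for this page; it is not GMER code and not part of the log. Its regular expressions are an assumption about the GMER 2.1 line layout as it appears above, and SAMPLE_LOG is a verbatim subset of that log embedded so the script runs offline.

```python
"""Group the user-mode hooks of a GMER 2.1 log by hooked location.

Added example, not part of GMER or of the log on this page. The regexes are an
assumption about the GMER 2.1 line layout seen above; SAMPLE_LOG is a subset of it.
"""
import re
from collections import defaultdict

# Section banner, e.g. "---- User code sections - GMER 2.1 ----"
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")

# One "User code sections" entry:
#   .text <process>[<pid>] <module>!<symbol>[ + <offset>] <address> <n> bytes [<hex>, ...]
USER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!]+)!(?P<symbol>\S+)(?:\s*\+\s*(?P<offset>\d+))?\s+"
    r"(?P<address>[0-9a-fA-F]{16})\s+(?P<size>\d+)\s+bytes\s+\[(?P<bytes>[^\]]*)\]$"
)

# One "Threads" entry:  Thread <process> [<pid>:<tid>] <start address>
THREAD_RE = re.compile(
    r"^Thread\s+(?P<process>.+?)\s+\[(?P<pid>\d+):(?P<tid>\d+)\]\s+(?P<start>[0-9a-fA-F]{16})$"
)

# Verbatim subset of the log above (ESET and open-fm entries, two of the svchost threads).
SAMPLE_LOG = r"""GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-10-31 14:27:54
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 298,09GB
Running: 10qexynd.exe; Driver: C:\Users\Marta\AppData\Local\Temp\kgtyifob.sys
---- Kernel code sections - GMER 2.1 ----
INITKDBG  C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528   fffff800033b3000 11 bytes [03, 00, 03, 00, 00, 00, 01, ...]
---- User code sections - GMER 2.1 ----
.text  C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCService.exe[832] C:\windows\syswow64\PSAPI.dll!GetModuleInformation + 69   0000000075fd1465 2 bytes [FD, 75]
.text  C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCService.exe[832] C:\windows\syswow64\PSAPI.dll!GetModuleInformation + 155  0000000075fd14bb 2 bytes [FD, 75]
.text  ...   * 2
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1680] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter   0000000075eb8769 4 bytes [C2, 04, 00, 00]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1680] C:\windows\syswow64\psapi.dll!GetModuleInformation + 69   0000000075fd1465 2 bytes [FD, 75]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1680] C:\windows\syswow64\psapi.dll!GetModuleInformation + 155  0000000075fd14bb 2 bytes [FD, 75]
.text  D:\openfm\open-fm.exe[7944] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075fd1465 2 bytes [FD, 75]
.text  D:\openfm\open-fm.exe[7944] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075fd14bb 2 bytes [FD, 75]
---- Threads - GMER 2.1 ----
Thread  C:\windows\system32\svchost.exe [776:820]   000007fefbd3332c
Thread  C:\windows\system32\svchost.exe [776:824]   000007fefbd310b0
Thread  C:\Program Files (x86)\Windows Media Player\wmplayer.exe [11204:9396]   000000006fdc786a
---- Disk sectors - GMER 2.1 ----
Disk  \Device\Harddisk0\DR0  unknown MBR code
---- EOF - GMER 2.1 ----
"""


def split_sections(log_text):
    """Return {section name: [non-empty stripped lines]}; text before the first banner is "Header"."""
    sections, current = {"Header": []}, "Header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def _parse_patch(field):
    """'FD, 75' -> b'\\xfd\\x75'; a trailing '...' (GMER truncation) is dropped."""
    toks = [t.strip() for t in field.split(",")]
    return bytes(int(t, 16) for t in toks if t and t != "...")


def parse_user_hooks(lines):
    """Parse hook entries; the '.text ...   * N' repeat markers name no target and are skipped."""
    hooks = []
    for line in lines:
        m = USER_HOOK_RE.match(line)
        if not m:
            continue
        hooks.append({
            "process": m.group("process"), "pid": int(m.group("pid")),
            "module": m.group("module").strip().lower(),  # PSAPI.dll / psapi.dll / PSAPI.DLL are one module
            "symbol": m.group("symbol"), "offset": int(m.group("offset") or 0),
            "address": m.group("address").lower(), "size": int(m.group("size")),
            "patch": _parse_patch(m.group("bytes")),
        })
    return hooks


def summarize(log_text):
    """One row per distinct (module, symbol, offset, address), most widely shared first.

    Identical bytes at an identical address in every WOW64 process point at one
    shared hooking component; differing bytes at one location, or a location seen
    in only one process, are the rows worth a closer look.
    """
    hooks = parse_user_hooks(split_sections(log_text).get("User code sections", []))
    groups = defaultdict(lambda: {"patches": set(), "processes": []})
    for h in hooks:
        g = groups[(h["module"], h["symbol"], h["offset"], h["address"])]
        g["patches"].add(h["patch"])
        g["processes"].append((h["process"], h["pid"]))
    rows = [{"module": k[0], "symbol": k[1], "offset": k[2], "address": k[3],
             "patches": sorted(p.hex() for p in g["patches"]),
             "process_count": len(g["processes"]), "processes": g["processes"]}
            for k, g in groups.items()]
    rows.sort(key=lambda r: (-r["process_count"], r["module"], r["symbol"], r["offset"]))
    return rows


def parse_threads(lines):
    """Return {pid: {"process": path, "tids": [...], "starts": [...]}} from the Threads section."""
    out = {}
    for line in lines:
        m = THREAD_RE.match(line)
        if not m:
            continue
        e = out.setdefault(int(m.group("pid")), {"process": m.group("process"), "tids": [], "starts": []})
        e["tids"].append(int(m.group("tid")))
        e["starts"].append(m.group("start").lower())
    return out


if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(f'{r["process_count"]:3d} proc  {r["module"]}!{r["symbol"]}+{r["offset"]} @ {r["address"]}  patch={r["patches"]}')
    for pid, t in parse_threads(split_sections(SAMPLE_LOG)["Threads"]).items():
        print(f"pid {pid} {t['process']}: {len(t['tids'])} flagged thread(s)")
```

Run against the full log, the script puts the two PSAPI.dll locations at the top with the same `fd75` patch in every listed process, and the kernel32.dll!SetUnhandledExceptionFilter entry, seen only in ekrn.exe, at the bottom. The grouping only reorders what GMER reported; whether a shared hook belongs to a security product or to something unwanted still has to be decided by looking at which module the patched bytes redirect to.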