GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-11-03 19:22:12
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.LH01 298,09GB
Running: wmdo8fii.exe; Driver: D:\Users\HP\AppData\Local\Temp\uglciaoc.sys


---- User code sections - GMER 2.1 ----

.text   C:\Program Files (x86)\Google\Drive\googledrivesync.exe[4768] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69     0000000075ac1465 2 bytes [AC, 75]
.text   C:\Program Files (x86)\Google\Drive\googledrivesync.exe[4768] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155    0000000075ac14bb 2 bytes [AC, 75]
.text   ...                                                                                                                        * 2
.text   C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[4876] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint      00000000779b000c 1 byte [C3]
.text   C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[4876] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin  0000000077a3f8ea 5 bytes JMP 00000001779ed5c1
.text   C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[5424] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075ac1465 2 bytes [AC, 75]
.text   C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[5424] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075ac14bb 2 bytes [AC, 75]
.text   ...                                                                                                                        * 2
.text   D:\Users\HP\AppData\Roaming\Dropbox\bin\Dropbox.exe[5432] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69          0000000075ac1465 2 bytes [AC, 75]
.text   D:\Users\HP\AppData\Roaming\Dropbox\bin\Dropbox.exe[5432] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155         0000000075ac14bb 2 bytes [AC, 75]
.text   ...                                                                                                                        * 2

---- User IAT/EAT - GMER 2.1 ----

IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!memset]                    [0]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!??2@YAPEAX_K@Z]            [0]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!wcscat_s]                  [0]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_purecall]                 [4ce79c9900000000]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!??_V@YAXPEAX@Z]            [200000000]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!malloc]                    [1b0c00000025]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!free]                      [110c]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!??_U@YAPEAX_K@Z]           [0]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_XcptFilter]               [0]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_initterm]                 [69007400730045]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_amsg_exit]                [6500740061006d]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_unlock]                   [61006200200064]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!__dllonexit]               [6900770064006e]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_lock]                     [20006800740064]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_onexit]                   [69006100760061]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!realloc]                   [6c00620061006c]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_errno]                    [6f007400200065]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!??1type_info@@UEAA@XZ]     [65006800740020]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!memcpy_s]                  [6d006500720020]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!??3@YAXPEAX@Z]             [2000650074006f]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[msvcrt.dll!_CxxThrowException]        [74007300790073]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[ADVAPI32.dll!RegSetValueExW]          [0]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[ADVAPI32.dll!RegEnumKeyExW]           [0]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[ADVAPI32.dll!RegCreateKeyExW]         [0]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[KERNEL32.dll!GetVersionExA]           [0]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[KERNEL32.dll!TerminateProcess]        [0]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[KERNEL32.dll!RtlVirtualUnwind]        [0]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[KERNEL32.dll!FindResourceW]           [0]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[KERNEL32.dll!LoadResource]            [0]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[KERNEL32.dll!SizeofResource]          [0]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[KERNEL32.dll!lstrlenW]                [0]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[ole32.dll!CoTaskMemFree]              [73007400690042]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[ole32.dll!StringFromGUID2]            [6300650073002f]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[ole32.dll!CoTaskMemRealloc]           [29]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[ole32.dll!CoCreateInstance]           [53005400490042]
IAT     C:\Windows\system32\svchost.exe[1056] @ C:\Windows\system32\ndiscapCfg.dll[ole32.dll!CoTaskMemAlloc]             [5400530045005f]

---- Registry - GMER 2.1 ----

Reg     HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002713bc4644
Reg     HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application@Sources                                               MSDMine?DfSdk
Reg     HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002713bc4644 (not active ControlSet)
Reg     HKLM\SYSTEM\ControlSet002\services\eventlog\Application@Sources                                                   MSDMine?DfSdk

---- EOF - GMER 2.1 ----