GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-11-11 16:52:09 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.01.0 298,09GB Running: gmer.exe; Driver: C:\Users\Sony\AppData\Local\Temp\kxliipob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80003009000 45 bytes [00, 00, 10, 02, 4E, 74, 66, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff8000300902f 10 bytes [00, 01, 00, 06, 00, 00, 00, ...] .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff880046a0d8c 12 bytes {MOV RAX, 0xfffffa8006bbe2a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2888] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076f88769 4 bytes [C2, 04, 00, 00] .text C:\Windows\SysWOW64\svchost.exe[5884] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076931465 2 bytes [93, 76] .text C:\Windows\SysWOW64\svchost.exe[5884] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769314bb 2 bytes [93, 76] .text ... * 2 ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa80045f82c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8006bc02c0 Device \Driver\cdrom \Device\CdRom0 fffffa80067092c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{D740C44F-5569-4E0E-B400-599928CC5BCA} fffffa80069632c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{837E39DC-55BF-4D48-84AC-1A3B5CF70AE5} fffffa80069632c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8006bc02c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8006bc02c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{28F673E5-A297-4D42-BB2A-3C6A7F6D83A9} fffffa80069632c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{23AF5001-80D9-4C0F-81D6-A096F87C865B} fffffa80069632c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80069632c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8006bc02c0 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [2468:5920] 000007fef4049688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1596:5760] 000007fefb9b2a7c ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9439e5c4017a Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE9 0x36 0xAF 0x77 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0E 0x94 0x31 0x1B ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\9439e5c4017a (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE9 0x36 0xAF 0x77 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0E 0x94 0x31 0x1B ... ---- EOF - GMER 2.1 ----