GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-12-09 00:57:49 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 KINGSTON_SV300S37A120G rev.505ABBF1 111,79GB Running: m57g1hli.exe; Driver: C:\Users\LOCALH~1\AppData\Local\Temp\pftdruoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1736] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075f38769 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1736] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075e01465 2 bytes [E0, 75] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1736] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000075e014bb 2 bytes [E0, 75] .text ... * 2 .text C:\Windows\SysWOW64\PnkBstrA.exe[2004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000073091a22 2 bytes [09, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000073091ad0 2 bytes [09, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000073091b08 2 bytes [09, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000073091bba 2 bytes [09, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000073091bda 2 bytes [09, 73] .text C:\Users\localh0st\AppData\Roaming\Dropbox\bin\Dropbox.exe[3152] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 0000000075e01465 2 bytes [E0, 75] .text C:\Users\localh0st\AppData\Roaming\Dropbox\bin\Dropbox.exe[3152] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 0000000075e014bb 2 bytes [E0, 75] .text ... * 2 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075e01465 2 bytes [E0, 75] .text C:\Program Files (x86)\SpeedFan\speedfan.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075e014bb 2 bytes [E0, 75] .text ... * 2 .text C:\Program Files (x86)\VirtualWin\VirtuaWin.exe[3620] C:\Windows\syswow64\psapi.DLL!GetModuleInformation + 69 0000000075e01465 2 bytes [E0, 75] .text C:\Program Files (x86)\VirtualWin\VirtuaWin.exe[3620] C:\Windows\syswow64\psapi.DLL!GetModuleInformation + 155 0000000075e014bb 2 bytes [E0, 75] .text ... * 2 .text C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[3352] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075e01465 2 bytes [E0, 75] .text C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[3352] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075e014bb 2 bytes [E0, 75] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [1716:5416] 000007fefa219688 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5252:5248] 00000000766f7587 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5252:5256] 0000000069617712 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5252:5260] 0000000077ed2e65 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5252:3368] 0000000077ed3e85 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5252:712] 0000000077ed3e85 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5252:6100] 0000000077ed3e85 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{0C8093D2-98D9-4D69-861A-28E186B571C2}\Connection@Name isatap.{57FBD4E2-801F-47C6-88F8-AB7B3F51691C} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{24E23F28-503C-4DA5-90C6-F729B66C4488}?\Device\{62D005B8-0756-4D12-9201-599205680EB1}?\Device\{0C8093D2-98D9-4D69-861A-28E186B571C2}?\Device\{2C7BB95D-873B-435D-8D3A-DD1C7474F9A9}?\Device\{4AFF03BB-9BB5-40FB-9881-1E3642958AF9}?\Device\{61C0192A-8628-4AB1-947B-00352957769D}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{24E23F28-503C-4DA5-90C6-F729B66C4488}"?"{62D005B8-0756-4D12-9201-599205680EB1}"?"{0C8093D2-98D9-4D69-861A-28E186B571C2}"?"{2C7BB95D-873B-435D-8D3A-DD1C7474F9A9}"?"{4AFF03BB-9BB5-40FB-9881-1E3642958AF9}"?"{61C0192A-8628-4AB1-947B-00352957769D}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{24E23F28-503C-4DA5-90C6-F729B66C4488}?\Device\TCPIP6TUNNEL_{62D005B8-0756-4D12-9201-599205680EB1}?\Device\TCPIP6TUNNEL_{0C8093D2-98D9-4D69-861A-28E186B571C2}?\Device\TCPIP6TUNNEL_{2C7BB95D-873B-435D-8D3A-DD1C7474F9A9}?\Device\TCPIP6TUNNEL_{4AFF03BB-9BB5-40FB-9881-1E3642958AF9}?\Device\TCPIP6TUNNEL_{61C0192A-8628-4AB1-947B-00352957769D}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\506313c87902 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\506313c87902@d0176af8bd04 0xAE 0x87 0x18 0x7B ... Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{0C8093D2-98D9-4D69-861A-28E186B571C2}@InterfaceName isatap.{57FBD4E2-801F-47C6-88F8-AB7B3F51691C} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{0C8093D2-98D9-4D69-861A-28E186B571C2}@ReusableType 0 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\506313c87902 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\506313c87902@d0176af8bd04 0xAE 0x87 0x18 0x7B ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\localh0st\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\separator \x2014 skrót.lnk 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\localh0st\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\separator - Kopia \x2014 skrót.lnk 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\localh0st\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\separator - Kopia (2) \x2014 skrót.lnk 1 ---- EOF - GMER 2.1 ----