GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2014-01-16 02:26:05 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD10JPVT-24A1YT0 rev.01.01A01 931,51GB Running: dmirxzcl.exe; Driver: C:\Users\User\AppData\Local\Temp\aftcaaob.sys ---- User code sections - GMER 2.1 ---- .text C:\Users\User\AppData\Roaming\Spotify\spotify.exe[3656] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 000000007782000c 1 byte [C3] .text C:\Users\User\AppData\Roaming\Spotify\spotify.exe[3656] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 00000000778af7ea 5 bytes JMP 0000000177868e79 .text C:\Users\User\AppData\Roaming\Spotify\spotify.exe[3656] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d41465 2 bytes [D4, 76] .text C:\Users\User\AppData\Roaming\Spotify\spotify.exe[3656] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d414bb 2 bytes [D4, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d41465 2 bytes [D4, 76] .text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d414bb 2 bytes [D4, 76] .text ... * 2 .text C:\Windows\SysWOW64\RunDll32.exe[2424] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d41465 2 bytes [D4, 76] .text C:\Windows\SysWOW64\RunDll32.exe[2424] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d414bb 2 bytes [D4, 76] .text ... * 2 .text C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4488] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d41465 2 bytes [D4, 76] .text C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4488] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d414bb 2 bytes [D4, 76] .text ... * 2 .text C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d41465 2 bytes [D4, 76] .text C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d414bb 2 bytes [D4, 76] .text ... * 2 .text C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4636] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d41465 2 bytes [D4, 76] .text C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4636] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d414bb 2 bytes [D4, 76] .text ... * 2 .text C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d41465 2 bytes [D4, 76] .text C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[4836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d414bb 2 bytes [D4, 76] .text ... * 2 .text C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[6108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d41465 2 bytes [D4, 76] .text C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[6108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d414bb 2 bytes [D4, 76] .text ... * 2 .text C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE[3612] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000765187c9 5 bytes JMP 00000001660f85a4 .text C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE[3612] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 00000000753d6143 5 bytes JMP 00000001666d940d .text C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE[3612] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000076d83e59 5 bytes JMP 00000001661292f8 .text C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE[3612] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000076d83eae 2 bytes JMP 00000001661393e9 .text C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE[3612] C:\Windows\syswow64\OLEAUT32.dll!VariantClear + 3 0000000076d83eb1 2 bytes [3B, EF] .text C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE[3612] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000076d84731 5 bytes JMP 0000000166137a96 .text C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE[3612] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000076d85dee 5 bytes JMP 000000016615f716 .text C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE[3612] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d41465 2 bytes [D4, 76] .text C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE[3612] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d414bb 2 bytes [D4, 76] .text ... * 2 .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[2668] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000765187c9 5 bytes JMP 00000001660f85a4 .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[2668] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 00000000753d6143 5 bytes JMP 00000001666d940d .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[2668] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000076d83e59 5 bytes JMP 00000001661292f8 .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[2668] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000076d83eae 2 bytes JMP 00000001661393e9 .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[2668] C:\Windows\syswow64\OLEAUT32.dll!VariantClear + 3 0000000076d83eb1 2 bytes [3B, EF] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[2668] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000076d84731 5 bytes JMP 0000000166137a96 .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[2668] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000076d85dee 5 bytes JMP 000000016615f716 .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[2668] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d41465 2 bytes [D4, 76] .text C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE[2668] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d414bb 2 bytes [D4, 76] .text ... * 2 .text D:\pobrane\dmirxzcl.exe[4116] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d41465 2 bytes [D4, 76] .text D:\pobrane\dmirxzcl.exe[4116] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d414bb 2 bytes [D4, 76] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3108:3392] 000007fefbb12ab8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3108:3240] 000007fef7425124 Thread C:\Windows\System32\svchost.exe [4108:2936] 000007fee8629688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b8763fa3abde Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b8763fa3abde (not active ControlSet) ---- Files - GMER 2.1 ---- File C:\Users\User\AppData\Local\Mozilla\Firefox\Profiles\m5spygpl.default-1386528630680\Cache\1\35\C6051m01 0 bytes ---- EOF - GMER 2.1 ----