GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-02-11 13:07:45
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JEDO 596,17GB
Running: f9n0yces.exe; Driver: C:\Users\E14S\AppData\Local\Temp\uxldqpod.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528  fffff80003209000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575  fffff8000320902f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\lsass.exe [892:948]  000007fefc88df50
Thread  C:\Windows\System32\svchost.exe [1344:1104]  000007fef67c20c0
Thread  C:\Windows\System32\svchost.exe [1344:4016]  000007fef67c26a8
Thread  C:\Windows\System32\svchost.exe [1344:4148]  000007fef67c29dc
Thread  C:\Windows\System32\svchost.exe [1344:7184]  000007feed8a3efc
Thread  C:\Windows\System32\svchost.exe [1344:7992]  000007feed8e8a4c
Thread  C:\Windows\system32\svchost.exe [1384:1444]  000007fefb60034c
Thread  C:\Windows\system32\svchost.exe [1384:1448]  000007fefb5ffb90
Thread  C:\Windows\system32\svchost.exe [1384:3916]  000007fef6e00ea8
Thread  C:\Windows\system32\svchost.exe [1384:3920]  000007fef6df9db0
Thread  C:\Windows\system32\svchost.exe [1384:4056]  000007fef6dfaa10
Thread  C:\Windows\system32\svchost.exe [1384:1700]  000007fef6e01c94
Thread  C:\Windows\system32\svchost.exe [1384:6876]  000007fef8f9d3c8
Thread  C:\Windows\system32\svchost.exe [1384:7064]  000007fef8f9d3c8
Thread  C:\Windows\system32\svchost.exe [1384:7016]  000007fef8f9d3c8
Thread  C:\Windows\system32\svchost.exe [1384:7164]  000007fef8f9d3c8
Thread  C:\Windows\system32\svchost.exe [1820:1860]  000007fef9d1341c
Thread  C:\Windows\system32\svchost.exe [1820:1868]  000007fef9d13a2c
Thread  C:\Windows\system32\svchost.exe [1820:1872]  000007fef9d13768
Thread  C:\Windows\system32\svchost.exe [1820:1876]  000007fef9d15c20
Thread  C:\Windows\system32\svchost.exe [1820:2760]  000007fef87ebd88
Thread  C:\Windows\system32\svchost.exe [1820:2872]  000007fef85a83d8
Thread  C:\Windows\system32\svchost.exe [1820:2876]  000007fef85a83d8
Thread  C:\Windows\system32\svchost.exe [1820:2880]  000007fef84e00cc
Thread  C:\Windows\system32\svchost.exe [1820:2884]  000007fef85a83d8
Thread  C:\Windows\system32\svchost.exe [1820:2888]  000007fef85a83d8
Thread  C:\Windows\system32\svchost.exe [1820:3700]  000007fef6d43f1c
Thread  C:\Windows\system32\svchost.exe [1820:3720]  000007fef71f22b8
Thread  C:\Windows\system32\svchost.exe [1820:3724]  000007fef71f1a38
Thread  C:\Windows\system32\svchost.exe [1820:3728]  000007fef6ca5388
Thread  C:\Windows\system32\svchost.exe [1820:3736]  000007fef6c87738
Thread  C:\Windows\system32\svchost.exe [1820:3744]  000007fef6c71f90
Thread  C:\Windows\system32\svchost.exe [1820:6780]  000007fef8625124
Thread  C:\Windows\system32\svchost.exe [1820:7468]  000007fef9d13900
Thread  C:\Windows\system32\WLANExt.exe [1908:1960]  00000000008f86e4
Thread  C:\Windows\system32\WLANExt.exe [1908:1964]  00000000008f86e4
Thread  C:\Windows\System32\spoolsv.exe [1996:3892]  000007fef6a510c8
Thread  C:\Windows\System32\spoolsv.exe [1996:3944]  000007fef6876144
Thread  C:\Windows\System32\spoolsv.exe [1996:3952]  000007fef6825fd0
Thread  C:\Windows\System32\spoolsv.exe [1996:3960]  000007fef69d3438
Thread  C:\Windows\System32\spoolsv.exe [1996:3964]  000007fef68263ec
Thread  C:\Windows\System32\spoolsv.exe [1996:3988]  000007fef6b55e5c
Thread  C:\Windows\System32\spoolsv.exe [1996:4000]  000007fef68a5074
Thread  C:\Windows\System32\spoolsv.exe [1996:4472]  000007fef6912288
Thread  C:\Windows\system32\svchost.exe [2024:916]  000007fefc581a70
Thread  C:\Windows\system32\svchost.exe [2024:1020]  000007fefc581a70
Thread  C:\Windows\system32\svchost.exe [2024:1428]  000007fefc581a70
Thread  C:\Windows\system32\svchost.exe [2024:1392]  000007fef9282c70
Thread  C:\Windows\system32\svchost.exe [2024:1488]  000007fef928fb40
Thread  C:\Windows\system32\svchost.exe [2024:1544]  000007fef92a1d20
Thread  C:\Windows\system32\svchost.exe [2024:1576]  000007fef928f6f0
Thread  C:\Windows\system32\svchost.exe [2024:2248]  000007fef8d235c0
Thread  C:\Windows\system32\svchost.exe [2024:3016]  000007fef8d25600
Thread  C:\Windows\system32\svchost.exe [2024:6556]  000007fef4ea2940
Thread  C:\Windows\system32\svchost.exe [2024:6580]  000007fef3262888
Thread  C:\Windows\system32\svchost.exe [2024:4468]  000007fef3262a40
Thread  C:\Windows\system32\svchost.exe [2832:2852]  000007fefe53a808
Thread  C:\Windows\system32\svchost.exe [2832:2928]  000007fef8467130
Thread  C:\Windows\system32\svchost.exe [2832:2932]  000007fef845d5c0
Thread  C:\Windows\system32\svchost.exe [3888:2732]  000007fefe53a808
Thread  C:\Windows\system32\svchost.exe [3888:4112]  000007fef66a6e5c
Thread  C:\Windows\system32\svchost.exe [3888:4116]  000007fef66a5708
Thread  C:\Windows\system32\svchost.exe [6624:6656]  000007fefe53a808
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [7112:7012]  000007fefac82a7c
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [7112:5104]  000007fef8625124
Thread  C:\Windows\system32\svchost.exe [3484:6644]  000007fef9008470
Thread  C:\Windows\system32\svchost.exe [3484:6204]  000007fef9012418
Thread  C:\Windows\system32\svchost.exe [3484:5640]  000007fef6825fd0
Thread  C:\Windows\system32\svchost.exe [3484:5848]  000007fef68263ec
Thread  C:\Windows\System32\svchost.exe [6196:1464]  000007fef8629874
Thread  C:\Windows\system32\DllHost.exe [7216:7848]  000007fefe280168
Thread  C:\Windows\system32\DllHost.exe [7216:8004]  000007feed69ae60
Thread  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [6056:4020]  000007feece7b6cc
Thread  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [6056:1112]  000007feecd3b62c
Thread  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [6056:6352]  000007feecd3b62c

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\642737b36cd4
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\642737b424fa
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\642737b424fa@d0176a4e28eb  0x1F 0xA5 0x71 0x42 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\642737b424fa@00265dbbcb71  0x67 0xF3 0xEA 0x25 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\642737b424fa@18002dc99ac1  0x22 0x54 0xCC 0x9E ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{36113BA9-7C5B-403F-9AFE-50CF47E7B99F}@LeaseObtainedTime  1392118082
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{36113BA9-7C5B-403F-9AFE-50CF47E7B99F}@T1  1392161282
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{36113BA9-7C5B-403F-9AFE-50CF47E7B99F}@T2  1392193682
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{36113BA9-7C5B-403F-9AFE-50CF47E7B99F}@LeaseTerminatesTime  1392204482
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\642737b36cd4 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\642737b424fa (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\642737b424fa@d0176a4e28eb  0x1F 0xA5 0x71 0x42 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\642737b424fa@00265dbbcb71  0x67 0xF3 0xEA 0x25 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\642737b424fa@18002dc99ac1  0x22 0x54 0xCC 0x9E ...

---- EOF - GMER 2.1 ----
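Added example, not part of the GMER log above and not GMER's own tooling: a small Python parser for this log format that splits the report into its "---- ... - GMER 2.1 ----" sections, turns Thread and Reg lines into records, and runs two triage passes an analyst typically does by hand on the Threads section (which start addresses recur across several processes, and which start addresses fall outside the 0x7fe... range where every other entry in this log sits), plus a decoder for the DHCP lease timestamps, which are plain Unix epoch seconds. The address floor is the editor's assumption derived from this log, not a rule GMER applies; the SAMPLE_LOG is a constructed excerpt of the lines above.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed excerpt of the GMER log above (same line format, trimmed).
SAMPLE_LOG = r"""
GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-02-11 13:07:45
Running: f9n0yces.exe; Driver: C:\Users\E14S\AppData\Local\Temp\uxldqpod.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528  fffff80003209000 45 bytes [00, 00, 00, ...]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\lsass.exe [892:948]  000007fefc88df50
Thread  C:\Windows\system32\svchost.exe [2832:2852]  000007fefe53a808
Thread  C:\Windows\system32\svchost.exe [3888:2732]  000007fefe53a808
Thread  C:\Windows\system32\svchost.exe [6624:6656]  000007fefe53a808
Thread  C:\Windows\system32\WLANExt.exe [1908:1960]  00000000008f86e4
Thread  C:\Windows\system32\WLANExt.exe [1908:1964]  00000000008f86e4

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\642737b36cd4
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\642737b424fa@d0176a4e28eb  0x1F 0xA5 0x71 0x42 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{36113BA9-7C5B-403F-9AFE-50CF47E7B99F}@LeaseObtainedTime  1392118082
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\642737b36cd4 (not active ControlSet)

---- EOF - GMER 2.1 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
THREAD_RE = re.compile(
    r"^Thread\s+(?P<image>.+?) \[(?P<pid>\d+):(?P<tid>\d+)\]\s+(?P<start>[0-9a-fA-F]{16})$")
INACTIVE = "(not active ControlSet)"
# Editor's assumption: in this log every thread start except WLANExt.exe's lies at
# 0x000007fe.... (the 64-bit Windows 7 system DLL range); anything lower is worth
# resolving against the process's module list. This is a triage heuristic, not a verdict.
SYSTEM_DLL_FLOOR = 0x000007FE00000000
LEASE_VALUES = {"LeaseObtainedTime", "T1", "T2", "LeaseTerminatesTime"}


def parse_gmer(text):
    """Split a GMER report into {section name: [raw entry lines]}; header lines go under 'Header'."""
    sections = defaultdict(list)
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        sections[current].append(line)
    return dict(sections)


def parse_threads(lines):
    """Thread lines -> dicts with image path, pid, tid and integer start address."""
    out = []
    for line in lines:
        m = THREAD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised Thread line: {line!r}")
        out.append({"image": m["image"], "pid": int(m["pid"]),
                    "tid": int(m["tid"]), "start": int(m["start"], 16)})
    return out


def parse_registry(lines):
    """Reg lines -> dicts with key path, value name (after '@'), data and active-ControlSet flag."""
    out = []
    for line in lines:
        body = line[len("Reg"):].strip()
        active = INACTIVE not in body
        body = body.replace(INACTIVE, "").strip()
        key, _, data = body.partition(" ")
        path, _, value = key.partition("@")
        out.append({"path": path, "value": value, "data": data.strip(), "active": active})
    return out


def triage_threads(threads):
    """Group start addresses shared by several PIDs; list starts below SYSTEM_DLL_FLOOR."""
    by_start = defaultdict(set)
    for t in threads:
        by_start[t["start"]].add(t["pid"])
    shared = {hex(a): sorted(p) for a, p in by_start.items() if len(p) > 1}
    low = [t for t in threads if t["start"] < SYSTEM_DLL_FLOOR]
    return {"shared_start": shared, "below_system_dll_range": low}


def decode_lease_times(entries):
    """DHCP lease values under Tcpip\\Parameters\\Interfaces are Unix epoch seconds; render as UTC ISO."""
    return {e["value"]: datetime.fromtimestamp(int(e["data"]), tz=timezone.utc).isoformat()
            for e in entries if e["value"] in LEASE_VALUES and e["data"].isdigit()}


if __name__ == "__main__":
    secs = parse_gmer(SAMPLE_LOG)
    print(triage_threads(parse_threads(secs["Threads"])))
    print(decode_lease_times(parse_registry(secs["Registry"])))
```

Run against the full log rather than the excerpt, the shared-start pass groups, for example, 000007fefe53a808 under PIDs 2832, 3888 and 6624 and 000007fef8625124 under 1820 and 7112; a start address that several unrelated service processes share is usually a common DLL entry point, whereas the two WLANExt.exe threads at 00000000008f86e4 are the only entries the floor heuristic singles out, and resolving that address against the process's loaded modules is the next step before drawing any conclusion from it.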