GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-04-25 21:27:04
Windows 6.1.7601 Service Pack 1 x64
Running: mrnp874q.exe

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167c36e22
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167c36e22@6c9b02ba7e50 0x3C 0x27 0x17 0x0F ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167c36e22@a07591da940f 0xC6 0x15 0x1D 0x8C ...
Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167c36e22 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167c36e22@6c9b02ba7e50 0x3C 0x27 0x17 0x0F ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167c36e22@a07591da940f 0xC6 0x15 0x1D 0x8C ...
Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...

---- Files - GMER 2.1 ----

File C:\System Volume Information\Chkdsk 0 bytes
File C:\System Volume Information\Chkdsk\Chkdsk20130521052615.log 30720 bytes
File C:\System Volume Information\Chkdsk\Chkdsk20131213195148.log 5120 bytes
File C:\System Volume Information\Chkdsk\Chkdsk20140305153622.log 38912 bytes
File C:\System Volume Information\Chkdsk\Chkdsk20140327062951.log 6144 bytes
File C:\System Volume Information\Chkdsk\Chkdsk20140331142457.log 18432 bytes
File C:\System Volume Information\MountPointManagerRemoteDatabase 0 bytes
File C:\System Volume Information\SPP 0 bytes
File C:\System Volume Information\SPP\OnlineMetadataCache 0 bytes
File C:\System Volume Information\SPP\OnlineMetadataCache\{0c7814d4-461d-4bd6-8057-377cbb929d56}_OnDiskSnapshotProp 10632 bytes
File C:\System Volume Information\SPP\OnlineMetadataCache\{ad0b30bd-2e7f-4a05-b691-8d2c101b26ba}_OnDiskSnapshotProp 10632 bytes
File C:\System Volume Information\SPP\OnlineMetadataCache\{c9e46443-5926-4417-a5f2-e439c084cf89}_OnDiskSnapshotProp 10712 bytes
File C:\System Volume Information\SPP\OnlineMetadataCache\{d5b69b26-7c19-4e18-bcf2-40eb95f3184a}_OnDiskSnapshotProp 10712 bytes
File C:\System Volume Information\SPP\SppCbsHiveStore 0 bytes
File C:\System Volume Information\SPP\SppGroupCache 0 bytes
File C:\System Volume Information\SPP\SppGroupCache\{0C7814D4-461D-4BD6-8057-377CBB929D56}_DriverPackageInfo 69248 bytes
File C:\System Volume Information\SPP\SppGroupCache\{0C7814D4-461D-4BD6-8057-377CBB929D56}_WindowsUpdateInfo 272 bytes
File C:\System Volume Information\SPP\SppGroupCache\{AD0B30BD-2E7F-4A05-B691-8D2C101B26BA}_DriverPackageInfo 69248 bytes
File C:\System Volume Information\SPP\SppGroupCache\{AD0B30BD-2E7F-4A05-B691-8D2C101B26BA}_WindowsUpdateInfo 272 bytes
File C:\System Volume Information\SPP\SppGroupCache\{C9E46443-5926-4417-A5F2-E439C084CF89}_DriverPackageInfo 69248 bytes
File C:\System Volume Information\SPP\SppGroupCache\{C9E46443-5926-4417-A5F2-E439C084CF89}_WindowsUpdateInfo 272 bytes
File C:\System Volume Information\SPP\SppGroupCache\{D5B69B26-7C19-4E18-BCF2-40EB95F3184A}_DriverPackageInfo 69248 bytes
File C:\System Volume Information\SPP\SppGroupCache\{D5B69B26-7C19-4E18-BCF2-40EB95F3184A}_WindowsUpdateInfo 272 bytes
File C:\System Volume Information\Syscache.hve 29360128 bytes
File C:\System Volume Information\Syscache.hve.LOG1 262144 bytes
File C:\System Volume Information\Syscache.hve.LOG2 0 bytes
File C:\System Volume Information\SystemRestore 0 bytes
File C:\System Volume Information\SystemRestore\FRStaging 0 bytes
File C:\System Volume Information\SystemRestore\FRStaging\Windows 0 bytes
File C:\System Volume Information\SystemRestore\FRStaging\Windows\System32 0 bytes
File C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\DriverStore 0 bytes
File C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\DriverStore\FileRepository 0 bytes
File C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\DriverStore\Temp 0 bytes
File C:\System Volume Information\tracking.log 20480 bytes
File C:\System Volume Information\Windows Backup 0 bytes
File C:\System Volume Information\Windows Backup\Catalogs 0 bytes
File C:\System Volume Information\Windows Backup\Catalogs\GlobalCatalog.wbcat 136 bytes
File C:\System Volume Information\Windows Backup\Catalogs\GlobalCatalogLock.dat 0 bytes
File C:\System Volume Information\WindowsImageBackup 0 bytes
File C:\System Volume Information\WindowsImageBackup\SPPMetadataCache 0 bytes
File C:\System Volume Information\{0823a8e0-c167-11e3-8ca9-001167c36e22}{3808876b-c176-4e48-b7ae-04046e6cc752} -2126348288 bytes
File C:\System Volume Information\{312ec720-c71d-11e3-b899-001167c36e22}{3808876b-c176-4e48-b7ae-04046e6cc752} -1040203776 bytes
File C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} 65536 bytes
File C:\System Volume Information\{caa414cd-b5d7-11e3-8de3-001167c36e22}{3808876b-c176-4e48-b7ae-04046e6cc752} 566325248 bytes
File C:\System Volume Information\{d0992403-bafc-11e3-8500-001167c36e22}{3808876b-c176-4e48-b7ae-04046e6cc752} -1951383552 bytes
File C:\Windows\CSC\v2.0.6\namespace 0 bytes
File C:\Windows\CSC\v2.0.6\pq 64 bytes
File C:\Windows\CSC\v2.0.6\sm 4 bytes
File C:\Windows\CSC\v2.0.6\temp 0 bytes
File C:\Windows\CSC\v2.0.6\temp\ea-{ec1903ca-96df-11e1-8f1f-94672a594c9f} 0 bytes
File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl 72 bytes
File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl 72 bytes
File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl 72 bytes
File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl 72 bytes
File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl 0 bytes
File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl 72 bytes

---- EOF - GMER 2.1 ----