GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2014-06-22 15:23:53
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD2500AAJS-00VTA0 rev.01.01B01 232,89GB
Running: m57g1hli.exe; Driver: C:\Users\Sebasian\AppData\Local\Temp\kftcrpow.sys


---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\wininit.exe[588]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f6ef8d 1 byte [62]
.text  C:\Windows\system32\services.exe[656]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f6ef8d 1 byte [62]
.text  C:\Windows\system32\winlogon.exe[704]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f6ef8d 1 byte [62]
.text  C:\Windows\system32\svchost.exe[928]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f6ef8d 1 byte [62]
.text  C:\Windows\system32\atiesrxx.exe[980]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f6ef8d 1 byte [62]
.text  C:\Windows\System32\svchost.exe[352]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f6ef8d 1 byte [62]
.text  C:\Windows\system32\svchost.exe[600]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f6ef8d 1 byte [62]
.text  C:\Windows\system32\svchost.exe[1260]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f6ef8d 1 byte [62]
.text  C:\Windows\system32\svchost.exe[1676]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f6ef8d 1 byte [62]
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1784]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  0000000076c6a2fd 1 byte [62]
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1784]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000075361465 2 bytes [36, 75]
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1784]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000753614bb 2 bytes [36, 75]
.text  ...  * 2
.text  C:\Windows\Explorer.EXE[1428]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f6ef8d 1 byte [62]
.text  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1960]  C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189  0000000076f6ef8d 1 byte [62]
.text  C:\Windows\vsnpstd3.exe[2332]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  0000000076c6a2fd 1 byte [62]
.text  C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[2340]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f6ef8d 1 byte [62]
.text  C:\Program Files (x86)\Windows Sidebar\sidebar.exe[2380]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  0000000076c6a2fd 1 byte [62]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2708]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  0000000076c6a2fd 1 byte [62]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2708]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322  0000000073791a22 2 bytes [79, 73]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2708]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496  0000000073791ad0 2 bytes [79, 73]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2708]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552  0000000073791b08 2 bytes [79, 73]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2708]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730  0000000073791bba 2 bytes [79, 73]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2708]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762  0000000073791bda 2 bytes [79, 73]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2708]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000075361465 2 bytes [36, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2708]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000753614bb 2 bytes [36, 75]
.text  ...  * 2
.text  C:\Windows\system32\svchost.exe[2840]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f6ef8d 1 byte [62]
.text  G:\LogMeIn Hamachi\hamachi-2.exe[3012]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f6ef8d 1 byte [62]
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1604]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  0000000076c6a2fd 1 byte [62]
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[1872]  C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000076c48791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[1872]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  0000000076c6a2fd 1 byte [62]
.text  G:\LogMeIn Hamachi\hamachi-2-ui.exe[1864]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  0000000076c6a2fd 1 byte [62]
.text  G:\LogMeIn Hamachi\hamachi-2-ui.exe[1864]  C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 69  0000000075361465 2 bytes [36, 75]
.text  G:\LogMeIn Hamachi\hamachi-2-ui.exe[1864]  C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 155  00000000753614bb 2 bytes [36, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3824]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  0000000076c6a2fd 1 byte [62]
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2816]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  0000000076c6a2fd 1 byte [62]
.text  C:\Users\Sebasian\Downloads\OTL.scr[4420]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  0000000076c6a2fd 1 byte [62]
.text  C:\Users\Sebasian\Downloads\OTL.scr[4420]  C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69  0000000075361465 2 bytes [36, 75]
.text  C:\Users\Sebasian\Downloads\OTL.scr[4420]  C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155  00000000753614bb 2 bytes [36, 75]
.text  ...  * 2
.text  C:\Users\Sebasian\Downloads\gm\m57g1hli.exe[4156]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  0000000076c6a2fd 1 byte [62]

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord]  [7feef79741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet]  [7feef795f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession]  [7feef795674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession]  [7feef795e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload]  [7feef797f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion]  [7feef796a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId]  [7feef796ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId]  [7feef797b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId]  [7feef797ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId]  [7feef7978b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession]  [7feef794fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId]  [7feef795d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString]  [7feef797584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\svchost.exe [532:3944]  000007fee9ba0ea8
Thread  C:\Windows\system32\svchost.exe [532:3984]  000007fee9b99db0
Thread  C:\Windows\system32\svchost.exe [532:3128]  000007fee9b9aa10
Thread  C:\Windows\system32\svchost.exe [532:2180]  000007fee9ba1c94
Thread  C:\Windows\system32\svchost.exe [532:5004]  000007fedd56d3c8
Thread  C:\Windows\system32\svchost.exe [532:5008]  000007fedd56d3c8
Thread  C:\Windows\system32\svchost.exe [532:5012]  000007fedd56d3c8
Thread  C:\Windows\system32\svchost.exe [532:5016]  000007fedd56d3c8
Thread  C:\Windows\System32\svchost.exe [2860:3760]  000007fedc4d9688
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [1892:4828]  000007fefb2f2bf8
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [1892:4836]  000007fedc7d4830
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [1892:4256]  000007fef0be5124
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [1892:4928]  000007fedc759d90
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [1892:1688]  000007fedc7d4830

---- EOF - GMER 2.1 ----
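A log like this is long mostly because the same modification is reported once per process. The script below is an added triage example; it is not GMER's code and not part of the log above. It parses the three entry formats GMER uses here (`.text` inline patches, `IAT` entries and `Thread` lines), groups the inline patches by hooked location and reported bytes so the distinct modifications stand out, and applies a few classification heuristics that are assumptions of this example rather than anything GMER itself asserts: x86 opcode facts (`E9`/`EB` jmp, `FF 25` indirect jmp, `31 C0 C2 04 00` is `xor eax,eax; ret 4`), the observation that a 2-byte patch equal to the upper 16 bits of its own address looks like the high half of a relocated absolute pointer into the same module rather than a detour, and the rule that an IAT import resolved to a DLL in the process's own directory (whether a legitimate side-by-side component or a search-order hijack) is the one to verify by signature. The embedded sample lines are copied from the log above.

```python
"""Triage helper for GMER 'User code sections' and 'User IAT/EAT' entries.

Added example, not GMER code. Heuristics in classify() are this example's
assumptions: GMER only reports the bytes it found, it does not interpret them.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

TEXT_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>.+?)!(?P<func>\w+)"
    r"(?:\s*\+\s*(?P<off>\d+))?\s+(?P<addr>[0-9a-fA-F]{16})\s+"
    r"(?P<n>\d+)\s+bytes?\s+\[(?P<bytes>[^\]]*)\]\s*$")
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+.+?\[(?P<dll>[^\]!]+)!(?P<func>\w+)\]"
    r"\s+\[(?P<addr>[0-9a-fA-F]+)\]\s+(?P<resolved>.+?)\s*$")
ELIDED_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s+(\d+)\s*$")  # GMER's "N more like this"

# Entries copied from the log above, one GMER entry per line.
SAMPLE = r"""
.text C:\Windows\system32\wininit.exe[588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f6ef8d 1 byte [62]
.text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f6ef8d 1 byte [62]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1784] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076c6a2fd 1 byte [62]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075361465 2 bytes [36, 75]
.text ... * 2
.text C:\Windows\SysWOW64\PnkBstrA.exe[2708] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000073791a22 2 bytes [79, 73]
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1872] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076c48791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text C:\Users\Sebasian\Downloads\gm\m57g1hli.exe[4156] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076c6a2fd 1 byte [62]
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2884] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7feef795f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
Thread C:\Windows\system32\svchost.exe [532:5004] 000007fedd56d3c8
"""


@dataclass(frozen=True)
class Hook:
    proc: str
    pid: int
    module: str
    func: str
    off: int
    addr: int
    data: bytes        # in-memory bytes as GMER printed them
    truncated: bool    # GMER ended the byte list with "..."


@dataclass(frozen=True)
class IatEntry:
    proc: str
    pid: int
    dll: str
    func: str
    addr: int
    resolved: str      # path of the module the import actually points into


def parse_bytes(field):
    toks = [t.strip() for t in field.split(",")]
    return bytes(int(t, 16) for t in toks if t != "..."), "..." in toks


def parse(text):
    """Return (hooks, iat_entries, elided_count); Thread lines are ignored."""
    hooks, iats, elided = [], [], 0
    for line in text.splitlines():
        if m := TEXT_RE.match(line):
            data, trunc = parse_bytes(m["bytes"])
            hooks.append(Hook(m["proc"], int(m["pid"]), m["module"], m["func"],
                              int(m["off"] or 0), int(m["addr"], 16), data, trunc))
        elif m := IAT_RE.match(line):
            iats.append(IatEntry(m["proc"], int(m["pid"]), m["dll"], m["func"],
                                 int(m["addr"], 16), m["resolved"]))
        elif m := ELIDED_RE.match(line):
            elided += int(m[1])
    return hooks, iats, elided


def classify(h):
    """Heuristic label for one patch (assumption of this example, see module docstring)."""
    d = h.data
    if d.startswith(b"\x31\xc0\xc2\x04\x00"):
        return "stub: xor eax,eax; ret 4 (API neutered to return 0, no detour)"
    if d[:1] in (b"\xe9", b"\xeb") or d[:2] == b"\xff\x25":
        return "detour: jmp at hooked location, follow the target"
    if len(d) == 2 and int.from_bytes(d, "little") == (h.addr >> 16) & 0xFFFF:
        return "relocated pointer: bytes equal upper 16 bits of the hooked address"
    if len(d) == 1:
        return "single byte: too short for any jmp (needs >= 2 bytes); diff against on-disk image"
    return "unclassified: disassemble the bytes at this address"


def summarize(hooks):
    """Distinct modifications -> processes carrying them."""
    groups = defaultdict(set)
    for h in hooks:
        key = (ntpath.basename(h.module).lower(), h.func, h.off, h.addr, h.data)
        groups[key].add(f"{ntpath.basename(h.proc)}[{h.pid}]")
    return groups


def coverage(hooks):
    """Same function and bytes across x64/WOW64 copies -> number of processes hit."""
    procs = defaultdict(set)
    for h in hooks:
        procs[(ntpath.basename(h.module).lower(), h.func, h.data)].add((h.proc, h.pid))
    return {k: len(v) for k, v in procs.items()}


def iat_side_by_side(iats):
    """IAT imports resolved to a DLL in the executable's own directory."""
    return [e for e in iats
            if ntpath.dirname(e.resolved).lower() == ntpath.dirname(e.proc).lower()]


if __name__ == "__main__":
    hooks, iats, elided = parse(SAMPLE)
    for key, procs in summarize(hooks).items():
        mod, func, off, addr, data = key
        print(f"{mod}!{func}+{off} @ {addr:016x} [{data.hex(' ')}] in {sorted(procs)}")
        print("   ", classify(next(h for h in hooks if (ntpath.basename(h.module).lower(),
                                                         h.func, h.off, h.addr, h.data) == key)))
    print(f"{elided} further entries elided by GMER ('.text ... * N')")
    for e in iat_side_by_side(iats):
        print(f"verify signature: {e.resolved} (imported by {e.proc}[{e.pid}])")
```

Running it on the full log is a matter of reading the file into `parse()` instead of `SAMPLE`. The useful output is not the labels themselves but the grouping: on this log the `GetBinaryTypeW` single-byte entry appears in every scanned process, including GMER's own `m57g1hli.exe[4156]`, and the 2-byte `PSAPI.DLL` and `WSOCK32.dll` entries carry the upper half of their own addresses; the one entry that changes control flow is the 8-byte `SetUnhandledExceptionFilter` stub in `AvastUI.exe`, which is where a manual disassembly should start.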