GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-10-17 12:38:03 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000071 ST932032 rev.0003 298,09GB Running: ul7bufwy.exe; Driver: C:\Users\Maja\AppData\Local\Temp\kftciaog.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\SysWOW64\ntdll.dll[2604] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076338791 4 bytes [C2, 04, 00, 00] ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800039a7000 63 bytes [00, 00, 15, 00, 46, 69, 6C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 594 fffff800039a7042 4 bytes [00, 00, 00, 00] ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a03d0a (not active ControlSet) Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a03d0a Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a03d0a@0017003adabf 0x20 0xC9 0xF8 0xC2 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a03d0a@0017003adabf 0x20 0xC9 0xF8 0xC2 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a03d0a@380b408fedb8 0x28 0xC2 0x5B 0x99 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a03d0a@380b408fedb8 0x28 0xC2 0x5B 0x99 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a03d0a@3c363de3a1b6 0x2F 0x27 0xF0 0x55 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a03d0a@3c363de3a1b6 0x2F 0x27 0xF0 0x55 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a03d0a@ec9b5bb9615e 0x90 0xA6 0xD7 0x8B ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a03d0a@ec9b5bb9615e 0x90 0xA6 0xD7 0x8B ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a03d0a@30392675319a 0xB4 0xEE 0x6A 0xD8 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a03d0a@30392675319a 0xB4 0xEE 0x6A 0xD8 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a03d0a@9ce6e7222c79 0xB6 0x04 0x30 0x66 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a03d0a@9ce6e7222c79 0xB6 0x04 0x30 0x66 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a03d0a@0017d540785d 0xC9 0x1F 0x3C 0x84 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a03d0a@0017d540785d 0xC9 0x1F 0x3C 0x84 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a03d0a@b8c68eb11178 0xCF 0x18 0x0A 0xFE ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a03d0a@b8c68eb11178 0xCF 0x18 0x0A 0xFE ... Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{4FDF4D15-A63D-4C96-8C68-CAC9FAD461EB}@LeaseObtainedTime 1413535111 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{4FDF4D15-A63D-4C96-8C68-CAC9FAD461EB}@T1 1413538711 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{4FDF4D15-A63D-4C96-8C68-CAC9FAD461EB}@T2 1413541411 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{4FDF4D15-A63D-4C96-8C68-CAC9FAD461EB}@LeaseTerminatesTime 1413542311 ---- Threads - GMER 2.1 ---- Thread C:\Windows\SysWOW64\ntdll.dll [2604:3652] 000000000045afc0 Thread C:\Windows\SysWOW64\ntdll.dll [2604:3848] 00000000004628e0 Thread C:\Windows\SysWOW64\ntdll.dll [2604:3908] 00000000004628e0 Thread C:\Windows\SysWOW64\ntdll.dll [2604:2608] 0000000000485000 Thread C:\Windows\SysWOW64\ntdll.dll [2604:4144] 0000000020303c29 Thread C:\Windows\SysWOW64\ntdll.dll [2604:4256] 0000000020303c29 Thread C:\Windows\SysWOW64\ntdll.dll [2604:4552] 0000000020303c29 Thread C:\Windows\SysWOW64\ntdll.dll [2604:468] 0000000020303c29 Thread C:\Windows\SysWOW64\ntdll.dll [2604:5816] 0000000020303c29 Thread C:\Windows\SysWOW64\ntdll.dll [2604:3680] 0000000021304e40 Thread C:\Windows\SysWOW64\ntdll.dll [2604:3668] 0000000021305540 Thread C:\Windows\SysWOW64\ntdll.dll [2604:3672] 0000000021305540 Thread C:\Windows\SysWOW64\ntdll.dll [2604:3664] 00000000213069b0 Thread C:\Windows\SysWOW64\ntdll.dll [2604:3660] 0000000021306c30 Thread C:\Windows\SysWOW64\ntdll.dll [2604:2976] 0000000021316820 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4940:4380] 000007feee32cf60 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4940:5556] 000007fef4c25124 Thread C:\Windows\System32\spoolsv.exe [1484:2856] 000007fef50e3438 Thread C:\Windows\System32\spoolsv.exe [1484:2852] 000007fef50f5fd0 Thread C:\Windows\System32\spoolsv.exe [1484:2860] 000007fef50f63ec Thread C:\Windows\System32\spoolsv.exe [1484:2848] 000007fef5306144 Thread C:\Windows\System32\spoolsv.exe [1484:2840] 000007fef53310c8 Thread C:\Windows\System32\spoolsv.exe [1484:2868] 000007fef8f35e5c Thread C:\Windows\system32\DllHost.exe [4796:2972] 000007fef8f8ae60 Thread C:\Windows\System32\spoolsv.exe [1484:2872] 000007fef9135074 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4940:416] 000007fefb692bf8 ---- EOF - GMER 2.1 ----