GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-24 20:07:14
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.MH00 298,09GB
Running: k9d5eskd.exe; Driver: C:\Users\User\AppData\Local\Temp\kwldapob.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[2796] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000076a08791 4 bytes [C2, 04, 00, 00]

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3484] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord]  [7fef578741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3484] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet]  [7fef5785f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3484] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession]  [7fef5785674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3484] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession]  [7fef5785e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3484] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload]  [7fef5787f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3484] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion]  [7fef5786a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3484] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId]  [7fef5786ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3484] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId]  [7fef5787b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3484] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId]  [7fef5787ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3484] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId]  [7fef57878b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3484] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession]  [7fef5784fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3484] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId]  [7fef5785d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3484] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString]  [7fef5787584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Threads - GMER 2.1 ----

Thread  C:\windows\System32\svchost.exe [308:3496]  000007fef2006b8c
Thread  C:\windows\System32\svchost.exe [308:3876]  000007fef2001d88
Thread  C:\windows\System32\svchost.exe [448:1340]  000007fefaf7ffc0
Thread  C:\windows\System32\svchost.exe [448:1384]  000007fefa71331c
Thread  C:\windows\System32\svchost.exe [448:1764]  000007fef9e059a0
Thread  C:\windows\System32\svchost.exe [448:4372]  000007fefcb91a70
Thread  C:\windows\System32\svchost.exe [448:5684]  000007fef23c20c0
Thread  C:\windows\System32\svchost.exe [448:5720]  000007fef23c26a8
Thread  C:\windows\System32\svchost.exe [448:6028]  000007fef5a144e0
Thread  C:\windows\System32\svchost.exe [448:6684]  000007fef5a1d190
Thread  C:\windows\System32\svchost.exe [448:7040]  000007fef1923efc
Thread  C:\windows\System32\svchost.exe [448:7104]  000007fef1968a4c
Thread  C:\windows\System32\svchost.exe [448:1180]  000007fef5a38730
Thread  C:\windows\System32\svchost.exe [448:6984]  000007fef5e488f8
Thread  C:\windows\system32\svchost.exe [704:4956]  000007fef50b0ea8
Thread  C:\windows\system32\svchost.exe [704:4960]  000007fef50a9db0
Thread  C:\windows\system32\svchost.exe [704:3016]  000007fef50aaa10
Thread  C:\windows\system32\svchost.exe [704:1824]  000007fef50b1c94
Thread  C:\windows\system32\svchost.exe [704:5368]  000007fef273d3c8
Thread  C:\windows\system32\svchost.exe [704:5396]  000007fef273d3c8
Thread  C:\windows\system32\svchost.exe [704:5392]  000007fef273d3c8
Thread  C:\windows\system32\svchost.exe [704:5400]  000007fef273d3c8
Thread  C:\windows\system32\svchost.exe [1260:1536]  000007fefad78274
Thread  C:\windows\system32\svchost.exe [1260:1680]  000007fefad78274
Thread  C:\windows\system32\svchost.exe [1428:4184]  000007fef4a35388
Thread  C:\windows\system32\svchost.exe [1428:4188]  000007fef4a17738
Thread  C:\windows\system32\svchost.exe [1428:4192]  000007fef4a01f90
Thread  C:\windows\Explorer.EXE [1772:2572]  000007fef9ab2154
Thread  C:\windows\Explorer.EXE [1772:3120]  000007fef5d22118
Thread  C:\windows\Explorer.EXE [1772:3136]  000007fef8fd2f9c
Thread  C:\windows\system32\WLANExt.exe [1784:1888]  000000018000b674
Thread  C:\windows\system32\WLANExt.exe [1784:1892]  000000018000b690
Thread  C:\windows\system32\WLANExt.exe [1784:1896]  000000018000b658
Thread  C:\windows\system32\WLANExt.exe [1784:1900]  0000000180022170
Thread  C:\windows\system32\WLANExt.exe [1784:1904]  000007fef8fd2f9c
Thread  C:\windows\System32\spoolsv.exe [1988:4200]  000007fef49d10c8
Thread  C:\windows\System32\spoolsv.exe [1988:4208]  000007fef49a6144
Thread  C:\windows\System32\spoolsv.exe [1988:4212]  000007fefa335fd0
Thread  C:\windows\System32\spoolsv.exe [1988:4216]  000007fef4943438
Thread  C:\windows\System32\spoolsv.exe [1988:4220]  000007fefa3363ec
Thread  C:\windows\System32\spoolsv.exe [1988:4244]  000007fef4c55e5c
Thread  C:\windows\System32\spoolsv.exe [1988:4264]  000007fef4c85074
Thread  C:\windows\System32\spoolsv.exe [1988:4552]  000007fef4cf2288
Thread  C:\windows\system32\taskhost.exe [1228:1328]  000007fef8b93d18
Thread  C:\windows\system32\taskhost.exe [1228:1380]  000007fef8be1f38
Thread  C:\windows\system32\taskhost.exe [1228:1388]  000007fef8bf2740
Thread  C:\windows\system32\taskhost.exe [1228:3984]  000007fefb201010
Thread  C:\windows\system32\svchost.exe [2112:2788]  000007fefa5735c0
Thread  C:\windows\system32\svchost.exe [2112:2792]  000007fefa575600
Thread  C:\windows\system32\svchost.exe [2112:5312]  000007fef2032888
Thread  C:\windows\system32\svchost.exe [2112:5288]  000007fef2022940
Thread  C:\windows\system32\svchost.exe [2912:6268]  000007fef1998470
Thread  C:\windows\system32\svchost.exe [2912:6272]  000007fef19a2418
Thread  C:\windows\system32\svchost.exe [2912:5912]  000007fee9c0f130
Thread  C:\windows\system32\svchost.exe [2912:5728]  000007fee9c04734
Thread  C:\windows\system32\svchost.exe [2912:3012]  000007fee9c04734
Thread  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3536:3736]  000000006e496358
Thread  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3536:3744]  000000006e08f71d
Thread  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3536:3784]  000000006e08f71d
Thread  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3536:3788]  000000006e085b1a
Thread  C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3536:4632]  000000006e440b14
Thread  C:\windows\system32\svchost.exe [5596:5704]  000007fef8fd2f9c
Thread  C:\windows\system32\svchost.exe [5632:5648]  000007feff6ba808
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [5324:5260]  000007fefb4b2bf8
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [5324:6396]  000007feec044830
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [5324:5744]  000007fef4b65124
Thread  C:\windows\System32\svchost.exe [6252:6680]  000007fef8145170
Thread  C:\windows\System32\svchost.exe [6252:6660]  000007fef4b69874
Thread  C:\windows\system32\DllHost.exe [7056:7108]  000000006b0ae320

---- Processes - GMER 2.1 ----

Process  \\?\C:\windows\system32\wbem\WMIADAP.EXE (*** suspicious ***) @ \\?\C:\windows\system32\wbem\WMIADAP.EXE [5952] (WMI Reverse Performance Adapter Maintenance Utility/Microsoft Corporation)(2009-07-13 23:47:22)  00000000ffa60000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f395f69f0b
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\cc52afa88d22
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f395f69f0b (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\cc52afa88d22 (not active ControlSet)

---- EOF - GMER 2.1 ----