GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-22 16:38:52
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000034 SAMSUNG_HD642JJ rev.1AA01118 596,17GB
Running: gmer.exe; Driver: C:\Users\eafae\AppData\Local\Temp\kwldapob.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1584] C:\Windows\system32\PsApi.dll!GetModuleBaseNameA + 506 00007ff9e6b1169a 4 bytes [B1, E6, F9, 7F]
.text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1584] C:\Windows\system32\PsApi.dll!GetModuleBaseNameA + 514 00007ff9e6b116a2 4 bytes [B1, E6, F9, 7F]
.text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1584] C:\Windows\system32\PsApi.dll!QueryWorkingSet + 118 00007ff9e6b1181a 4 bytes [B1, E6, F9, 7F]
.text C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe[1584] C:\Windows\system32\PsApi.dll!QueryWorkingSet + 142 00007ff9e6b11832 4 bytes [B1, E6, F9, 7F]
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1888] C:\Windows\system32\PsApi.dll!GetModuleBaseNameA + 506 00007ff9e6b1169a 4 bytes [B1, E6, F9, 7F]
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1888] C:\Windows\system32\PsApi.dll!GetModuleBaseNameA + 514 00007ff9e6b116a2 4 bytes [B1, E6, F9, 7F]
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1888] C:\Windows\system32\PsApi.dll!QueryWorkingSet + 118 00007ff9e6b1181a 4 bytes [B1, E6, F9, 7F]
.text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1888] C:\Windows\system32\PsApi.dll!QueryWorkingSet + 142 00007ff9e6b11832 4 bytes [B1, E6, F9, 7F]
.text C:\Windows\System32\dwm.exe[3020] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff9e6b1169a 4 bytes [B1, E6, F9, 7F]
.text C:\Windows\System32\dwm.exe[3020] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff9e6b116a2 4 bytes [B1, E6, F9, 7F]
.text C:\Windows\System32\dwm.exe[3020] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff9e6b1181a 4 bytes [B1, E6, F9, 7F]
.text C:\Windows\System32\dwm.exe[3020] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff9e6b11832 4 bytes [B1, E6, F9, 7F]
.text C:\Windows\system32\nvvsvc.exe[672] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff9e6b1169a 4 bytes [B1, E6, F9, 7F]
.text C:\Windows\system32\nvvsvc.exe[672] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff9e6b116a2 4 bytes [B1, E6, F9, 7F]
.text C:\Windows\system32\nvvsvc.exe[672] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff9e6b1181a 4 bytes [B1, E6, F9, 7F]
.text C:\Windows\system32\nvvsvc.exe[672] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff9e6b11832 4 bytes [B1, E6, F9, 7F]
.text C:\Windows\Explorer.EXE[5084] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff9e6b1169a 4 bytes [B1, E6, F9, 7F]
.text C:\Windows\Explorer.EXE[5084] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff9e6b116a2 4 bytes [B1, E6, F9, 7F]
.text C:\Windows\Explorer.EXE[5084] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff9e6b1181a 4 bytes [B1, E6, F9, 7F]
.text C:\Windows\Explorer.EXE[5084] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff9e6b11832 4 bytes [B1, E6, F9, 7F]
.text C:\Program Files\CCleaner\CCleaner64.exe[3932] C:\Windows\system32\USER32.dll!ShowScrollBar 00007ff9e65a1130 5 bytes JMP 00007ffa66610018
.text C:\Program Files\CCleaner\CCleaner64.exe[3932] C:\Windows\system32\USER32.dll!SetScrollInfo 00007ff9e65a6ff0 5 bytes JMP 00007ffa665c0018
.text C:\Program Files\CCleaner\CCleaner64.exe[3932] C:\Windows\system32\USER32.dll!GetScrollInfo 00007ff9e65b08bc 5 bytes JMP 00007ffa665d0018
.text C:\Program Files\CCleaner\CCleaner64.exe[3932] C:\Windows\system32\USER32.dll!SetScrollRange 00007ff9e65be1e8 5 bytes JMP 00007ffa66600018
.text C:\Program Files\CCleaner\CCleaner64.exe[3932] C:\Windows\system32\USER32.dll!GetScrollPos 00007ff9e65cff10 5 bytes JMP 00007ffa665e0018
.text C:\Program Files\CCleaner\CCleaner64.exe[3932] C:\Windows\system32\USER32.dll!EnableScrollBar 00007ff9e65d8d80 5 bytes JMP 00007ffa665f0018
.text C:\Program Files\CCleaner\CCleaner64.exe[3932] C:\Windows\system32\USER32.dll!SetScrollPos 00007ff9e65d9c10 5 bytes JMP 00007ffa66650018
.text C:\Program Files\CCleaner\CCleaner64.exe[3932] C:\Windows\system32\USER32.dll!GetScrollRange 00007ff9e662a4bc 5 bytes JMP 00007ffa66640018
.text C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff9e72a1040 6 bytes [48, B8, 30, 08, C1, 01]
.text C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[2228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00007ff9e72a1048 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[2228] C:\Windows\system32\KERNEL32.DLL!UnhandledExceptionFilter + 1 00007ff9e70dd48d 5 bytes [B8, 30, 08, 22, 01]
.text C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[2228] C:\Windows\system32\KERNEL32.DLL!UnhandledExceptionFilter + 7 00007ff9e70dd493 5 bytes [00, 00, 00, 50, C3]
.text C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[2228] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff9e6b1169a 4 bytes [B1, E6, F9, 7F]
.text C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[2228] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff9e6b116a2 4 bytes [B1, E6, F9, 7F]
.text C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[2228] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff9e6b1181a 4 bytes [B1, E6, F9, 7F]
.text C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[2228] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff9e6b11832 4 bytes [B1, E6, F9, 7F]
.text C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff9e72a1040 6 bytes [48, B8, 30, 08, C7, 01]
.text C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00007ff9e72a1048 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[2376] C:\Windows\system32\KERNEL32.DLL!UnhandledExceptionFilter + 1 00007ff9e70dd48d 5 bytes [B8, 30, 08, 05, 01]
.text C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[2376] C:\Windows\system32\KERNEL32.DLL!UnhandledExceptionFilter + 7 00007ff9e70dd493 5 bytes [00, 00, 00, 50, C3]
.text C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[2376] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff9e6b1169a 4 bytes [B1, E6, F9, 7F]
.text C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[2376] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff9e6b116a2 4 bytes [B1, E6, F9, 7F]
.text C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[2376] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff9e6b1181a 4 bytes [B1, E6, F9, 7F]
.text C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[2376] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff9e6b11832 4 bytes [B1, E6, F9, 7F]
.text C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff9e72a1040 6 bytes [48, B8, 30, 08, AC, 02]
.text C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[2832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 00007ff9e72a1048 4 bytes [00, 00, 50, C3]
.text C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[2832] C:\Windows\system32\KERNEL32.DLL!UnhandledExceptionFilter + 1 00007ff9e70dd48d 5 bytes [B8, 30, 08, 5B, 02]
.text C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[2832] C:\Windows\system32\KERNEL32.DLL!UnhandledExceptionFilter + 7 00007ff9e70dd493 5 bytes [00, 00, 00, 50, C3]
.text C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[2832] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff9e6b1169a 4 bytes [B1, E6, F9, 7F]
.text C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[2832] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff9e6b116a2 4 bytes [B1, E6, F9, 7F]
.text C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[2832] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff9e6b1181a 4 bytes [B1, E6, F9, 7F]
.text C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[2832] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff9e6b11832 4 bytes [B1, E6, F9, 7F]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\KERNEL32.DLL!CreateToolhelp32Snapshot 00007ff9e701a8f0 12 bytes [48, B8, C9, 34, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\KERNEL32.DLL!Process32NextW 00007ff9e701b0f0 5 bytes [48, B8, 89, C9, 68]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\KERNEL32.DLL!Process32NextW + 6 00007ff9e701b0f6 6 bytes [00, 00, 00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\KERNEL32.DLL!GetStartupInfoA + 1 00007ff9e70b2731 11 bytes [B8, 09, E2, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\KERNELBASE.dll!CloseHandle 00007ff9e46214f0 12 bytes [48, B8, 49, 4D, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1 00007ff9e46254c9 11 bytes [B8, 49, BD, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 1 00007ff9e46255b1 11 bytes [B8, 89, BB, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1 00007ff9e4626741 11 bytes [B8, C9, 49, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\KERNELBASE.dll!CreateMutexW 00007ff9e462688c 12 bytes [48, B8, 89, 4B, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1 00007ff9e4628f99 4 bytes [B8, C9, B9, 68]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 6 00007ff9e4628f9e 6 bytes [00, 00, 00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\KERNELBASE.dll!GetProcAddress 00007ff9e4629e94 12 bytes [48, B8, 09, BF, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff9e46368c0 5 bytes [48, B8, 89, 28, 68]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW + 6 00007ff9e46368c6 6 bytes [00, 00, 00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory + 1 00007ff9e4644ac1 11 bytes [B8, 89, 3D, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\KERNELBASE.dll!CreateThread 00007ff9e4699eb0 12 bytes [48, B8, C9, 3B, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\KERNELBASE.dll!ReadConsoleInputA + 1 00007ff9e46eada5 11 bytes [B8, 49, 70, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\KERNELBASE.dll!ReadConsoleInputW + 1 00007ff9e46eae11 11 bytes [B8, 09, 72, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\KERNELBASE.dll!ReadConsoleA 00007ff9e46eb82c 12 bytes [48, B8, C9, 73, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\KERNELBASE.dll!ReadConsoleW 00007ff9e46eba54 12 bytes [48, B8, 89, 75, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread 00007ff9e46fcddc 12 bytes [48, B8, C9, 1F, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!ShowWindow 00007ff9e65a1190 6 bytes [48, B8, 09, A3, 68, 57]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!ShowWindow + 8 00007ff9e65a1198 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!UnhookWindowsHookEx 00007ff9e65a11f0 6 bytes [48, B8, 89, 7C, 68, 57]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!UnhookWindowsHookEx + 8 00007ff9e65a11f8 4 bytes [00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!GetMessageW 00007ff9e65a2030 12 bytes [48, B8, 09, 6B, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!PeekMessageW + 1 00007ff9e65a3071 11 bytes [B8, 89, 6E, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!PostMessageW + 1 00007ff9e65a34d1 11 bytes [B8, 49, E7, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!CallNextHookEx + 1 00007ff9e65a3be1 11 bytes [B8, C9, 7A, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!SetWindowTextW + 1 00007ff9e65a56e1 11 bytes [B8, 89, AD, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!GetMessageA + 1 00007ff9e65a6401 11 bytes [B8, 49, 69, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!PostMessageA 00007ff9e65a6970 12 bytes [48, B8, 89, E5, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!CreateWindowExW 00007ff9e65a7834 7 bytes [48, B8, 89, 9F, 68, 57, 00]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!CreateWindowExW + 10 00007ff9e65a783e 2 bytes [50, C3]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!SetWindowsHookExW + 1 00007ff9e65aa861 7 bytes [B8, 09, 1E, 68, 57, 00, 00]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!SetWindowsHookExW + 9 00007ff9e65aa869 3 bytes [00, 50, C3]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!CreateWindowExA 00007ff9e65aae38 7 bytes [48, B8, 49, A1, 68, 57, 00]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!CreateWindowExA + 10 00007ff9e65aae42 2 bytes [50, C3]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!FindWindowExW + 1 00007ff9e65aceb1 11 bytes [B8, 09, C6, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!FindWindowExA + 1 00007ff9e65ad241 7 bytes [B8, 89, C2, 68, 57, 00, 00]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!FindWindowExA + 9 00007ff9e65ad249 3 bytes [00, 50, C3]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!FindWindowW + 1 00007ff9e65aec31 7 bytes [B8, 49, C4, 68, 57, 00, 00]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!FindWindowW + 9 00007ff9e65aec39 3 bytes [00, 50, C3]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!SetWinEventHook 00007ff9e65b2214 12 bytes [48, B8, 09, 3A, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!CreateDialogIndirectParamAorW + 1 00007ff9e65c0dcd 11 bytes [B8, C9, A4, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!PeekMessageA + 1 00007ff9e65c20e1 11 bytes [B8, C9, 6C, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!UserClientDllInitialize + 1 00007ff9e65c2831 4 bytes [B8, 49, F5, 68]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!UserClientDllInitialize + 6 00007ff9e65c2836 6 bytes [00, 00, 00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!DialogBoxIndirectParamAorW + 1 00007ff9e65d0799 11 bytes [B8, 89, A6, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!SetWindowsHookExA + 1 00007ff9e65fd979 8 bytes [B8, 49, 1C, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!SetWindowsHookExA + 10 00007ff9e65fd982 2 bytes [50, C3]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!MessageBoxExA + 1 00007ff9e66236fd 11 bytes [B8, 49, A8, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!MessageBoxExW + 1 00007ff9e6623721 11 bytes [B8, 09, AA, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!FindWindowA + 1 00007ff9e6624881 11 bytes [B8, C9, C0, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\SYSTEM32\user32.dll!SetWindowTextA + 1 00007ff9e662c725 11 bytes [B8, C9, AB, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle + 1 00007ff9e672143d 5 bytes [B8, 09, 5D, 68, 57]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\ADVAPI32.dll!CloseServiceHandle + 7 00007ff9e6721443 5 bytes [00, 00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\ADVAPI32.dll!OpenServiceW + 1 00007ff9e6721471 5 bytes [B8, C9, 50, 68, 57]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\ADVAPI32.dll!OpenServiceW + 7 00007ff9e6721477 5 bytes [00, 00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW 00007ff9e6727eac 12 bytes [48, B8, 49, 5B, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\ADVAPI32.dll!OpenServiceA + 1 00007ff9e674f829 5 bytes [B8, 09, 4F, 68, 57]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\ADVAPI32.dll!OpenServiceA + 7 00007ff9e674f82f 5 bytes [00, 00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\ADVAPI32.dll!ControlService + 1 00007ff9e674f849 5 bytes [B8, 09, 56, 68, 57]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\ADVAPI32.dll!ControlService + 7 00007ff9e674f84f 5 bytes [00, 00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA 00007ff9e677cc48 12 bytes [48, B8, 89, 59, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA + 1 00007ff9e677ccb1 5 bytes [B8, 89, 52, 68, 57]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\ADVAPI32.dll!ControlServiceExA + 7 00007ff9e677ccb7 5 bytes [00, 00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW + 1 00007ff9e677ccc1 5 bytes [B8, 49, 54, 68, 57]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\ADVAPI32.dll!ControlServiceExW + 7 00007ff9e677ccc7 5 bytes [00, 00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\ADVAPI32.dll!CreateServiceA 00007ff9e677cd04 12 bytes [48, B8, C9, 65, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\ADVAPI32.dll!CreateServiceW 00007ff9e677cd88 12 bytes [48, B8, 89, 67, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\ADVAPI32.dll!DeleteService + 1 00007ff9e677d1b5 5 bytes [B8, C9, 57, 68, 57]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\ADVAPI32.dll!DeleteService + 7 00007ff9e677d1bb 5 bytes [00, 00, 00, 50, C3]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1 00007ff9e4dec901 11 bytes [B8, 49, 7E, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\WS2_32.dll!closesocket 00007ff9e6d71ac0 12 bytes [48, B8, C9, B2, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\WS2_32.dll!WSASocketW 00007ff9e6d72190 12 bytes [48, B8, 09, B1, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\WS2_32.dll!socket + 1 00007ff9e6d724a1 11 bytes [B8, 89, D7, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\WS2_32.dll!GetAddrInfoW 00007ff9e6d72bb0 12 bytes [48, B8, 49, 9A, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\WS2_32.dll!GetAddrInfoExW 00007ff9e6d78a90 12 bytes [48, B8, 09, 9C, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\WS2_32.dll!WSASend + 1 00007ff9e6d7f381 11 bytes [B8, 89, B4, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\WS2_32.dll!recv + 1 00007ff9e6d7f561 11 bytes [B8, C9, DC, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\WS2_32.dll!WSARecv + 1 00007ff9e6d7ffd1 11 bytes [B8, 89, DE, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\WS2_32.dll!connect 00007ff9e6d807f0 12 bytes [48, B8, 49, 62, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\WS2_32.dll!send + 1 00007ff9e6d80f61 11 bytes [B8, 49, AF, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\WS2_32.dll!WSAConnect + 1 00007ff9e6d869b1 11 bytes [B8, 09, DB, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\WS2_32.dll!gethostbyname + 1 00007ff9e6d94749 11 bytes [B8, C9, 9D, 68, 57, 00, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\DNSAPI.dll!DnsQueryEx 00007ff9e3aa33a0 12 bytes [48, B8, C9, D5, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8 00007ff9e3ac2ff0 12 bytes [48, B8, 09, D4, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\DNSAPI.dll!DnsQuery_W 00007ff9e3ad1b74 12 bytes [48, B8, 49, D2, 68, 57, 00, ...]
.text C:\Windows\system32\taskhost.exe[3660] C:\Windows\system32\DNSAPI.dll!DnsQuery_A 00007ff9e3affcec 12 bytes [48, B8, 89, D0, 68, 57, 00, ...]

---- Modules - GMER 2.1 ----

Module \SystemRoot\System32\drivers\lyhot.sys (FILE NOT FOUND) fffff8000bed5000-fffff8000beeb000 (90112 bytes)

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\csrss.exe [1516:760] fffff96000969b90

---- Processes - GMER 2.1 ----

Library \\?\C:\Program Files\Common Files\Bitdefender\Bitdefender Threat Scanner\trufos.dll (*** suspicious ***) @ C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe [2376] (FILE NOT FOUND) 00007ff9d1930000
Process C:\Users\eafae\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe (*** suspicious ***) @ C:\Users\eafae\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe [2340](2014-01-28 17:36:04) 0000000000400000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\cleanup.old??\??\C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware??\??\C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.old??\??\C:\Users\eafae\AppData\Local\Temp\_iu14D2N.tmp??\??\C:\Users\eafae\AppData\Local\Temp\nsf5791.tmp\g\??\??\C:\Users\eafae\AppData\Local\Temp\nsf5791.tmp\??\??\C:\Users\eafae\AppData\Local\Temp\RarSFX1\bdmetrics.dll??\??\C:\Users\eafae\AppData\Local\Temp\RarSFX1\bdnc.dll??\??\C:\Users\eafae\AppData\Local\Temp\RarSFX1\en-US\setupdownloader.ui??\??\C:\Users\eafae\AppData\Local\Temp\RarSFX1\en-US??\??\C:\Users\eafae\AppData\Local\Temp\RarSFX1\htmlayout.dll??\??\C:\Users\eafae\AppData\Local\Temp\RarSFX1\setupdownloader.exe??\??\C:\Users\eafae\AppData\Local\Temp\RarSFX1\UninstallLib.dll??\??\C:\Users\eafae\AppData\Local\Temp\RarSFX1\WSUtils.dll??\??\C:\Users\eafae\AppData\Local\Temp\RarSFX1\??
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -1818421699
Reg HKLM\SYSTEM\CurrentControlSet\Services\gzflt@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gzflt
Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_unspecified_79c0bedf235bdfb1643d20558bd419fccfff9e7_00000000_03c469cc
Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles@CheckingForSolutionDialog 0x44 0x00 0x02 0x00 ...
Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles@FirstLevelConsentDialog 0x16 0x05 0x3A 0x00 ...

---- EOF - GMER 2.1 ----