GMER 2.1.19081 - http://www.gmer.net Rootkit scan 2013-02-23 17:42:17 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST320LT0 rev.0003 298,09GB Running: wst3ywcr.exe; Driver: C:\Users\ZSORPI~1\AppData\Local\Temp\kwroauog.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\PC Tools Firewall Plus\FirewallGUI.exe[4856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776a1465 2 bytes [6A, 77] .text C:\Program Files (x86)\PC Tools Firewall Plus\FirewallGUI.exe[4856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776a14bb 2 bytes [6A, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776a1465 2 bytes [6A, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776a14bb 2 bytes [6A, 77] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [760] entry point in ".rdata" section 00000000748a71e6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8572] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000776ef991 7 bytes {MOV EDX, 0xcaca28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8572] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000776efbd5 7 bytes {MOV EDX, 0xcaca68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8572] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000776efc05 7 bytes {MOV EDX, 0xcac9a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8572] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000776efc1d 7 bytes {MOV EDX, 0xcac928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8572] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000776efc35 7 bytes {MOV EDX, 0xcacb28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8572] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000776efc65 7 bytes {MOV EDX, 0xcacb68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8572] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000776efce5 7 bytes {MOV EDX, 0xcacae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8572] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000776efcfd 7 bytes {MOV EDX, 0xcacaa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8572] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000776efd49 7 bytes {MOV EDX, 0xcac868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8572] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000776efe41 7 bytes {MOV EDX, 0xcac8a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8572] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000776f0099 7 bytes {MOV EDX, 0xcac828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8572] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776f10a5 7 bytes {MOV EDX, 0xcac9e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8572] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000776f111d 7 bytes {MOV EDX, 0xcac968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[8572] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000776f1321 7 bytes {MOV EDX, 0xcac8e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[14896] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776a1465 2 bytes [6A, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[14896] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776a14bb 2 bytes [6A, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[15048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776a1465 2 bytes [6A, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[15048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776a14bb 2 bytes [6A, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[14956] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000776ef991 7 bytes {MOV EDX, 0xc3ee28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[14956] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000776efbd5 7 bytes {MOV EDX, 0xc3ee68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[14956] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000776efc05 7 bytes {MOV EDX, 0xc3eda8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[14956] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000776efc1d 7 bytes {MOV EDX, 0xc3ed28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[14956] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000776efc35 7 bytes {MOV EDX, 0xc3ef28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[14956] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000776efc65 7 bytes {MOV EDX, 0xc3ef68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[14956] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000776efce5 7 bytes {MOV EDX, 0xc3eee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[14956] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000776efcfd 7 bytes {MOV EDX, 0xc3eea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[14956] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000776efd49 7 bytes {MOV EDX, 0xc3ec68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[14956] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000776efe41 7 bytes {MOV EDX, 0xc3eca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[14956] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000776f0099 7 bytes {MOV EDX, 0xc3ec28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[14956] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776f10a5 7 bytes {MOV EDX, 0xc3ede8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[14956] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000776f111d 7 bytes {MOV EDX, 0xc3ed68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[14956] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000776f1321 7 bytes {MOV EDX, 0xc3ece8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[14956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776a1465 2 bytes [6A, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[14956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776a14bb 2 bytes [6A, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776a1465 2 bytes [6A, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[12520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776a14bb 2 bytes [6A, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[13592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776a1465 2 bytes [6A, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[13592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776a14bb 2 bytes [6A, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000776ef991 7 bytes {MOV EDX, 0xa45228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000776efbd5 7 bytes {MOV EDX, 0xa45268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000776efc05 7 bytes {MOV EDX, 0xa451a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000776efc1d 7 bytes {MOV EDX, 0xa45128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000776efc35 7 bytes {MOV EDX, 0xa45328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000776efc65 7 bytes {MOV EDX, 0xa45368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000776efce5 7 bytes {MOV EDX, 0xa452e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000776efcfd 7 bytes {MOV EDX, 0xa452a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000776efd49 7 bytes {MOV EDX, 0xa45068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000776efe41 7 bytes {MOV EDX, 0xa450a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000776f0099 7 bytes {MOV EDX, 0xa45028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776f10a5 7 bytes {MOV EDX, 0xa451e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000776f111d 7 bytes {MOV EDX, 0xa45168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000776f1321 7 bytes {MOV EDX, 0xa450e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776a1465 2 bytes [6A, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776a14bb 2 bytes [6A, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[15592] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000776ef991 7 bytes {MOV EDX, 0x80c628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[15592] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000776efbd5 7 bytes {MOV EDX, 0x80c668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[15592] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000776efc05 7 bytes {MOV EDX, 0x80c5a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[15592] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000776efc1d 7 bytes {MOV EDX, 0x80c528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[15592] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000776efc35 7 bytes {MOV EDX, 0x80c728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[15592] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000776efc65 7 bytes {MOV EDX, 0x80c768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[15592] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000776efce5 7 bytes {MOV EDX, 0x80c6e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[15592] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000776efcfd 7 bytes {MOV EDX, 0x80c6a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[15592] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000776efd49 7 bytes {MOV EDX, 0x80c468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[15592] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000776efe41 7 bytes {MOV EDX, 0x80c4a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[15592] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000776f0099 7 bytes {MOV EDX, 0x80c428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[15592] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776f10a5 7 bytes {MOV EDX, 0x80c5e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[15592] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000776f111d 7 bytes {MOV EDX, 0x80c568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[15592] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000776f1321 7 bytes {MOV EDX, 0x80c4e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[15592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776a1465 2 bytes [6A, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[15592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776a14bb 2 bytes [6A, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[14456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776a1465 2 bytes [6A, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[14456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776a14bb 2 bytes [6A, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[13068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776a1465 2 bytes [6A, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[13068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776a14bb 2 bytes [6A, 77] .text ... * 2 .text C:\FileZilla_3.5.3_win32\FileZilla-3.5.3\filezilla.exe[16076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776a1465 2 bytes [6A, 77] .text C:\FileZilla_3.5.3_win32\FileZilla-3.5.3\filezilla.exe[16076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776a14bb 2 bytes [6A, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[15500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776a1465 2 bytes [6A, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[15500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776a14bb 2 bytes [6A, 77] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [856:5920] 000007fef55d2154 Thread C:\Windows\system32\svchost.exe [1136:3784] 000007fef7190ea8 Thread C:\Windows\system32\svchost.exe [1136:3792] 000007fef7189db0 Thread C:\Windows\system32\svchost.exe [1136:4136] 000007fef5b238e4 Thread C:\Windows\system32\svchost.exe [1136:4284] 000007fef5b2ccc4 Thread C:\Windows\system32\svchost.exe [1136:4400] 000007fef7191c94 Thread C:\Windows\system32\svchost.exe [1136:10792] 000007fef718aa10 Thread C:\Windows\system32\svchost.exe [1324:2324] 000007fef7c2bd88 Thread C:\Windows\system32\svchost.exe [1324:4528] 000007fef4555170 Thread C:\Windows\system32\svchost.exe [1324:5612] 000007fef7a75124 Thread C:\Windows\System32\spoolsv.exe [1540:2820] 000007fef73a10c8 Thread C:\Windows\System32\spoolsv.exe [1540:2852] 000007fef7366144 Thread C:\Windows\System32\spoolsv.exe [1540:2856] 000007fef8bc5fd0 Thread C:\Windows\System32\spoolsv.exe [1540:2860] 000007fef7343438 Thread C:\Windows\System32\spoolsv.exe [1540:2864] 000007fef8bc63ec Thread C:\Windows\System32\spoolsv.exe [1540:2872] 000007fef7855e5c Thread C:\Windows\System32\spoolsv.exe [1540:2876] 000007fef78f5074 Thread C:\Windows\system32\svchost.exe [1636:1668] 000007fefd3d1a70 Thread C:\Windows\system32\svchost.exe [1636:1672] 000007fefd3d1a70 Thread C:\Windows\system32\svchost.exe [1636:1772] 000007fefd3d1a70 Thread C:\Windows\system32\svchost.exe [1636:1780] 000007fefa002c70 Thread C:\Windows\system32\svchost.exe [1636:1796] 000007fefa00fb40 Thread C:\Windows\system32\svchost.exe [1636:1812] 000007fefa021d20 Thread C:\Windows\system32\svchost.exe [1636:1816] 000007fefa00f6f0 Thread C:\Windows\system32\svchost.exe [1636:2092] 000007fef93c35c0 Thread C:\Windows\system32\svchost.exe [1636:3672] 000007fef93c5600 Thread C:\Windows\system32\svchost.exe [1636:3864] 000007fef5bd2888 Thread C:\Windows\system32\svchost.exe [1636:4060] 000007fef5ae2940 Thread C:\Windows\system32\svchost.exe [1636:2768] 000007fef5bd2a40 Thread C:\Windows\system32\Dwm.exe [1180:9876] 000007fef9d5f0d8 Thread C:\Windows\system32\Dwm.exe [1180:4580] 000007fef999abf0 Thread C:\Windows\system32\svchost.exe [1656:2424] 000007fef8bc5fd0 Thread C:\Windows\system32\svchost.exe [1656:2428] 000007fef8bc63ec Thread C:\Windows\system32\svchost.exe [1656:4380] 000007fef4425f1c Thread C:\Windows\system32\svchost.exe [1656:5604] 000007fef2ce8470 Thread C:\Windows\system32\svchost.exe [1656:5608] 000007fef2cf2418 Thread C:\Windows\system32\svchost.exe [1656:3640] 000007fef4caf130 Thread C:\Windows\system32\svchost.exe [1656:11856] 000007fef4ca4734 Thread C:\Windows\system32\svchost.exe [1656:8956] 000007fef4ca4734 Thread C:\Windows\SysWOW64\svchost.exe [2084:5688] 00000000743717a4 Thread C:\Windows\system32\svchost.exe [3680:4000] 000007fef5c52f9c Thread C:\Windows\System32\svchost.exe [4124:3592] 000007feee5f9688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3544:5784] 000007fefbe62a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3544:5188] 000007feeb0ad618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3544:4032] 000007fef7a75124 Thread C:\Windows\SysWOW64\ntdll.dll [2744:1312] 000000000133f680 Thread C:\Windows\SysWOW64\ntdll.dll [2744:10152] 00000000012eede1 Thread C:\Windows\SysWOW64\ntdll.dll [2744:6864] 00000000012eede1 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e4d53dc65f02 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e4d53dc65f02 (not active ControlSet) ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----