GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-11-04 17:48:55
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 HGST_HTS rev.GG2Z 465,76GB
Running: m57g1hli.exe; Driver: C:\Users\Daniel\AppData\Local\Temp\kgtdrpob.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002fef000 45 bytes [00, 00, 00, 00, 52, 00, 00, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff80002fef02f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe[1688] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075878769 4 bytes [C2, 04, 00, 00]
.text C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE[2496] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007778fd98 7 bytes [68, A4, D7, 47, 25, C3, 90]
.text C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[4668] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007778fd98 7 bytes [68, A4, D7, CB, 03, C3, 90]
.text C:\Program Files (x86)\Garmin\ANT Agent\ANT Agent.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007778fd98 7 bytes [68, A4, D7, EF, 03, C3, 90]
.text C:\Users\Daniel\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[4964] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007778fd98 7 bytes [68, A4, D7, 6F, 6C, C3, 90]
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[1316] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007778fd98 4 bytes [68, A4, D7, 2E]
.text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[1316] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile + 5 000000007778fd9d 2 bytes [C3, 90]
.text C:\Program Files (x86)\FreeCommander\FreeCommander.exe[8320] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007778fd98 7 bytes [68, A4, D7, AF, 02, C3, 90]
.text C:\Program Files (x86)\Notepad++\notepad++.exe[6828] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007778fd98 4 bytes [68, A4, D7, 1A]
.text C:\Program Files (x86)\Notepad++\notepad++.exe[6828] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile + 5 000000007778fd9d 2 bytes [C3, 90]
.text C:\Users\Daniel\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[6296] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000077021465 2 bytes [02, 77]
.text C:\Users\Daniel\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[6296] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000770214bb 2 bytes [02, 77]
.text ... * 2

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\lsass.exe [872:896] 000007fefd0cdf50
Thread C:\Windows\System32\svchost.exe [1124:1292] 000007fefbb9f2f4
Thread C:\Windows\System32\svchost.exe [1124:1308] 000007fefbb16204
Thread C:\Windows\System32\svchost.exe [1124:1544] 000007fefa5a5428
Thread C:\Windows\System32\svchost.exe [1124:5052] 000007feec8d6b8c
Thread C:\Windows\System32\svchost.exe [1124:7568] 000007feec8d1d88
Thread C:\Windows\System32\svchost.exe [1124:9396] 000007fefa772070
Thread C:\Windows\System32\svchost.exe [1124:9256] 000007fef7da5fd0
Thread C:\Windows\System32\svchost.exe [1124:2796] 000007fefdc2c608
Thread C:\Windows\System32\svchost.exe [1172:6604] 000007fef27444e0
Thread C:\Windows\System32\svchost.exe [1172:8520] 000007fef90b88f8
Thread C:\Windows\System32\svchost.exe [1172:10060] 000007fef0b63efc
Thread C:\Windows\System32\svchost.exe [1172:7512] 000007fef4e58a4c
Thread C:\Windows\system32\svchost.exe [1204:1804] 000007fef9ab1e00
Thread C:\Windows\system32\svchost.exe [1204:1816] 000007fef98c1a50
Thread C:\Windows\system32\svchost.exe [1204:2112] 000007fefcdc1a70
Thread C:\Windows\system32\svchost.exe [1204:2804] 000007fefcdc1a70
Thread C:\Windows\system32\svchost.exe [1204:3948] 000007fef710506c
Thread C:\Windows\system32\svchost.exe [1204:3952] 000007fef8271c20
Thread C:\Windows\system32\svchost.exe [1204:3960] 000007fef8271c20
Thread C:\Windows\system32\svchost.exe [1204:10104] 000007fefa341ab0
Thread C:\Windows\system32\svchost.exe [1524:2400] 000007fef924bd88
Thread C:\Windows\system32\svchost.exe [1524:7196] 000007fef6115170
Thread C:\Windows\system32\svchost.exe [1524:7792] 000007fef90f5124
Thread C:\Windows\system32\svchost.exe [1524:3892] 000007fef409341c
Thread C:\Windows\system32\svchost.exe [1524:7640] 000007fef4093a2c
Thread C:\Windows\system32\svchost.exe [1524:4704] 000007fef4093768
Thread C:\Windows\system32\svchost.exe [1524:8024] 000007fef4095c20
Thread C:\Windows\system32\svchost.exe [1524:9132] 000007fef4093900
Thread C:\Windows\system32\WLANExt.exe [1676:1784] 000000018000b6d4
Thread C:\Windows\system32\WLANExt.exe [1676:1788] 000000018000b6f0
Thread C:\Windows\system32\WLANExt.exe [1676:1792] 000000018000b6b8
Thread C:\Windows\system32\WLANExt.exe [1676:1796] 00000001800221a0
Thread C:\Windows\system32\WLANExt.exe [1676:1800] 000007fef99c2f9c
Thread C:\Windows\System32\spoolsv.exe [1840:3004] 000007fef7ff10c8
Thread C:\Windows\System32\spoolsv.exe [1840:3024] 000007fef7fb6144
Thread C:\Windows\System32\spoolsv.exe [1840:3028] 000007fef7da5fd0
Thread C:\Windows\System32\spoolsv.exe [1840:3032] 000007fef7d93438
Thread C:\Windows\System32\spoolsv.exe [1840:3036] 000007fef7da63ec
Thread C:\Windows\System32\spoolsv.exe [1840:3044] 000007fef8095e5c
Thread C:\Windows\System32\spoolsv.exe [1840:3048] 000007fef80c5074
Thread C:\Windows\System32\spoolsv.exe [1840:1620] 000007fef8132288
Thread C:\Windows\system32\svchost.exe [1872:1892] 000007fef93d35c0
Thread C:\Windows\system32\svchost.exe [1872:1980] 000007fef93d5600
Thread C:\Windows\system32\svchost.exe [1872:3248] 000007fef7922940
Thread C:\Windows\system32\svchost.exe [1872:4008] 000007fef60d2888
Thread C:\Windows\system32\svchost.exe [3108:3124] 000007fefdf0a808
Thread C:\Windows\system32\svchost.exe [3108:3160] 000007fef7936e5c
Thread C:\Windows\system32\svchost.exe [7692:7780] 000007fef7be8470
Thread C:\Windows\system32\svchost.exe [7692:7784] 000007fef7bf2418
Thread C:\Windows\system32\svchost.exe [7692:3400] 000007feec82f130
Thread C:\Windows\system32\svchost.exe [7692:5544] 000007feec824734
Thread C:\Windows\system32\svchost.exe [7692:1408] 000007fef90f5124
Thread C:\Windows\system32\svchost.exe [7692:5828] 000007feec824734
Thread C:\Windows\system32\svchost.exe [7692:4444] 000007fef7da5fd0
Thread C:\Windows\system32\svchost.exe [7692:5904] 000007fef7da63ec
Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [7324:4372] 000007fef039b6cc
Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [7324:4412] 000007fef025b62c
Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [7324:4076] 000007fef025b62c
Thread C:\Windows\System32\svchost.exe [7252:1260] 000007fee6029688
Thread C:\Windows\system32\AUDIODG.EXE [9232:9828] 0000000074f58b68
Thread C:\Windows\system32\AUDIODG.EXE [9232:6692] 0000000074f43ec0
Thread C:\Windows\system32\AUDIODG.EXE [9232:9512] 000007fef9a62efc
Thread C:\Windows\system32\AUDIODG.EXE [9232:6084] 000007fef9a63238
Thread C:\Windows\system32\DllHost.exe [7828:7084] 000007feec94ae60

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\083e8ea4d538
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\889ffaf444d9
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\083e8ea4d538 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\889ffaf444d9 (not active ControlSet)

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----