GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-11-29 14:16:12 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB Running: 7861xl2i.exe; Driver: C:\Users\Lenovo\AppData\Local\Temp\kfrdapow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800035b8000 45 bytes [00, 00, 0D, 02, 4D, 64, 6C, ...] INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 574 fffff800035b802e 17 bytes [10, 00, 00, 40, 2C, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1600] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 195 0000000073981b41 2 bytes [98, 73] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1600] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 362 0000000073981be8 2 bytes [98, 73] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1600] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 418 0000000073981c20 2 bytes [98, 73] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1600] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 596 0000000073981cd2 2 bytes [98, 73] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1600] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 628 0000000073981cf2 2 bytes [98, 73] .text C:\windows\system32\taskhost.exe[1912] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077b36f80 5 bytes JMP 0000000169ff0038 .text C:\windows\system32\taskhost.exe[1912] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdad8ef0 5 bytes JMP 000007fffdac00b8 .text C:\windows\system32\taskhost.exe[1912] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefdadbfd0 5 bytes JMP 000007fffdac0038 .text C:\windows\system32\taskhost.exe[1912] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe347490 5 bytes JMP 000007fffdac0138 .text C:\windows\system32\taskhost.exe[1912] C:\windows\system32\WINMM.dll!waveOutReset 000007fefa20a38c 5 bytes JMP 000007fefdac02b8 .text C:\windows\system32\taskhost.exe[1912] C:\windows\system32\WINMM.dll!waveOutPause 000007fefa224b60 5 bytes JMP 000007fefdac0238 .text C:\windows\system32\taskhost.exe[1912] C:\windows\system32\WINMM.dll!waveOutRestart 000007fefa224ba0 5 bytes JMP 000007fefdac01b8 .text C:\windows\system32\Dwm.exe[1956] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077b36f80 5 bytes JMP 0000000169ff0038 .text C:\windows\system32\Dwm.exe[1956] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdad8ef0 5 bytes JMP 000007fffdab00b8 .text C:\windows\system32\Dwm.exe[1956] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefdadbfd0 5 bytes JMP 000007fffdab0038 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2316] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077b36f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2316] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdad8ef0 5 bytes JMP 000007fffdac00b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2316] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefdadbfd0 5 bytes JMP 000007fffdac0038 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2316] C:\windows\system32\WINMM.dll!waveOutReset 000007fefa20a38c 5 bytes JMP 000007fefdac02b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2316] C:\windows\system32\WINMM.dll!waveOutPause 000007fefa224b60 5 bytes JMP 000007fefdac0238 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2316] C:\windows\system32\WINMM.dll!waveOutRestart 000007fefa224ba0 5 bytes JMP 000007fefdac01b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2316] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe347490 5 bytes JMP 000007fffdac0138 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2376] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077b36f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2376] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdad8ef0 5 bytes JMP 000007fffdac00b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2376] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefdadbfd0 5 bytes JMP 000007fffdac0038 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2376] C:\windows\system32\WINMM.dll!waveOutReset 000007fefa20a38c 5 bytes JMP 000007fefdac02b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2376] C:\windows\system32\WINMM.dll!waveOutPause 000007fefa224b60 5 bytes JMP 000007fefdac0238 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2376] C:\windows\system32\WINMM.dll!waveOutRestart 000007fefa224ba0 5 bytes JMP 000007fefdac01b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2376] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe347490 5 bytes JMP 000007fffdac0138 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[2400] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077b36f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[2400] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdad8ef0 5 bytes JMP 000007fffdac00b8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[2400] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefdadbfd0 5 bytes JMP 000007fffdac0038 .text C:\Program Files\Microsoft Security Client\msseces.exe[2420] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077b36f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files\Microsoft Security Client\msseces.exe[2420] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdad8ef0 5 bytes JMP 000007fffdab00b8 .text C:\Program Files\Microsoft Security Client\msseces.exe[2420] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefdadbfd0 5 bytes JMP 000007fffdab0038 .text C:\Program Files\Microsoft Security Client\msseces.exe[2420] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe347490 5 bytes JMP 000007fffdab0138 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3452] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077b36f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3452] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdad8ef0 5 bytes JMP 000007fffdac00b8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3452] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefdadbfd0 5 bytes JMP 000007fffdac0038 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3452] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe347490 5 bytes JMP 000007fffdac0138 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3452] C:\windows\system32\WINMM.dll!waveOutReset 000007fefa20a38c 5 bytes JMP 000007fefdac02b8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3452] C:\windows\system32\WINMM.dll!waveOutPause 000007fefa224b60 5 bytes JMP 000007fefdac0238 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3452] C:\windows\system32\WINMM.dll!waveOutRestart 000007fefa224ba0 5 bytes JMP 000007fefdac01b8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3608] C:\windows\syswow64\KERNEL32.dll!LoadLibraryExA 0000000076ba48b3 5 bytes JMP 00000001100027c0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3608] C:\windows\syswow64\KERNEL32.dll!LoadLibraryW 0000000076ba48cb 5 bytes JMP 00000001100028a0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3608] C:\windows\syswow64\KERNEL32.dll!LoadLibraryExW 0000000076ba48fd 5 bytes JMP 0000000110002830 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3608] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000077889d0b 5 bytes JMP 0000000110002900 .text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[3624] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 0000000076ba48b3 5 bytes JMP 00000001100027c0 .text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[3624] C:\windows\syswow64\kernel32.dll!LoadLibraryW 0000000076ba48cb 5 bytes JMP 00000001100028a0 .text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[3624] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 0000000076ba48fd 5 bytes JMP 0000000110002830 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3632] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 0000000076ba48b3 5 bytes JMP 00000001003027c0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3632] C:\windows\syswow64\kernel32.dll!LoadLibraryW 0000000076ba48cb 5 bytes JMP 00000001003028a0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3632] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 0000000076ba48fd 5 bytes JMP 0000000100302830 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[3712] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077b36f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[3712] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdad8ef0 5 bytes JMP 000007fffdab00b8 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[3712] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefdadbfd0 5 bytes JMP 000007fffdab0038 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[3712] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefe347490 5 bytes JMP 000007fffdab0138 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[3712] C:\windows\system32\WINMM.dll!waveOutReset 000007fefa20a38c 5 bytes JMP 000007fefdab02b8 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[3712] C:\windows\system32\WINMM.dll!waveOutPause 000007fefa224b60 5 bytes JMP 000007fefdab0238 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[3712] C:\windows\system32\WINMM.dll!waveOutRestart 000007fefa224ba0 5 bytes JMP 000007fefdab01b8 .text C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[3748] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 0000000076ba48b3 5 bytes JMP 00000001100027c0 .text C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[3748] C:\windows\syswow64\kernel32.dll!LoadLibraryW 0000000076ba48cb 5 bytes JMP 00000001100028a0 .text C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[3748] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 0000000076ba48fd 5 bytes JMP 0000000110002830 .text C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe[3748] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000077889d0b 5 bytes JMP 0000000110002900 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3920] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 0000000076ba48b3 5 bytes JMP 00000001100027c0 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3920] C:\windows\syswow64\kernel32.dll!LoadLibraryW 0000000076ba48cb 5 bytes JMP 00000001100028a0 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[3920] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 0000000076ba48fd 5 bytes JMP 0000000110002830 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46af38692 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46af38692@001f5dad70a7 0x6D 0x24 0x8F 0x0F ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46af38692@3c8bfec4d7db 0xFE 0x7D 0x9B 0xAF ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46af38692@e8e5d6766e8a 0xC3 0x23 0x4A 0xD8 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46af38692@34c3ac9e114e 0x2D 0x4B 0x92 0x8C ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46af38692@9471ac51da23 0x3B 0xC4 0xF3 0xDA ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46af38692@bccfccf27970 0xD2 0x98 0xB0 0xC6 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46af38692@64b310831a8f 0x2D 0x38 0xD8 0xE7 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46af38692 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46af38692@001f5dad70a7 0x6D 0x24 0x8F 0x0F ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46af38692@3c8bfec4d7db 0xFE 0x7D 0x9B 0xAF ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46af38692@e8e5d6766e8a 0xC3 0x23 0x4A 0xD8 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46af38692@34c3ac9e114e 0x2D 0x4B 0x92 0x8C ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46af38692@9471ac51da23 0x3B 0xC4 0xF3 0xDA ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46af38692@bccfccf27970 0xD2 0x98 0xB0 0xC6 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46af38692@64b310831a8f 0x2D 0x38 0xD8 0xE7 ... ---- EOF - GMER 2.1 ----