GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-03-14 21:03:59
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 596,17GB
Running: 5qsqk0fz.exe; Driver: C:\Users\Kuba\AppData\Local\Temp\aftcaaog.sys


---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528   fffff80003daa000 45 bytes [0D, 00, 00, 00, 01, 01, E8, ...]
INITKDBG  C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575   fffff80003daa02f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\FindRight\updateFindRight.exe[1444] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   00000000757d1465 2 bytes [7D, 75]
.text  C:\Program Files (x86)\FindRight\updateFindRight.exe[1444] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000757d14bb 2 bytes [7D, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\FindRight\bin\utilFindRight.exe[1776] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   00000000757d1465 2 bytes [7D, 75]
.text  C:\Program Files (x86)\FindRight\bin\utilFindRight.exe[1776] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000757d14bb 2 bytes [7D, 75]
.text  ...  * 2
?      C:\windows\system32\mssprxy.dll [4080] entry point in ".rdata" section 00000000693b71e6
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4608] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   00000000757d1465 2 bytes [7D, 75]
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4608] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000757d14bb 2 bytes [7D, 75]
.text  ...  * 2
.text  C:\windows\SysWOW64\RunDll32.exe[9632] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   00000000757d1465 2 bytes [7D, 75]
.text  C:\windows\SysWOW64\RunDll32.exe[9632] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000757d14bb 2 bytes [7D, 75]
.text  ...  * 2
.text  c:\PROGRA~2\mcafee\SITEAD~1\saui.exe[10244] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   00000000757d1465 2 bytes [7D, 75]
.text  c:\PROGRA~2\mcafee\SITEAD~1\saui.exe[10244] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000757d14bb 2 bytes [7D, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[5328] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   00000000757d1465 2 bytes [7D, 75]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[5328] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000757d14bb 2 bytes [7D, 75]
.text  ...  * 2

---- User IAT/EAT - GMER 2.1 ----

IAT    C:\windows\system32\mfevtps.exe[1888] @ C:\windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA]  [13fc6bba0] C:\windows\system32\mfevtps.exe

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90a4de551715
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90a4de551715@6c23b943ba17  0x6E 0x4D 0x80 0x06 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90a4de551715@fca13eb6c1f6  0x04 0x89 0xA0 0xB8 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90a4de551715@001b59489784  0xBF 0xB3 0xBB 0xC7 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e839df1ff48d
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90a4de551715 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90a4de551715@6c23b943ba17  0x6E 0x4D 0x80 0x06 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90a4de551715@fca13eb6c1f6  0x04 0x89 0xA0 0xB8 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90a4de551715@001b59489784  0xBF 0xB3 0xBB 0xC7 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e839df1ff48d (not active ControlSet)

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.1 ----
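The log above is raw GMER output, and on a real machine such a log runs to hundreds of entries. The script below is an added example, not part of the original log and not GMER's own code: it parses the log into its sections and performs a first triage. Identical patch bytes at an identical address across many processes (here the [7D, 75] at PSAPI.DLL!GetModuleInformation + 69 and + 155, seen in every 32-bit process listed) are grouped as one system-wide hook rather than one finding per process; entries under BTHPORT\Parameters\Keys are annotated as the Bluetooth link-key store, whose SYSTEM-only ACL is the reason GMER lists it whenever devices have been paired; and "unknown MBR code" is flagged for a boot-sector dump, because GMER says only that the boot code is not one it recognises, which is not a verdict by itself. The sample input is a subset of the log's own lines; the regular expressions, the three-process threshold and the handling of the "...  * N" repeat marker are this example's own assumptions about GMER's layout.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: a subset of the GMER 2.1 log above, copied verbatim, so the script runs offline.
SAMPLE_LOG = r"""GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-03-14 21:03:59
---- Kernel code sections - GMER 2.1 ----
INITKDBG  C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528   fffff80003daa000 45 bytes [0D, 00, 00, 00, 01, 01, E8, ...]
INITKDBG  C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575   fffff80003daa02f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...]
---- User code sections - GMER 2.1 ----
.text  C:\Program Files (x86)\FindRight\updateFindRight.exe[1444] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   00000000757d1465 2 bytes [7D, 75]
.text  C:\Program Files (x86)\FindRight\updateFindRight.exe[1444] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000757d14bb 2 bytes [7D, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\FindRight\bin\utilFindRight.exe[1776] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   00000000757d1465 2 bytes [7D, 75]
.text  C:\Program Files (x86)\FindRight\bin\utilFindRight.exe[1776] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000757d14bb 2 bytes [7D, 75]
?      C:\windows\system32\mssprxy.dll [4080] entry point in ".rdata" section 00000000693b71e6
.text  C:\windows\SysWOW64\RunDll32.exe[9632] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   00000000757d1465 2 bytes [7D, 75]
.text  C:\windows\SysWOW64\RunDll32.exe[9632] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000757d14bb 2 bytes [7D, 75]
---- Registry - GMER 2.1 ----
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90a4de551715
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90a4de551715@6c23b943ba17  0x6E 0x4D 0x80 0x06 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90a4de551715 (not active ControlSet)
---- Disk sectors - GMER 2.1 ----
Disk  \Device\Harddisk0\DR0  unknown MBR code
---- EOF - GMER 2.1 ----
"""

# Line shapes assumed from the log above (this example's reading of GMER's layout, not a GMER spec).
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# One patched code location; the "process[pid]" part is absent in the kernel section.
HOOK_RE = re.compile(
    r"^(?P<section>\S+)\s+(?:(?P<process>.+?)\[(?P<pid>\d+)\]\s+)?(?P<target>.+?)\s+"
    r"(?P<address>[0-9a-fA-F]{16})\s+(?P<size>\d+) bytes\s+\[(?P<bytes>[^\]]*)\]$"
)
REPEAT_RE = re.compile(r"^(?P<section>\S+)\s+\.\.\.\s+\*\s*(?P<count>\d+)$")
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+)(?:\s+(?P<rest>.*))?$")
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+(?P<detail>.+)$")


def parse_gmer(text):
    """Split a GMER log into hook, registry and disk records; unparsed lines land in 'other'."""
    log = {"hooks": [], "registry": [], "disk": [], "other": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section = m.group("name")
        elif (m := HOOK_RE.match(line)):
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"]) if rec["pid"] else None
            rec["size"] = int(rec["size"])
            rec["repeats"] = 0  # filled in from a following "...  * N" line
            rec["gmer_section"] = section
            log["hooks"].append(rec)
        elif (m := REPEAT_RE.match(line)) and log["hooks"]:
            # GMER collapses identical consecutive lines into "...  * N"; N is kept as reported.
            log["hooks"][-1]["repeats"] = int(m.group("count"))
        elif (m := REG_RE.match(line)):
            rest = m.group("rest") or ""
            log["registry"].append({
                "key": m.group("key"),
                "data": rest.replace("(not active ControlSet)", "").strip(),
                "inactive": "not active ControlSet" in rest,
            })
        elif (m := DISK_RE.match(line)):
            log["disk"].append({"device": m.group("device"), "detail": m.group("detail")})
        else:
            log["other"].append(line)
    return log


def triage(log, min_processes=3):
    """First-pass classification; the threshold and the notes are this example's own heuristics."""
    findings = []
    patches = defaultdict(set)
    for h in log["hooks"]:
        owner = ntpath.basename(h["process"]) if h["process"] else "<kernel>"
        patches[(h["target"], h["address"], h["bytes"])].add(owner)
    for (target, address, patch), owners in sorted(patches.items()):
        # Same bytes at the same address in many processes point to one hooking agent, not N infections.
        scope = "system-wide" if len(owners) >= min_processes else "isolated"
        findings.append({"kind": "hook", "scope": scope, "target": target, "address": address,
                         "bytes": patch, "processes": sorted(owners)})
    for r in log["registry"]:
        if r["inactive"]:
            note = "inactive ControlSet copy"
        elif "\\BTHPORT\\Parameters\\Keys\\" in r["key"]:
            # Link keys of paired Bluetooth devices; the key is SYSTEM-only, hence hidden from the user.
            note = "Bluetooth link-key store"
        else:
            note = "review"
        findings.append({"kind": "registry", "scope": note, "key": r["key"]})
    for d in log["disk"]:
        if "unknown MBR code" in d["detail"]:
            # GMER only says the boot code is not one it recognises: dump sector 0 and compare it.
            findings.append({"kind": "mbr", "scope": "dump and compare boot sector", "device": d["device"]})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_gmer(SAMPLE_LOG)):
        print(finding)
```

Run against the full log, the two PSAPI.DLL patches collapse into two system-wide findings that list all six 32-bit processes, which is the shape to expect from one user-mode hooking component loaded into every WOW64 process; the per-process lines only tell you where it was observed, not where it came from. The "?" entry for mssprxy.dll and the IAT line do not fit the patch-line shape and are kept verbatim under "other" for manual review rather than silently dropped.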