GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-06-22 09:14:26
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP3T1L0-6 WDC_WD10EADS-22M2B0 rev.01.00A01 931,51GB
Running: kzf9ogq2.exe; Driver: C:\Users\ppkk\AppData\Local\Temp\fflcyaod.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2528]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075471465 2 bytes [47, 75]
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2528]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000754714bb 2 bytes [47, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\SpeedFan\speedfan.exe[2540]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075471465 2 bytes [47, 75]
.text  C:\Program Files (x86)\SpeedFan\speedfan.exe[2540]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000754714bb 2 bytes [47, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[2760]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075471465 2 bytes [47, 75]
.text  C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[2760]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000754714bb 2 bytes [47, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2768]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69   0000000075471465 2 bytes [47, 75]
.text  C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2768]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  00000000754714bb 2 bytes [47, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2784]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69   0000000075471465 2 bytes [47, 75]
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[2784]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  00000000754714bb 2 bytes [47, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe[1080]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075471465 2 bytes [47, 75]
.text  C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe[1080]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000754714bb 2 bytes [47, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2028]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000075471465 2 bytes [47, 75]
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[2028]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000754714bb 2 bytes [47, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3580]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69   0000000075471465 2 bytes [47, 75]
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3580]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  00000000754714bb 2 bytes [47, 75]
.text  ...  * 2

---- Processes - GMER 2.1 ----

Library  C:\Users\ppkk\AppData\Local\Temp\sfareca00001.dll (*** suspicious ***) @ C:\Program Files (x86)\SpeedFan\speedfan.exe [2540](2014-06-04  0000000071250000
Library  C:\Users\ppkk\AppData\Local\Temp\sfamcc00001.dll (*** suspicious ***) @ C:\Program Files (x86)\SpeedFan\speedfan.exe [2540](2014-02-11 08  0000000010000000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\BTHPORT
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\HidBth
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@BackupContext  0x02 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@COD Type  1
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@Scans Before Out of Range  8
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@SCO Max Channels  2
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@Store Link Key COD Masks  0x00 0x00 0x1F 0x43 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@SymbolicLinkName  \??\USB#VID_0C10&PID_0000#2600B0720200#{0850302a-b344-4fda-9be9-90576b8d46f0}
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@SymbolicName  \??\USB#VID_0C10&PID_0000#2600B0720200#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings\0001@Write Scan Enable  3
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\BTHPORT (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\HidBth (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@BackupContext  0x02 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@COD Type  1
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@Scans Before Out of Range  8
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@SCO Max Channels  2
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@Store Link Key COD Masks  0x00 0x00 0x1F 0x43 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@SymbolicLinkName  \??\USB#VID_0C10&PID_0000#2600B0720200#{0850302a-b344-4fda-9be9-90576b8d46f0}
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@SymbolicName  \??\USB#VID_0C10&PID_0000#2600B0720200#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings\0001@Write Scan Enable  3
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7F23A3CB-16DC-1C77-4880-289282562262}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7F23A3CB-16DC-1C77-4880-289282562262}@jadjnnpjplamdifmkbio  0x62 0x61 0x6F 0x6B ...

---- EOF - GMER 2.1 ----