GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-07-15 00:06:21
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PB4O 465,76GB
Running: gmer.exe; Driver: C:\Users\Mateusz\AppData\Local\Temp\pwriifow.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800037fd000 16 bytes [8B, E3, 41, 5F, 41, 5E, 41, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 545 fffff800037fd011 35 bytes {LEA ECX, [RSP+0x70]; CALL 0x3d64f}

---- User code sections - GMER 2.1 ----

.text C:\Users\Mateusz\AppData\Local\Akamai\netsession_win.exe[2672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77]
.text C:\Users\Mateusz\AppData\Local\Akamai\netsession_win.exe[2672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77]
.text ... * 2
.text C:\Users\Mateusz\AppData\Local\Akamai\netsession_win.exe[2692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77]
.text C:\Users\Mateusz\AppData\Local\Akamai\netsession_win.exe[2692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77]
.text ... * 2
.text C:\Users\Mateusz\AppData\Local\Genesis_07131148\Genesis_07131148.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77]
.text C:\Users\Mateusz\AppData\Local\Genesis_07131148\Genesis_07131148.exe[2740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77]
.text ... * 2
.text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77]
.text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77]
.text ... * 2
.text C:\Windows\SysWOW64\RunDll32.exe[5160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77]
.text C:\Windows\SysWOW64\RunDll32.exe[5160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77]
.text ... * 2
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776c1465 2 bytes [6C, 77]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776c14bb 2 bytes [6C, 77]
.text ... * 2

---- Threads - GMER 2.1 ----

Thread [2964:356] 00000000741d784b
Thread [2964:2524] 0000000074c127e1
Thread [2964:2460] 0000000077742e65
Thread [2964:2728] 0000000077743e85
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5848:5936] 000007fefb8a2bf8
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5848:1736] 000007feecfd4830
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5848:5128] 000007fef9435124

---- Processes - GMER 2.1 ----

Process C:\Users\Mateusz\AppData\Local\Genesis_07131148\Genesis_07131148.exe (*** suspicious ***) @ C:\Users\Mateusz\AppData\Local\Genesis_07131148\Genesis_07131148.exe [2740] (tell/croquemitaine)(2014-07-13 11:48:16) 0000000000400000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb115d31b
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb1d33403
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb1d68de6
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb1d68de6@002668454722 0x15 0xD0 0x67 0xD5 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb1d68de6@bc773732a1a3 0xC0 0xBC 0x88 0x71 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb1d68de6@0024ef7e96f3 0x33 0x7B 0xF7 0x42 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb1d68de6@58c38b7c6008 0xD1 0x2C 0xE6 0x68 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb1d68de6@9c3aafc98665 0x79 0x2F 0xAB 0x98 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bb115d31b (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bb1d33403 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bb1d68de6 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bb1d68de6@002668454722 0x15 0xD0 0x67 0xD5 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bb1d68de6@bc773732a1a3 0xC0 0xBC 0x88 0x71 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bb1d68de6@0024ef7e96f3 0x33 0x7B 0xF7 0x42 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bb1d68de6@58c38b7c6008 0xD1 0x2C 0xE6 0x68 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bb1d68de6@9c3aafc98665 0x79 0x2F 0xAB 0x98 ...

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----