GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-10-17 21:21:33
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 rev. 0,00MB
Running: fkjewygr.exe; Driver: C:\Users\DOMOWY\AppData\Local\Temp\axdiikoc.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 712 fffff80003a050b8 12 bytes [80, 8C, 85, 05, A0, F8, FF, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 727 fffff80003a050c7 8 bytes [00, 00, 00, 00, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075111401 2 bytes JMP 7515b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1944] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075111419 2 bytes JMP 7515b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075111431 2 bytes JMP 751d8ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007511144a 2 bytes CALL 751348ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1944] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751114dd 2 bytes JMP 751d87a2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751114f5 2 bytes JMP 751d8978 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1944] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007511150d 2 bytes JMP 751d8698 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075111525 2 bytes JMP 751d8a62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007511153d 2 bytes JMP 7514fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1944] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075111555 2 bytes JMP 751568ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007511156d 2 bytes JMP 751d8f61 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075111585 2 bytes JMP 751d8ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1944] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007511159d 2 bytes JMP 751d865c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751115b5 2 bytes JMP 7514fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751115cd 2 bytes JMP 7515b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751116b2 2 bytes JMP 751d8e24 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751116bd 2 bytes JMP 751d85f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075111401 2 bytes JMP 7515b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2528] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075111419 2 bytes JMP 7515b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075111431 2 bytes JMP 751d8ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007511144a 2 bytes CALL 751348ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2528] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751114dd 2 bytes JMP 751d87a2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2528] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751114f5 2 bytes JMP 751d8978 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2528] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007511150d 2 bytes JMP 751d8698 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2528] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075111525 2 bytes JMP 751d8a62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007511153d 2 bytes JMP 7514fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2528] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075111555 2 bytes JMP 751568ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2528] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007511156d 2 bytes JMP 751d8f61 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2528] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075111585 2 bytes JMP 751d8ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2528] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007511159d 2 bytes JMP 751d865c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751115b5 2 bytes JMP 7514fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751115cd 2 bytes JMP 7515b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2528] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751116b2 2 bytes JMP 751d8e24 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2528] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751116bd 2 bytes JMP 751d85f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075111401 2 bytes JMP 7515b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075111419 2 bytes JMP 7515b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075111431 2 bytes JMP 751d8ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007511144a 2 bytes CALL 751348ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751114dd 2 bytes JMP 751d87a2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751114f5 2 bytes JMP 751d8978 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007511150d 2 bytes JMP 751d8698 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075111525 2 bytes JMP 751d8a62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007511153d 2 bytes JMP 7514fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075111555 2 bytes JMP 751568ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007511156d 2 bytes JMP 751d8f61 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075111585 2 bytes JMP 751d8ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007511159d 2 bytes JMP 751d865c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751115b5 2 bytes JMP 7514fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751115cd 2 bytes JMP 7515b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751116b2 2 bytes JMP 751d8e24 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751116bd 2 bytes JMP 751d85f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 0000000071e411a8 2 bytes [E4, 71]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248 0000000071e4127d 2 bytes CALL 751314b9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 395 0000000071e41310 2 bytes CALL 751314b9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 0000000071e413a8 2 bytes [E4, 71]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000071e41422 2 bytes [E4, 71]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3692] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000071e41498 2 bytes [E4, 71]
.text D:\POCZTA\KomaMail\Koma_Mail.exe[3420] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075111401 2 bytes JMP 7515b21b C:\Windows\syswow64\kernel32.dll
.text D:\POCZTA\KomaMail\Koma_Mail.exe[3420] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075111419 2 bytes JMP 7515b346 C:\Windows\syswow64\kernel32.dll
.text D:\POCZTA\KomaMail\Koma_Mail.exe[3420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075111431 2 bytes JMP 751d8ea9 C:\Windows\syswow64\kernel32.dll
.text D:\POCZTA\KomaMail\Koma_Mail.exe[3420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007511144a 2 bytes CALL 751348ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text D:\POCZTA\KomaMail\Koma_Mail.exe[3420] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751114dd 2 bytes JMP 751d87a2 C:\Windows\syswow64\kernel32.dll
.text D:\POCZTA\KomaMail\Koma_Mail.exe[3420] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751114f5 2 bytes JMP 751d8978 C:\Windows\syswow64\kernel32.dll
.text D:\POCZTA\KomaMail\Koma_Mail.exe[3420] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007511150d 2 bytes JMP 751d8698 C:\Windows\syswow64\kernel32.dll
.text D:\POCZTA\KomaMail\Koma_Mail.exe[3420] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075111525 2 bytes JMP 751d8a62 C:\Windows\syswow64\kernel32.dll
.text D:\POCZTA\KomaMail\Koma_Mail.exe[3420] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007511153d 2 bytes JMP 7514fca8 C:\Windows\syswow64\kernel32.dll
.text D:\POCZTA\KomaMail\Koma_Mail.exe[3420] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075111555 2 bytes JMP 751568ef C:\Windows\syswow64\kernel32.dll
.text D:\POCZTA\KomaMail\Koma_Mail.exe[3420] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007511156d 2 bytes JMP 751d8f61 C:\Windows\syswow64\kernel32.dll
.text D:\POCZTA\KomaMail\Koma_Mail.exe[3420] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075111585 2 bytes JMP 751d8ac2 C:\Windows\syswow64\kernel32.dll
.text D:\POCZTA\KomaMail\Koma_Mail.exe[3420] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007511159d 2 bytes JMP 751d865c C:\Windows\syswow64\kernel32.dll
.text D:\POCZTA\KomaMail\Koma_Mail.exe[3420] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751115b5 2 bytes JMP 7514fd41 C:\Windows\syswow64\kernel32.dll
.text D:\POCZTA\KomaMail\Koma_Mail.exe[3420] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751115cd 2 bytes JMP 7515b2dc C:\Windows\syswow64\kernel32.dll
.text D:\POCZTA\KomaMail\Koma_Mail.exe[3420] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751116b2 2 bytes JMP 751d8e24 C:\Windows\syswow64\kernel32.dll
.text D:\POCZTA\KomaMail\Koma_Mail.exe[3420] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751116bd 2 bytes JMP 751d85f1 C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5000:1616] 000007fefb0a2bf8

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{BECFBCBC-4F46-43D6-ADF2-00D7708BFEAD}\Connection@Name isatap.{CDEB7645-9454-4F62-8FD1-CCA2639CA311}
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{3686DC88-BB9B-4F45-9435-E09CF98B3690}?\Device\{BECFBCBC-4F46-43D6-ADF2-00D7708BFEAD}?\Device\{6592AC87-AFCB-4671-997F-6A855EE45F9B}?\Device\{57A46920-0B01-4387-B1A1-26F81A6E4771}?\Device\{FFA5BD9F-263B-4A87-A2D7-B8925F2B8B22}?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{3686DC88-BB9B-4F45-9435-E09CF98B3690}"?"{BECFBCBC-4F46-43D6-ADF2-00D7708BFEAD}"?"{6592AC87-AFCB-4671-997F-6A855EE45F9B}"?"{57A46920-0B01-4387-B1A1-26F81A6E4771}"?"{FFA5BD9F-263B-4A87-A2D7-B8925F2B8B22}"?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{3686DC88-BB9B-4F45-9435-E09CF98B3690}?\Device\TCPIP6TUNNEL_{BECFBCBC-4F46-43D6-ADF2-00D7708BFEAD}?\Device\TCPIP6TUNNEL_{6592AC87-AFCB-4671-997F-6A855EE45F9B}?\Device\TCPIP6TUNNEL_{57A46920-0B01-4387-B1A1-26F81A6E4771}?\Device\TCPIP6TUNNEL_{FFA5BD9F-263B-4A87-A2D7-B8925F2B8B22}?
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a0f7fe
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a0f7fe@6c5f1c06c2a6 0xF7 0xA4 0x5E 0xB8 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a0f7fe@d487d807ed7a 0x58 0xE4 0x82 0xD0 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{BECFBCBC-4F46-43D6-ADF2-00D7708BFEAD}@InterfaceName isatap.{CDEB7645-9454-4F62-8FD1-CCA2639CA311}
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{BECFBCBC-4F46-43D6-ADF2-00D7708BFEAD}@ReusableType 0
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a0f7fe (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a0f7fe@6c5f1c06c2a6 0xF7 0xA4 0x5E 0xB8 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a0f7fe@d487d807ed7a 0x58 0xE4 0x82 0xD0 ...

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 sector 0: rootkit-like behavior

---- Files - GMER 2.1 ----

File C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_80070490_50f596fbf0f04b87cb76afeadee3ce704bd24dd8_0180e05a 0 bytes
File C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_80070490_50f596fbf0f04b87cb76afeadee3ce704bd24dd8_0180e05a\Report.wer 1782 bytes

---- EOF - GMER 2.1 ----