GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-04 14:13:08
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000DM003-1CH162 rev.CC46 931,51GB
Running: f0o8ssyv.exe; Driver: C:\Users\Aniut\AppData\Local\Temp\pwddakod.sys

---- User code sections - GMER 2.1 ----

.text   C:\Windows\SysWOW64\vmnat.exe[3068] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 26   00000000716113c6 2 bytes [61, 71]
.text   C:\Windows\SysWOW64\vmnat.exe[3068] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 74   00000000716113f6 2 bytes [61, 71]
.text   C:\Windows\SysWOW64\vmnat.exe[3068] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 257  00000000716114ad 2 bytes [61, 71]
.text   C:\Windows\SysWOW64\vmnat.exe[3068] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 303  00000000716114db 2 bytes [61, 71]
.text   ...   * 2
.text   C:\Windows\SysWOW64\vmnat.exe[3068] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 79   0000000071611577 2 bytes [61, 71]
.text   C:\Windows\SysWOW64\vmnat.exe[3068] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 175  00000000716115d7 2 bytes [61, 71]
.text   C:\Windows\SysWOW64\vmnat.exe[3068] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 620  0000000071611794 2 bytes [61, 71]
.text   C:\Windows\SysWOW64\vmnat.exe[3068] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 921  00000000716118c1 2 bytes [61, 71]
.text   C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[2460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000074b51465 2 bytes [B5, 74]
.text   C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[2460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000074b514bb 2 bytes [B5, 74]
.text   ...   * 2
.text   C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[3664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000074b51465 2 bytes [B5, 74]
.text   C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[3664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000074b514bb 2 bytes [B5, 74]
.text   ...   * 2
?       C:\Windows\system32\mssprxy.dll [5804] entry point in ".rdata" section 0000000073ca71e6
.text   C:\Program Files (x86)\AVG\AVG2013\avgui.exe[5896] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000074b51465 2 bytes [B5, 74]
.text   C:\Program Files (x86)\AVG\AVG2013\avgui.exe[5896] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000074b514bb 2 bytes [B5, 74]
.text   ...   * 2

---- Threads - GMER 2.1 ----

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [5016:4084]   000007fefa792bf8

---- Registry - GMER 2.1 ----

Reg     HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bdc003491
Reg     HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bdc003491@00023c24ee4f   0x34 0x60 0x71 0x63 ...
Reg     HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bdc003491 (not active ControlSet)
Reg     HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bdc003491@00023c24ee4f   0x34 0x60 0x71 0x63 ...

---- EOF - GMER 2.1 ----