GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-08-14 14:57:39 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000038 WDC_WD5000BPVT-22HXZT3 rev.01.01A01 465,76GB Running: y31x40nq.exe; Driver: C:\Users\SA-LON\AppData\Local\Temp\pgloypog.sys ---- User code sections - GMER 2.1 ---- .text C:\Dolby PCEE4\pcee4.exe[4240] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007ff00bd1532 4 bytes [BD, 00, FF, 07] .text C:\Dolby PCEE4\pcee4.exe[4240] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007ff00bd153a 4 bytes [BD, 00, FF, 07] .text C:\Dolby PCEE4\pcee4.exe[4240] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007ff00bd165a 4 bytes [BD, 00, FF, 07] .text C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe[3452] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007ff00bd1532 4 bytes [BD, 00, FF, 07] .text C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe[3452] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007ff00bd153a 4 bytes [BD, 00, FF, 07] .text C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe[3452] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007ff00bd165a 4 bytes [BD, 00, FF, 07] .text C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[4656] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007ff00bd1532 4 bytes [BD, 00, FF, 07] .text C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[4656] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007ff00bd153a 4 bytes [BD, 00, FF, 07] .text C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[4656] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007ff00bd165a 4 bytes [BD, 00, FF, 07] .text C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[4540] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007ff055f177a 4 bytes [5F, 05, FF, 07] .text C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[4540] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007ff055f1782 4 bytes [5F, 05, FF, 07] .text C:\Program Files\Elantech\ETDCtrl.exe[2908] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007ff00bd1532 4 bytes [BD, 00, FF, 07] .text C:\Program Files\Elantech\ETDCtrl.exe[2908] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007ff00bd153a 4 bytes [BD, 00, FF, 07] .text C:\Program Files\Elantech\ETDCtrl.exe[2908] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007ff00bd165a 4 bytes [BD, 00, FF, 07] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3704] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007ff00bd1532 4 bytes [BD, 00, FF, 07] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3704] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007ff00bd153a 4 bytes [BD, 00, FF, 07] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[3704] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007ff00bd165a 4 bytes [BD, 00, FF, 07] .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1792] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007ff055f177a 4 bytes [5F, 05, FF, 07] .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1792] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007ff055f1782 4 bytes [5F, 05, FF, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3936] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007ff00bd1532 4 bytes [BD, 00, FF, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3936] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007ff00bd153a 4 bytes [BD, 00, FF, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3936] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007ff00bd165a 4 bytes [BD, 00, FF, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[532] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007ff00bd1532 4 bytes [BD, 00, FF, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[532] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007ff00bd153a 4 bytes [BD, 00, FF, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[532] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007ff00bd165a 4 bytes [BD, 00, FF, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4168] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007ff00bd1532 4 bytes [BD, 00, FF, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4168] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007ff00bd153a 4 bytes [BD, 00, FF, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4168] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007ff00bd165a 4 bytes [BD, 00, FF, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4104] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007ff00bd1532 4 bytes [BD, 00, FF, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4104] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007ff00bd153a 4 bytes [BD, 00, FF, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4104] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007ff00bd165a 4 bytes [BD, 00, FF, 07] .text C:\Program Files\Windows Defender\MsMpEng.exe[2320] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 306 000007ff055f177a 4 bytes [5F, 05, FF, 07] .text C:\Program Files\Windows Defender\MsMpEng.exe[2320] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 314 000007ff055f1782 4 bytes [5F, 05, FF, 07] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2556] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 742 000007fefbd61b32 4 bytes [D6, FB, FE, 07] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2556] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 750 000007fefbd61b3a 4 bytes [D6, FB, FE, 07] .text C:\Windows\Explorer.EXE[3156] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007ff00bd1532 4 bytes [BD, 00, FF, 07] .text C:\Windows\Explorer.EXE[3156] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007ff00bd153a 4 bytes [BD, 00, FF, 07] .text C:\Windows\Explorer.EXE[3156] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007ff00bd165a 4 bytes [BD, 00, FF, 07] .text C:\Windows\system32\dwm.exe[980] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007ff00bd1532 4 bytes [BD, 00, FF, 07] .text C:\Windows\system32\dwm.exe[980] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007ff00bd153a 4 bytes [BD, 00, FF, 07] .text C:\Windows\system32\dwm.exe[980] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007ff00bd165a 4 bytes [BD, 00, FF, 07] .text C:\Windows\System32\hkcmd.exe[3788] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007ff00bd1532 4 bytes [BD, 00, FF, 07] .text C:\Windows\System32\hkcmd.exe[3788] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007ff00bd153a 4 bytes [BD, 00, FF, 07] .text C:\Windows\System32\hkcmd.exe[3788] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007ff00bd165a 4 bytes [BD, 00, FF, 07] .text C:\Windows\system32\igfxext.exe[3508] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007ff00bd1532 4 bytes [BD, 00, FF, 07] .text C:\Windows\system32\igfxext.exe[3508] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007ff00bd153a 4 bytes [BD, 00, FF, 07] .text C:\Windows\system32\igfxext.exe[3508] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007ff00bd165a 4 bytes [BD, 00, FF, 07] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007ff00bd1532 4 bytes [BD, 00, FF, 07] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007ff00bd153a 4 bytes [BD, 00, FF, 07] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007ff00bd165a 4 bytes [BD, 00, FF, 07] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007ff055f177a 4 bytes [5F, 05, FF, 07] .text C:\Windows\System32\igfxpers.exe[3620] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007ff055f1782 4 bytes [5F, 05, FF, 07] .text C:\Windows\System32\igfxtray.exe[3964] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007ff00bd1532 4 bytes [BD, 00, FF, 07] .text C:\Windows\System32\igfxtray.exe[3964] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007ff00bd153a 4 bytes [BD, 00, FF, 07] .text C:\Windows\System32\igfxtray.exe[3964] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007ff00bd165a 4 bytes [BD, 00, FF, 07] .text C:\Windows\system32\nvvsvc.exe[400] C:\Windows\system32\MSIMG32.dll!GradientFill + 690 000007ff00bd1532 4 bytes [BD, 00, FF, 07] .text C:\Windows\system32\nvvsvc.exe[400] C:\Windows\system32\MSIMG32.dll!GradientFill + 698 000007ff00bd153a 4 bytes [BD, 00, FF, 07] .text C:\Windows\system32\nvvsvc.exe[400] C:\Windows\system32\MSIMG32.dll!TransparentBlt + 246 000007ff00bd165a 4 bytes [BD, 00, FF, 07] .text C:\Windows\system32\nvvsvc.exe[400] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007ff055f177a 4 bytes [5F, 05, FF, 07] .text C:\Windows\system32\nvvsvc.exe[400] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007ff055f1782 4 bytes [5F, 05, FF, 07] .text C:\Windows\System32\svchost.exe[2092] c:\windows\system32\WSOCK32.dll!recvfrom + 742 000007fefbd61b32 4 bytes [D6, FB, FE, 07] .text C:\Windows\System32\svchost.exe[2092] c:\windows\system32\WSOCK32.dll!recvfrom + 750 000007fefbd61b3a 4 bytes [D6, FB, FE, 07] .text C:\Windows\System32\svchost.exe[960] c:\windows\system32\WSOCK32.dll!recvfrom + 742 000007fefbd61b32 4 bytes [D6, FB, FE, 07] .text C:\Windows\System32\svchost.exe[960] c:\windows\system32\WSOCK32.dll!recvfrom + 750 000007fefbd61b3a 4 bytes [D6, FB, FE, 07] .text C:\Windows\system32\taskhostex.exe[2652] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007ff00bd1532 4 bytes [BD, 00, FF, 07] .text C:\Windows\system32\taskhostex.exe[2652] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007ff00bd153a 4 bytes [BD, 00, FF, 07] .text C:\Windows\system32\taskhostex.exe[2652] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007ff00bd165a 4 bytes [BD, 00, FF, 07] .text C:\Windows\system32\wbem\unsecapp.exe[3424] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007ff00bd1532 4 bytes [BD, 00, FF, 07] .text C:\Windows\system32\wbem\unsecapp.exe[3424] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007ff00bd153a 4 bytes [BD, 00, FF, 07] .text C:\Windows\system32\wbem\unsecapp.exe[3424] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007ff00bd165a 4 bytes [BD, 00, FF, 07] .text C:\Windows\system32\wbem\unsecapp.exe[4636] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007ff00bd1532 4 bytes [BD, 00, FF, 07] .text C:\Windows\system32\wbem\unsecapp.exe[4636] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007ff00bd153a 4 bytes [BD, 00, FF, 07] .text C:\Windows\system32\wbem\unsecapp.exe[4636] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007ff00bd165a 4 bytes [BD, 00, FF, 07] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\SetupPlatform.dll[WDSCORE.dll!WdsSetupLogMessageW] [7fee4a73540] C:\$Windows.~BT\Sources\WDSCORE.dll IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\SetupPlatform.dll[WDSCORE.dll!WdsCreateBlackboard] [7fee4a6eb50] C:\$Windows.~BT\Sources\WDSCORE.dll IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\SetupPlatform.dll[WDSCORE.dll!WdsDestroyBlackboard] [7fee4a6ebf0] C:\$Windows.~BT\Sources\WDSCORE.dll IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\SetupPlatform.dll[WDSCORE.dll!WdsGetBlackboardValue] [7fee4a6ef00] C:\$Windows.~BT\Sources\WDSCORE.dll IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\SetupPlatform.dll[WDSCORE.dll!WdsFreeData] [7fee4a62490] C:\$Windows.~BT\Sources\WDSCORE.dll IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\SetupPlatform.dll[WDSCORE.dll!ConstructPartialMsgVW] [7fee4a73e70] C:\$Windows.~BT\Sources\WDSCORE.dll IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\SetupPlatform.dll[WDSCORE.dll!ConstructPartialMsgVA] [7fee4a73cf0] C:\$Windows.~BT\Sources\WDSCORE.dll IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\SetupPlatform.dll[WDSCORE.dll!WdsSetupLogMessageA] [7fee4a738b0] C:\$Windows.~BT\Sources\WDSCORE.dll IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\SetupPlatform.dll[WDSCORE.dll!WdsTerminate] [7fee4a5f6f0] C:\$Windows.~BT\Sources\WDSCORE.dll IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\SetupPlatform.dll[WDSCORE.dll!WdsInitialize] [7fee4a5f540] C:\$Windows.~BT\Sources\WDSCORE.dll IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\SetupPlatform.dll[WDSCORE.dll!CurrentIP] [7fee4a70d20] C:\$Windows.~BT\Sources\WDSCORE.dll IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\SetupPlatform.dll[ReAgent.dll!WinReGetConfig] [7fee49d35c0] C:\$Windows.~BT\Sources\ReAgent.dll IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\ReAgent.dll[WDSCORE.dll!ConstructPartialMsgVW] [7fee4a73e70] C:\$Windows.~BT\Sources\WDSCORE.dll IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\ReAgent.dll[WDSCORE.dll!CurrentIP] [7fee4a70d20] C:\$Windows.~BT\Sources\WDSCORE.dll IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\ReAgent.dll[WDSCORE.dll!WdsSetupLogMessageW] [7fee4a73540] C:\$Windows.~BT\Sources\WDSCORE.dll IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\ReAgent.dll[DismApi.DLL!DismAddDriver] [7fee48917d4] C:\$Windows.~BT\Sources\DismApi.DLL IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\ReAgent.dll[DismApi.DLL!DismUnmountImage] [7fee489099c] C:\$Windows.~BT\Sources\DismApi.DLL IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\ReAgent.dll[DismApi.DLL!DismMountImage] [7fee48908b0] C:\$Windows.~BT\Sources\DismApi.DLL IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\ReAgent.dll[DismApi.DLL!DismDelete] [7fee4890df4] C:\$Windows.~BT\Sources\DismApi.DLL IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\ReAgent.dll[DismApi.DLL!DismGetDrivers] [7fee4891920] C:\$Windows.~BT\Sources\DismApi.DLL IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\ReAgent.dll[DismApi.DLL!DismCloseSession] [7fee4890b14] C:\$Windows.~BT\Sources\DismApi.DLL IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\ReAgent.dll[DismApi.DLL!DismOpenSession] [7fee4890a54] C:\$Windows.~BT\Sources\DismApi.DLL IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\ReAgent.dll[DismApi.DLL!DismShutdown] [7fee48907d8] C:\$Windows.~BT\Sources\DismApi.DLL IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\ReAgent.dll[DismApi.DLL!DismInitialize] [7fee48905bc] C:\$Windows.~BT\Sources\DismApi.DLL IAT C:\$Windows.~BT\Sources\SetupHost.Exe[2544] @ C:\$Windows.~BT\Sources\ReAgent.dll[DismApi.DLL!DismCommitImage] [7fee4890c04] C:\$Windows.~BT\Sources\DismApi.DLL ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\csrss.exe [612:636] fffff9600097c5e8 ---- Processes - GMER 2.1 ---- Library C:\$Windows.~BT\Sources\SetupPlatform.dll (*** suspicious ***) @ C:\$Windows.~BT\Sources\SetupHost.Exe [2544] (Setup Platform Core/Microsoft Corporation)(2014-11-21 21:48:45) 000007fee4bb0000 Library C:\$Windows.~BT\Sources\unbcl.dll (*** suspicious ***) @ C:\$Windows.~BT\Sources\SetupHost.Exe [2544] (Unmanaged BCL/Microsoft Corporation)(2014-11-21 21:48:46 000007fee4aa0000 Library C:\$Windows.~BT\Sources\WDSCORE.dll (*** suspicious ***) @ C:\$Windows.~BT\Sources\SetupHost.Exe [2544] (Panther Engine Module/Microsoft Corporation)(2014-11 000007fee4a50000 Library C:\$Windows.~BT\Sources\ReAgent.dll (*** suspicious ***) @ C:\$Windows.~BT\Sources\SetupHost.Exe [2544] (Microsoft Windows Recovery Agent DLL/Microsoft Corporation)(2014-11-21 21:48:45) 000007fee4960000 Library C:\$Windows.~BT\Sources\WDSUTIL.dll (*** suspicious ***) @ C:\$Windows.~BT\Sources\SetupHost.Exe [2544] (OS Deployment Utilities/Microsoft Corporation)(2014- 000007fee4920000 Library C:\$Windows.~BT\Sources\DismApi.DLL (*** suspicious ***) @ C:\$Windows.~BT\Sources\SetupHost.Exe [2544] (DISM API Framework/Microsoft Corporation)(2014-11-21 000007fee4870000 Library C:\$Windows.~BT\Sources\api-ms-win-downlevel-kernel32-l1-1-0.dll (*** suspicious ***) @ C:\$Windows.~BT\Sources\SetupHost.Exe [2544] (ApiSet Stub DLL/Microsoft Corporation)(2014-11-21 21:48:45) 000007fee4860000 Library C:\$Windows.~BT\Sources\api-ms-win-downlevel-advapi32-l1-1-1.dll (*** suspicious ***) @ C:\$Windows.~BT\Sources\SetupHost.Exe [2544] (ApiSet Stub DLL/Microsoft Corporation)(2014-11-21 21:48:45) 000007fee4850000 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----