GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-11-12 22:17:06 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Intel___ rev.1.0. 119,25GB Running: stwuh2x1.exe; Driver: C:\Users\SONY\AppData\Local\Temp\kxliipob.sys ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\svchost.exe [1184:1228] 000007fefac5332c Thread C:\Windows\system32\svchost.exe [1184:1232] 000007fefac510b0 Thread C:\Windows\System32\svchost.exe [1352:5192] 000007feebc36b8c Thread C:\Windows\System32\svchost.exe [1352:1192] 000007feebc31d88 Thread C:\Windows\System32\svchost.exe [1384:1452] 000007fefa66f304 Thread C:\Windows\System32\svchost.exe [1384:1496] 000007fefa5e6204 Thread C:\Windows\System32\svchost.exe [1384:1564] 000007fefa27d8f8 Thread C:\Windows\System32\svchost.exe [1384:1576] 000007fefa275620 Thread C:\Windows\System32\svchost.exe [1384:1580] 000007fefa276e74 Thread C:\Windows\System32\svchost.exe [1384:1616] 000007fefa17ffc0 Thread C:\Windows\System32\svchost.exe [1384:1632] 000007fef9eb331c Thread C:\Windows\System32\svchost.exe [1384:1644] 000007fef9e9a2b0 Thread C:\Windows\System32\svchost.exe [1384:1856] 000007fef96359a0 Thread C:\Windows\System32\svchost.exe [1384:4572] 000007fefb961a70 Thread C:\Windows\System32\svchost.exe [1384:4884] 000007fef61689a8 Thread C:\Windows\System32\svchost.exe [1384:6888] 000007fefc6fc608 Thread C:\Windows\System32\svchost.exe [1384:6892] 000007fefc6fc608 Thread C:\Windows\System32\svchost.exe [1384:6916] 000007fefc6fc608 Thread C:\Windows\System32\svchost.exe [1384:6920] 000007fefc6fc608 Thread C:\Windows\System32\svchost.exe [1384:6924] 000007fefc6fc608 Thread C:\Windows\system32\svchost.exe [1412:5468] 000007fef3d20ea8 Thread C:\Windows\system32\svchost.exe [1412:5440] 000007fef3d19db0 Thread C:\Windows\system32\svchost.exe [1412:6232] 000007fef3d1aa10 Thread C:\Windows\system32\svchost.exe [1412:6240] 000007fef3d21c94 Thread C:\Windows\system32\svchost.exe [1412:6700] 000007fee7ab5c24 Thread C:\Windows\system32\svchost.exe [1412:6812] 000007fee7abeff0 Thread C:\Windows\system32\svchost.exe [1412:6832] 000007fee9cf4f84 Thread C:\Windows\system32\svchost.exe [1412:7164] 000007fee65a6ed4 Thread C:\Windows\system32\svchost.exe [1412:2844] 000007fee65a6b8c Thread C:\Windows\system32\svchost.exe [1412:2508] 000007fee9d0d3c8 Thread C:\Windows\system32\svchost.exe [1412:8028] 000007fee9d0d3c8 Thread C:\Windows\system32\svchost.exe [1412:7976] 000007fee9d0d3c8 Thread C:\Windows\system32\svchost.exe [1412:7480] 000007fee9d0d3c8 Thread C:\Windows\system32\svchost.exe [1444:2020] 000007fef9221dd0 Thread C:\Windows\system32\svchost.exe [1444:2032] 000007fef8bf1a50 Thread C:\Windows\system32\svchost.exe [1444:2036] 000007fefaade7e0 Thread C:\Windows\system32\svchost.exe [1444:2880] 000007fefb961a70 Thread C:\Windows\system32\svchost.exe [1444:4244] 000007fefb961a70 Thread C:\Windows\system32\svchost.exe [1444:4648] 000007fef2a584d8 Thread C:\Windows\system32\svchost.exe [1444:4788] 000007fef2a123a8 Thread C:\Windows\system32\svchost.exe [1444:4840] 000007fef2a90d00 Thread C:\Windows\system32\svchost.exe [1444:4844] 000007fef27f9498 Thread C:\Windows\system32\svchost.exe [1444:5196] 000007fef36217f8 Thread C:\Windows\system32\svchost.exe [1444:3052] 000007fef36217f8 Thread C:\Windows\system32\svchost.exe [1444:5856] 000007fef3b5ab8c Thread C:\Windows\system32\svchost.exe [1444:6128] 000007fee6c5506c Thread C:\Windows\system32\svchost.exe [1444:6308] 000007fee6cf1c20 Thread C:\Windows\system32\svchost.exe [1444:5736] 000007fee6cf1c20 Thread C:\Windows\system32\svchost.exe [1444:7188] 000007fef36217f8 Thread C:\Windows\system32\svchost.exe [1444:1540] 000007fef36217f8 Thread C:\Windows\system32\svchost.exe [1444:1280] 000007fef36217f8 Thread C:\Windows\system32\svchost.exe [1444:4168] 000007fef3124164 Thread C:\Windows\system32\svchost.exe [1444:8320] 000007fef36217f8 Thread C:\Windows\system32\svchost.exe [1444:8184] 000007fef36217f8 Thread C:\Windows\system32\svchost.exe [1444:8356] 000007fefa351ab0 Thread C:\Windows\system32\svchost.exe [1724:1772] 000007fef9b7341c Thread C:\Windows\system32\svchost.exe [1724:1780] 000007fef9b73a2c Thread C:\Windows\system32\svchost.exe [1724:1784] 000007fef9b73768 Thread C:\Windows\system32\svchost.exe [1724:1788] 000007fef9b75c20 Thread C:\Windows\system32\svchost.exe [1724:1800] 000007fef9b0bd70 Thread C:\Windows\system32\svchost.exe [1724:3840] 000007fef46083d8 Thread C:\Windows\system32\svchost.exe [1724:3844] 000007fef46083d8 Thread C:\Windows\system32\svchost.exe [1724:3848] 000007fef46083d8 Thread C:\Windows\system32\svchost.exe [1724:3852] 000007fef46083d8 Thread C:\Windows\system32\svchost.exe [1724:4724] 000007fef2973f1c Thread C:\Windows\system32\svchost.exe [1724:4756] 000007fef2931a38 Thread C:\Windows\system32\svchost.exe [1724:4768] 000007fef2895388 Thread C:\Windows\system32\svchost.exe [1724:4776] 000007fef2877738 Thread C:\Windows\system32\svchost.exe [1724:4784] 000007fef2821f90 Thread C:\Windows\system32\svchost.exe [1724:6296] 000007fef29322b8 Thread C:\Windows\system32\svchost.exe [1724:7668] 000007fef97f5124 Thread C:\Windows\system32\svchost.exe [1724:6196] 000007fef4dd5170 Thread C:\Windows\system32\svchost.exe [1724:5636] 000007fef9b73900 Thread C:\Windows\system32\svchost.exe [1824:2088] 000007fefb961a70 Thread C:\Windows\system32\svchost.exe [1824:2176] 000007fefb961a70 Thread C:\Windows\system32\svchost.exe [1824:2188] 000007fefb961a70 Thread C:\Windows\system32\svchost.exe [1824:2216] 000007fef8152c70 Thread C:\Windows\system32\svchost.exe [1824:2228] 000007fef815fb40 Thread C:\Windows\system32\svchost.exe [1824:2244] 000007fef8171d20 Thread C:\Windows\system32\svchost.exe [1824:2248] 000007fef815f6f0 Thread C:\Windows\system32\svchost.exe [1824:2856] 000007fef64335c0 Thread C:\Windows\system32\svchost.exe [1824:5400] 000007fefaade7e0 Thread C:\Windows\system32\svchost.exe [1824:6080] 000007fef6435600 Thread C:\Windows\system32\svchost.exe [1824:6220] 000007fef2242940 Thread C:\Windows\system32\svchost.exe [1824:6260] 000007fef1512888 Thread C:\Windows\system32\WLANExt.exe [1940:1976] 00000001800ea1c0 Thread C:\Windows\system32\WLANExt.exe [1940:1980] 000000018008dc50 Thread C:\Windows\system32\WLANExt.exe [1940:1984] 00000001800ea1c0 Thread C:\Windows\system32\WLANExt.exe [1940:4584] 000007fef9072f9c Thread C:\Windows\system32\WLANExt.exe [1940:4792] 000007fefaade7e0 Thread C:\Windows\system32\WLANExt.exe [1940:5080] 0000000000db8bc8 Thread C:\Windows\system32\WLANExt.exe [1940:5084] 0000000000db8be4 Thread C:\Windows\system32\WLANExt.exe [1940:5088] 0000000000db8bac Thread C:\Windows\system32\WLANExt.exe [1940:5092] 000007fef9072f9c Thread C:\Windows\System32\spoolsv.exe [1408:3636] 000007fefaade7e0 Thread C:\Windows\System32\spoolsv.exe [1408:3920] 000007fef42a10c8 Thread C:\Windows\System32\spoolsv.exe [1408:3968] 000007fef41f6144 Thread C:\Windows\System32\spoolsv.exe [1408:3972] 000007fef63f5fd0 Thread C:\Windows\System32\spoolsv.exe [1408:3988] 000007fef3f23438 Thread C:\Windows\System32\spoolsv.exe [1408:3996] 000007fef63f63ec Thread C:\Windows\System32\spoolsv.exe [1408:4048] 000007fef4335e5c Thread C:\Windows\System32\spoolsv.exe [1408:4052] 000007fef44e5060 Thread C:\Windows\System32\svchost.exe [2736:2980] 000007fef65e0360 Thread C:\Windows\System32\svchost.exe [2736:2992] 000007fef65be460 Thread C:\Windows\System32\svchost.exe [2736:3008] 000007fef65be450 Thread C:\Windows\System32\svchost.exe [2736:3012] 000007fef6585570 Thread C:\Windows\System32\svchost.exe [2736:3016] 000007fef65ba130 Thread C:\Windows\System32\svchost.exe [2736:3020] 000007fef6585560 Thread C:\Windows\System32\svchost.exe [2736:3024] 000007fef66082a0 Thread C:\Windows\System32\svchost.exe [2736:2304] 000007fefaade7e0 Thread C:\Windows\system32\svchost.exe [2792:7660] 000007fee7568470 Thread C:\Windows\system32\svchost.exe [2792:7664] 000007fee7572418 Thread C:\Windows\system32\svchost.exe [2792:7968] 000007fef346f130 Thread C:\Windows\system32\svchost.exe [2792:8024] 000007fef3464734 Thread C:\Windows\system32\svchost.exe [2792:6640] 000007fef3464734 Thread C:\Windows\system32\taskhost.exe [3096:3328] 000007fef5f82740 Thread C:\Windows\system32\taskhost.exe [3096:3540] 000007fef8231010 Thread C:\Windows\system32\taskhost.exe [3096:3664] 000007fef5fa1f38 Thread C:\Windows\system32\taskhost.exe [3096:6880] 000007fef4dd5170 Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [3520:3660] 0000000075e57587 Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [3520:3708] 0000000077741697 Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [3520:3460] 0000000077747ad8 Thread C:\Windows\Explorer.EXE [3684:7052] 000007fee7852118 Thread C:\Windows\Explorer.EXE [3684:6896] 000007fef9072f9c Thread C:\Windows\Explorer.EXE [3684:6852] 000007fef2943824 Thread C:\Windows\Explorer.EXE [3684:7232] 000007fefaade7e0 Thread C:\Windows\SysWOW64\svchost.exe [4132:4156] 0000000075e57587 Thread C:\Windows\SysWOW64\svchost.exe [4132:4172] 0000000071530a20 Thread C:\Windows\SysWOW64\svchost.exe [4132:4176] 0000000071531420 Thread C:\Windows\SysWOW64\svchost.exe [4132:4188] 0000000077741697 Thread C:\Windows\SysWOW64\svchost.exe [4132:6448] 0000000077747ad8 Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [4624:4872] 0000000075e57587 Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [4624:4876] 0000000077741697 Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [4624:4880] 000000007206345e Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [4624:4888] 0000000070f7785a Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [4624:4900] 000000007206345e Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [4624:4904] 0000000070cbff83 Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [4624:4956] 0000000070cbff83 Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [4624:4960] 0000000070cb6447 Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [4624:4964] 000000007206345e Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [4624:5816] 0000000070f2247a Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [4624:5288] 000000007206345e Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [4624:2536] 000000007206345e Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [4624:7716] 0000000077747ad8 Thread C:\Windows\SysWOW64\DllHost.exe [4760:4808] 0000000077741697 Thread C:\Windows\SysWOW64\DllHost.exe [4760:4828] 000000007565d834 Thread C:\Windows\SysWOW64\DllHost.exe [4760:4936] 0000000070ba2550 Thread C:\Windows\SysWOW64\DllHost.exe [4760:8048] 0000000077747ad8 Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [5284:5788] 0000000075e57587 Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [5284:6036] 0000000077741697 Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [5284:5124] 0000000067dd4cab Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [5284:5852] 0000000067de6471 Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [5284:7748] 0000000077747ad8 Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [5236:5456] 000007fef060fe98 Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [5236:5460] 000007fef07500bc Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [5236:6252] 000007fef07500bc Thread C:\Windows\system32\svchost.exe [2816:6256] 000007fef9072f9c Thread C:\Windows\system32\svchost.exe [6540:6748] 000007fefaade7e0 Thread C:\Windows\System32\svchost.exe [6836:6956] 000007fefaade7e0 Thread C:\Windows\system32\wbem\wmiprvse.exe [7104:5540] 000007fefaade7e0 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6684:7764] 000007fefaf22be0 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6684:7772] 000007fee47f8a28 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6684:7784] 000007fefaade7e0 Thread C:\Windows\system32\taskhost.exe [8708:5324] 000007fef14cee1c Thread C:\Windows\system32\taskhost.exe [8708:1692] 000007fefaade7e0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\506313db7b38 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0cb38d51ac0 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0cb38d51ac0@b86ce85c2102 0x99 0xC9 0x75 0x56 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\506313db7b38 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0cb38d51ac0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0cb38d51ac0@b86ce85c2102 0x99 0xC9 0x75 0x56 ... ---- EOF - GMER 2.2 ----