GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2014-01-09 00:06:20
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PC4O 465,76GB
Running: 1vhc813w.exe; Driver: C:\Users\M\AppData\Local\Temp\pxldypoc.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528  fffff800031f0000 45 bytes [00, 00, 15, 02, 46, 69, 6C, ...]
INITKDBG  C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575  fffff800031f002f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2620]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000758a1465 2 bytes [8A, 75]
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2620]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000758a14bb 2 bytes [8A, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2888]  C:\windows\syswow64\psapi.dll!GetModuleInformation + 69  00000000758a1465 2 bytes [8A, 75]
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2888]  C:\windows\syswow64\psapi.dll!GetModuleInformation + 155  00000000758a14bb 2 bytes [8A, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3704]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000758a1465 2 bytes [8A, 75]
.text  C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe[3704]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000758a14bb 2 bytes [8A, 75]
.text  ...  * 2
.text  C:\Users\M\AppData\Roaming\Smilebox\SmileboxTray.exe[4788]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000758a1465 2 bytes [8A, 75]
.text  C:\Users\M\AppData\Roaming\Smilebox\SmileboxTray.exe[4788]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000758a14bb 2 bytes [8A, 75]
.text  ...  * 2
.text  C:\Users\M\AppData\Roaming\pwo6\svchost.exe[4976]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000758a1465 2 bytes [8A, 75]
.text  C:\Users\M\AppData\Roaming\pwo6\svchost.exe[4976]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000758a14bb 2 bytes [8A, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6112]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000758a1465 2 bytes [8A, 75]
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6112]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000758a14bb 2 bytes [8A, 75]
.text  ...  * 2

---- Threads - GMER 2.1 ----

Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:2692]  0000000077173e85
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:2708]  0000000077172e65
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:2732]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:2736]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:2740]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:2744]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:2748]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:2752]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:2756]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:2760]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:2764]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:2768]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:3024]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:3028]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:3032]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:3276]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:3280]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:3284]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:3288]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:3292]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:3296]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:3300]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:3412]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:3416]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:3432]  0000000077173e85
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:3436]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:3444]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:3448]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:3456]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:3460]  00000000731529e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:3484]  00000000731529e1
Thread  C:\windows\System32\svchost.exe [5332:6064]  000007feec319688
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4256:5136]  000007fefa8f2a7c

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e02a82ca02ec
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e02a82ca02ec@78471d52f22f  0x82 0x6D 0x6B 0x48 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e02a82ca02ec@00164157a97e  0x37 0x86 0x84 0xEB ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e02a82ca02ec@bccfcc937e66  0x5F 0x52 0xB8 0x9B ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e02a82ca02ec (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e02a82ca02ec@78471d52f22f  0x82 0x6D 0x6B 0x48 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e02a82ca02ec@00164157a97e  0x37 0x86 0x84 0xEB ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e02a82ca02ec@bccfcc937e66  0x5F 0x52 0xB8 0x9B ...

---- EOF - GMER 2.1 ----
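A small triage helper for the "User code sections" and "Threads" parts of a GMER 2.1 log, added here as an example; it is not part of the log above and not GMER's own code. It parses each `.text` hook line into its fields (process path, PID, hooked module!function + offset, address, patched bytes) and each `Thread` line into process, PID:TID and start address, then does two things a reviewer of such a log does by hand: it flags process paths that are not where code is expected (a Windows binary name such as svchost.exe outside System32/SysWOW64, or anything running from a user-writable location such as AppData), and it groups identical patches across processes so a single system-wide modification of one DLL (the same two bytes at the same two PSAPI.DLL offsets in every 32-bit process here) is reported once rather than read as many independent hooks. The trusted-root list, the system-binary list and the severity labels are assumptions for illustration; the sample lines are constructed from entries in the log.

```python
"""Triage helper for GMER 2.1 'User code sections' and 'Threads' lines.

Added example, not GMER's code. TRUSTED_ROOTS, SYSTEM_BINARIES and the
severity labels are assumptions; tune them for the environment at hand.
"""
import re
from collections import defaultdict

# .text  <process path>[<pid>]  <module>!<function> + <offset>  <address> <n> bytes [<hex bytes>]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\w+)\s*\+\s*(?P<offset>\d+)\s+"
    r"(?P<addr>[0-9a-fA-F]+)\s+(?P<nbytes>\d+)\s+bytes\s+\[(?P<patch>[^\]]*)\]"
)
# Thread  <process path> [<pid>:<tid>]  <start address>
THREAD_RE = re.compile(
    r"^Thread\s+(?P<proc>.+?)\s+\[(?P<pid>\d+):(?P<tid>\d+)\]\s+(?P<addr>[0-9a-fA-F]+)"
)

# Assumption: legitimate code lives under these roots; anything else is user-writable.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: these Windows binary names belong only under System32/SysWOW64.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def classify_path(path: str) -> str:
    """Severity label for a process path (thresholds are assumptions)."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARIES and not p.startswith(SYSTEM_DIRS):
        return "HIGH: system binary name outside System32/SysWOW64"
    if not p.startswith(TRUSTED_ROOTS):
        return "MEDIUM: code running from a user-writable location"
    return "low"


def parse_gmer(text: str):
    """Return (hooks, threads); lines that match neither pattern are ignored."""
    hooks, threads = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"], d["offset"], d["nbytes"] = int(d["pid"]), int(d["offset"]), int(d["nbytes"])
            # "[8A, 75]" -> b"\x8a\x75"; a trailing "..." in GMER output is dropped.
            d["patch"] = bytes(int(b, 16) for b in d["patch"].split(",") if b.strip() != "...")
            hooks.append(d)
            continue
        m = THREAD_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"], d["tid"] = int(d["pid"]), int(d["tid"])
            threads.append(d)
    return hooks, threads


def group_hooks(hooks):
    """Group identical patches (module, function, offset, bytes) by the processes they appear in.
    One key shared by every 32-bit process points at a single system-wide change to that DLL;
    a key seen in one process only deserves a look on its own."""
    groups = defaultdict(set)
    for h in hooks:
        groups[(h["module"].lower(), h["func"], h["offset"], h["patch"])].add(h["proc"])
    return groups


def triage(text: str):
    """Return (findings, hook_groups): findings is a sorted list of (severity, process path)."""
    hooks, threads = parse_gmer(text)
    procs = {h["proc"] for h in hooks} | {t["proc"] for t in threads}
    findings = sorted((classify_path(p), p) for p in procs if classify_path(p) != "low")
    return findings, group_hooks(hooks)


# Constructed sample, taken from entries in the log above.
SAMPLE_LOG = r"""
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2620]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000758a1465 2 bytes [8A, 75]
.text  C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2620]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000758a14bb 2 bytes [8A, 75]
.text  C:\Users\M\AppData\Roaming\Smilebox\SmileboxTray.exe[4788]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000758a1465 2 bytes [8A, 75]
.text  C:\Users\M\AppData\Roaming\pwo6\svchost.exe[4976]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000758a1465 2 bytes [8A, 75]
.text  C:\Users\M\AppData\Roaming\pwo6\svchost.exe[4976]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000758a14bb 2 bytes [8A, 75]
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2672:2692]  0000000077173e85
Thread  C:\windows\System32\svchost.exe [5332:6064]  000007feec319688
"""

if __name__ == "__main__":
    findings, groups = triage(SAMPLE_LOG)
    for sev, path in findings:
        print(f"{sev}: {path}")
    for (module, func, off, patch), procs in groups.items():
        print(f"{module}!{func}+{off} {patch.hex()} in {len(procs)} process(es)")
```

Run against the full log, the helper reports the `pwo6\svchost.exe` path as the only system-binary name outside a system directory and `SmileboxTray.exe` as code under AppData, and shows that the two PSAPI.DLL patches are the same bytes at the same addresses in every listed 32-bit process. Whether a shared patch is benign or not still has to be decided by inspecting the DLL in one of those processes; the grouping only tells you it is one question, not seven.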