GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-04-26 16:44:09
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD10EZEX-00RKKA0 rev.80.00A80 931,51GB
Running: 8f2u218c.exe; Driver: C:\Users\User\AppData\Local\Temp\kxldapob.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\PnkBstrA.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076e01465 2 bytes [E0, 76]
.text C:\Windows\system32\PnkBstrA.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076e014bb 2 bytes [E0, 76]
.text ... * 2
.text C:\Users\User\AppData\Local\ATI Technologies\atiedxx.exe[2516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076e01465 2 bytes [E0, 76]
.text C:\Users\User\AppData\Local\ATI Technologies\atiedxx.exe[2516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076e014bb 2 bytes [E0, 76]
.text ... * 2
.text C:\Windows\SysWOW64\ntdll.dll[4212] C:\Windows\syswow64\kernel32.dll!CreateProcessA 00000000753b1072 5 bytes JMP 00000001082c2d9e
.text C:\Windows\SysWOW64\ntdll.dll[4212] C:\Windows\syswow64\kernel32.dll!CreateThread 00000000753b34d5 5 bytes JMP 00000001082c2742
.text C:\Windows\SysWOW64\ntdll.dll[4212] C:\Windows\syswow64\USER32.dll!GetDC 00000000767472c4 5 bytes JMP 00000001082c208b
.text C:\Windows\SysWOW64\ntdll.dll[4212] C:\Windows\syswow64\USER32.dll!ReleaseDC 0000000076747446 5 bytes JMP 00000001082c211f
.text C:\Windows\SysWOW64\ntdll.dll[4212] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076748a29 5 bytes JMP 00000001082c2a73
.text C:\Windows\SysWOW64\ntdll.dll[4212] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000076748e4e 5 bytes JMP 00000001082c2931
.text C:\Windows\SysWOW64\ntdll.dll[4212] C:\Windows\syswow64\USER32.dll!IsWindowVisible 000000007675112d 7 bytes JMP 00000001082c2b2c
.text C:\Windows\SysWOW64\ntdll.dll[4212] C:\Windows\syswow64\USER32.dll!GetCursorPos 0000000076751218 5 bytes JMP 00000001082c24d6
.text C:\Windows\SysWOW64\ntdll.dll[4212] C:\Windows\syswow64\USER32.dll!BeginPaint 0000000076751361 5 bytes JMP 00000001082c1ff7
.text C:\Windows\SysWOW64\ntdll.dll[4212] C:\Windows\syswow64\USER32.dll!InvalidateRect 0000000076751381 5 bytes JMP 00000001082c2302
.text C:\Windows\SysWOW64\ntdll.dll[4212] C:\Windows\syswow64\USER32.dll!RedrawWindow 000000007675140b 5 bytes JMP 00000001082c2609
.text C:\Windows\SysWOW64\ntdll.dll[4212] C:\Windows\syswow64\USER32.dll!SetFocus 0000000076752175 5 bytes JMP 00000001082c226a
.text C:\Windows\SysWOW64\ntdll.dll[4212] C:\Windows\syswow64\USER32.dll!RegisterClassA 000000007675434b 5 bytes JMP 00000001082c26aa
.text C:\Windows\SysWOW64\ntdll.dll[4212] C:\Windows\syswow64\USER32.dll!InvalidateRgn 0000000076756604 5 bytes JMP 00000001082c23a0
.text C:\Windows\SysWOW64\ntdll.dll[4212] C:\Windows\syswow64\USER32.dll!TrackPopupMenu 000000007676c288 5 bytes JMP 00000001082c2cf4
.text C:\Windows\SysWOW64\ntdll.dll[4212] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007676cfca 5 bytes JMP 00000001082c27e9
.text C:\Windows\SysWOW64\ntdll.dll[4212] C:\Windows\syswow64\USER32.dll!WindowFromPoint 000000007676ed12 5 bytes JMP 00000001082c256e
.text C:\Windows\SysWOW64\ntdll.dll[4212] C:\Windows\syswow64\USER32.dll!SetCapture 000000007676ed56 5 bytes JMP 00000001082c243e
.text C:\Windows\SysWOW64\ntdll.dll[4212] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 000000007676f170 5 bytes JMP 00000001082c29db
.text C:\Windows\SysWOW64\ntdll.dll[4212] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 00000000767710dc 5 bytes JMP 00000001082c288d

---- Threads - GMER 2.1 ----

Thread C:\Windows\SysWOW64\ntdll.dll [4212:4696] 00000000005d2692
Thread C:\Windows\SysWOW64\ntdll.dll [4212:2676] 0000000073ab62ee
Thread C:\Windows\SysWOW64\ntdll.dll [4212:1984] 000000006a59e718
Thread C:\Windows\SysWOW64\ntdll.dll [4212:2892] 0000000071b032fb
Thread C:\Windows\SysWOW64\ntdll.dll [4212:4364] 00000000082c2e51
Thread C:\Windows\SysWOW64\ntdll.dll [4212:336] 00000000004da60f
Thread C:\Windows\SysWOW64\ntdll.dll [4212:3656] 0000000072f127c1
Thread C:\Windows\SysWOW64\ntdll.dll [4212:4008] 000000006e07c41d
Thread C:\Windows\SysWOW64\ntdll.dll [4212:4604] 000000006e07c41d
Thread C:\Windows\SysWOW64\ntdll.dll [4212:4544] 000000006e07c41d
Thread C:\Windows\SysWOW64\ntdll.dll [4212:1104] 000000006e07c41d

---- Processes - GMER 2.1 ----

Process C:\Users\User\AppData\Local\ATI Technologies\atiedxx.exe (*** suspicious ***) @ C:\Users\User\AppData\Local\ATI Technologies\atiedxx.exe [2516] (AMD External Events Driver Modul/ATI Technologie)(2014-04-19 20:45:46) 0000000000400000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{006D4D4C-9D12-4143-BCB5-2A38861E33D9}@LeaseObtainedTime 1398522668
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{006D4D4C-9D12-4143-BCB5-2A38861E33D9}@T1 1398522795
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{006D4D4C-9D12-4143-BCB5-2A38861E33D9}@T2 1398522891
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{006D4D4C-9D12-4143-BCB5-2A38861E33D9}@LeaseTerminatesTime 1398522923

---- EOF - GMER 2.1 ----