GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-11 21:54:01
Windows 6.3.9600 x64 \Device\Harddisk1\DR1 -> \Device\0000002c PLEXTOR_PX-128M5Pro rev.1.05 119,24GB
Running: gmer.exe; Driver: C:\Users\Daniel\AppData\Local\Temp\uxdyrpoc.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\system32\ntoskrnl.exe!NtCallbackReturn + 960  fffff801a73c9d00 60 bytes [C0, 52, AC, FF, 02, AD, 4E, ...]

---- User code sections - GMER 2.1 ----

.text  C:\Windows\Explorer.EXE[1168] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 714  00007ffe6d5d154a 4 bytes [5D, 6D, FE, 7F]
.text  C:\Windows\Explorer.EXE[1168] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 722  00007ffe6d5d1552 4 bytes [5D, 6D, FE, 7F]
.text  C:\Windows\Explorer.EXE[1168] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 98  00007ffe6d5d162a 4 bytes [5D, 6D, FE, 7F]
.text  C:\Windows\Explorer.EXE[1168] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 122  00007ffe6d5d1642 4 bytes [5D, 6D, FE, 7F]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [444:452]  fffff96000808b90

---- Processes - GMER 2.1 ----

Process  C:\Users\Daniel\AppData\Local\Temp\Temp3_gmer.zip\gmer.exe (*** suspicious ***) @ C:\Users\Daniel\AppData\Local\Temp\Temp3_gmer.zip\gmer.exe [1312](2014-01-28 16:36:04)  0000000000400000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control@SystemStartOptions  NOEXECUTE=OPTIN USEPLATFORMCLOCK
Reg  HKLM\SYSTEM\CurrentControlSet\Control@LastBootShutdown  0
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\MSBDD_IVM61071109413621114_24_07DB_AF_1414_008D_FFFFFFFF_FFFFFFFF_0^BAF10A2E9627A817D4E028B865673655@Timestamp  0xE6 0x04 0x3B 0x71 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  608
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber  3900010
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  1112602844
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId  32
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime  422027474
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime  15765
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID  7898e37a-992f-4e1e-9802-7c53539
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\amdsbs\Parameters\Device-1@RaidCount  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{6e5d3a50-d1f9-4c10-a399-ab251a7e956a}@LastProbeTime  1410470543
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  1349
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  221
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{57D45ABB-CD7A-4B6D-A0C9-2CA4125A4B8D}@LeaseObtainedTime  1410463343
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{57D45ABB-CD7A-4B6D-A0C9-2CA4125A4B8D}@T1  1410506543
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{57D45ABB-CD7A-4B6D-A0C9-2CA4125A4B8D}@T2  1410538943
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{57D45ABB-CD7A-4B6D-A0C9-2CA4125A4B8D}@LeaseTerminatesTime  1410549743
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop  0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell\Grid@Layout_MaximumAvailableHeightCells  12
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell\Grid@Layout_AvailableHeightCells  12

---- EOF - GMER 2.1 ----