GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-12 18:28:48
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000030 ST1000DM003-1CH162 rev.CC49 931,51GB
Running: gmer.exe; Driver: C:\Users\Hajduk\AppData\Local\Temp\pxldapow.sys


---- Kernel code sections - GMER 2.1 ----

.text  C:\WINDOWS\System32\win32k.sys!W32pServiceTable  fffff96000226700 15 bytes [40, B5, F7, 01, 80, 39, 70, ...]
.text  C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16  fffff96000226710 11 bytes [00, 15, FC, FF, 00, 27, C3, ...]

---- User code sections - GMER 2.1 ----

.text  C:\WINDOWS\System32\LogonUI.exe[2264] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffaca7a169a 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[2264] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffaca7a16a2 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[2264] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffaca7a181a 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[2264] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffaca7a1832 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[4200] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffaca7a169a 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[4200] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffaca7a16a2 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[4200] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffaca7a181a 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[4200] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffaca7a1832 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\System32\dwm.exe[3548] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffaca7a169a 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\System32\dwm.exe[3548] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffaca7a16a2 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\System32\dwm.exe[3548] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffaca7a181a 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\System32\dwm.exe[3548] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffaca7a1832 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\system32\nvvsvc.exe[1128] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffaca7a169a 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\system32\nvvsvc.exe[1128] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffaca7a16a2 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\system32\nvvsvc.exe[1128] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffaca7a181a 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\system32\nvvsvc.exe[1128] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffaca7a1832 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\Explorer.EXE[6000] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffaca7a169a 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\Explorer.EXE[6000] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffaca7a16a2 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\Explorer.EXE[6000] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffaca7a181a 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\Explorer.EXE[6000] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffaca7a1832 4 bytes [7A, CA, FA, 7F]

---- Threads - GMER 2.1 ----

Thread  C:\WINDOWS\system32\svchost.exe [1472:2420]  00007ffabe494608
Thread  C:\WINDOWS\system32\svchost.exe [1472:1836]  00007ffabe491040
Thread  C:\WINDOWS\system32\csrss.exe [4512:5488]  fffff96000942b90

---- Processes - GMER 2.1 ----

Process  C:\Users\Hajduk\AppData\Local\Temp\Rar$EXa0.640\gmer.exe (*** suspicious ***) @ C:\Users\Hajduk\AppData\Local\Temp\Rar$EXa0.640\gmer.exe [3416](2014-09-12 14:53:19)  0000000000400000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\BNQ7807F5805226SL0_14_07D8_A8^CAE6B87B3330D4C1514D94EBE4D15582@Timestamp  0x01 0x3B 0x82 0x4F ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  632649267
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime  7710
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime  12126
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeBootMgrTime  511
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppTime  521
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppStartTimestamp  8223
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeHiberFileTime  319
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeRestoreImageStartTimestamp  8423
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeIoTime  224
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeKernelSwitchTimestamp  8744
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp  8753
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp  11732
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TimeStampCounterAtSwitchTime  8750
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState  12115
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberHiberFileTime  3234
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberInitTime  66
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalHibernateTime  11485
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeHiberFileTime  2976
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeInitTime  132
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeSharedBufferTime  10
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime  366
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelAnimationTime  25
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesProcessed  390265
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesWritten  0x00 0x41 0x02 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesProcessed  20693
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesWritten  0xB6 0x26 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberWriteRate  190
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeReadRate  201
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressRate  128
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeIoCpuTime  287
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberIoCpuTime  98
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HybridBootAnimationTime  2994
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp  0xFA 0x24 0x89 0x03 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  8292
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  2954
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AE856DA4-9673-4350-B53F-C3239FE7DA1E}@LeaseObtainedTime  1410531512
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AE856DA4-9673-4350-B53F-C3239FE7DA1E}@T1  1410531793
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AE856DA4-9673-4350-B53F-C3239FE7DA1E}@T2  1410532018
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AE856DA4-9673-4350-B53F-C3239FE7DA1E}@LeaseTerminatesTime  1410532112
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\iexplore@Count  29

---- Files - GMER 2.1 ----

File  C:\Users\Hajduk\AppData\Local\Mozilla\Firefox\Profiles\7ambhzp4.default-1397855190287\cache2\entries\9B4360D2A19CB123C3134F0DBA8D1DDAF40E20A4  252 bytes

---- EOF - GMER 2.1 ----
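One check worth running before treating the "User code sections" entries above as hooks: every one of them reports the same 4 bytes [7A, CA, FA, 7F] at an address of the form 00007ffaca7a.... Read little-endian those bytes are 0x7FFACA7A, which is exactly bits 16..47 of each entry's own address, i.e. the high part of a 64-bit pointer into the same region of PSAPI.DLL. That is the signature of a relocated absolute pointer inside the code section rather than an injected JMP/CALL; the arithmetic is a fact about the log, the "relocation, not hook" reading is the editor's interpretation and should be confirmed against an on-disk copy of PSAPI.DLL. The script below is an added example, not part of the GMER log or of GMER itself. It parses the GMER user-code line format, applies that check, and includes one constructed entry (example.exe, EXAMPLE.DLL!HypotheticalExport, all names invented) that a genuine inline patch would produce, so the check is seen rejecting something.

```python
import re
from dataclasses import dataclass

# Constructed sample input: four user-mode entries copied from the GMER log
# above (the LogonUI.exe[2264] process), plus one made-up entry that is NOT
# from the log, with invented names, standing in for a real code patch.
SAMPLE_ENTRIES = r"""
.text  C:\WINDOWS\System32\LogonUI.exe[2264] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffaca7a169a 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[2264] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffaca7a16a2 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[2264] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffaca7a181a 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[2264] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffaca7a1832 4 bytes [7A, CA, FA, 7F]
.text  C:\WINDOWS\System32\example.exe[9999] C:\WINDOWS\system32\EXAMPLE.DLL!HypotheticalExport  00007ffaca7a2000 4 bytes [90, 90, 90, 90]
"""

# GMER 2.1 "User code sections" line layout, as seen in the log above.
ENTRY_RE = re.compile(
    r"^\.text\s+"
    r"(?P<process>\S+\[\d+\])\s+"          # image path and PID, e.g. LogonUI.exe[2264]
    r"(?P<module>\S+)!(?P<symbol>\w+)"      # module and exported symbol
    r"(?:\s*\+\s*(?P<offset>\d+))?\s+"      # optional byte offset into the symbol
    r"(?P<address>[0-9a-fA-F]{16})\s+"      # virtual address of the differing bytes
    r"(?P<count>\d+) bytes \[(?P<bytes>[^\]]*)\]"
)


@dataclass
class Entry:
    process: str
    module: str
    symbol: str
    offset: int
    address: int
    patch: bytes   # the bytes GMER found in memory at `address`


def parse_entries(text: str) -> list[Entry]:
    """Parse every .text line in `text`; lines that do not match are skipped.
    A trailing '...' in the byte list (GMER truncation) is dropped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        tokens = [t.strip() for t in m.group("bytes").split(",")]
        patch = bytes(int(t, 16) for t in tokens if re.fullmatch(r"[0-9A-Fa-f]{2}", t))
        entries.append(Entry(
            process=m.group("process"),
            module=m.group("module"),
            symbol=m.group("symbol"),
            offset=int(m.group("offset") or 0),
            address=int(m.group("address"), 16),
            patch=patch,
        ))
    return entries


def looks_like_relocated_pointer(e: Entry) -> bool:
    """True when the 4 reported bytes, read little-endian, equal bits 16..47 of
    the entry's own address: the high dword of a 64-bit pointer into the same
    module region. A relocated absolute pointer embedded in the code section
    produces exactly this; an injected JMP/CALL or NOP sled does not."""
    if len(e.patch) != 4:
        return False
    return int.from_bytes(e.patch, "little") == (e.address >> 16) & 0xFFFFFFFF


def triage(text: str) -> dict[tuple[str, str, int], str]:
    """Map (process, symbol, offset) to a verdict for every parsed entry."""
    verdicts = {}
    for e in parse_entries(text):
        verdict = "pointer-high-dword" if looks_like_relocated_pointer(e) else "unexplained-patch"
        verdicts[(e.process, e.symbol, e.offset)] = verdict
    return verdicts


if __name__ == "__main__":
    for (proc, sym, off), verdict in triage(SAMPLE_ENTRIES).items():
        print(f"{proc} {sym}+{off}: {verdict}")
```

Entries flagged "unexplained-patch" are the ones that still need a disassembly of the bytes and a diff against the on-disk module; "pointer-high-dword" entries are consistent with the loader's relocation and are the usual reason this exact PSAPI.DLL pattern repeats identically across every listed process.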