GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-13 13:13:59
Windows 6.3.9600 x64 \Device\Harddisk1\DR1 -> \Device\0000002b PLEXTOR_PX-128M5Pro rev.1.05 119,24GB
Running: zw6rf0om.exe; Driver: C:\Users\Daniel\AppData\Local\Temp\kxdyrpow.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\system32\ntoskrnl.exe!NtCallbackReturn + 960  fffff8000f765d00 12 bytes [C0, 52, AC, FF, 02, AD, 4E, ...]
.text  C:\Windows\system32\ntoskrnl.exe!NtCallbackReturn + 973  fffff8000f765d0d 23 bytes [B2, A2, 02, 00, C4, FF, FF, ...]

---- User code sections - GMER 2.1 ----

.text  C:\Windows\Explorer.EXE[1116] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 714  00007ff8fe8d154a 4 bytes [8D, FE, F8, 7F]
.text  C:\Windows\Explorer.EXE[1116] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 722  00007ff8fe8d1552 4 bytes [8D, FE, F8, 7F]
.text  C:\Windows\Explorer.EXE[1116] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 98  00007ff8fe8d162a 4 bytes [8D, FE, F8, 7F]
.text  C:\Windows\Explorer.EXE[1116] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 122  00007ff8fe8d1642 4 bytes [8D, FE, F8, 7F]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [468:792]  fffff96000894b90

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control@SystemStartOptions  NOEXECUTE=OPTIN USEPLATFORMCLOCK
Reg  HKLM\SYSTEM\CurrentControlSet\Control@LastBootShutdown  0
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  560
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber  3899993
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  1000008559
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId  15
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime  422166205
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime  15798
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID  20ba3d8b-5655-4f03-98c4-51a38c5
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog@FileCounter  3
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger@FileCounter  5
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter  3
Reg  HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\UnitedVideo\SERVICES\BASICDISPLAY@DefaultSettings.XResolution  1920
Reg  HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\UnitedVideo\SERVICES\BASICDISPLAY@DefaultSettings.YResolution  1080
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{df5ff3a7-1b42-4dfc-8567-c7e57f4f428b}@LastProbeTime  1410612606
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  1084
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  66
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F22A7006-329B-4EA9-85CF-4D5D571884FD}@LeaseObtainedTime  1410605405
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F22A7006-329B-4EA9-85CF-4D5D571884FD}@T1  1410648605
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F22A7006-329B-4EA9-85CF-4D5D571884FD}@T2  1410681005
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F22A7006-329B-4EA9-85CF-4D5D571884FD}@LeaseTerminatesTime  1410691805
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop  0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced@Hidden  2
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown  1

---- Files - GMER 2.1 ----

File  C:\Users\Daniel\AppData\Local\Mozilla\Firefox\Profiles\d1ysudkk.default\cache2\entries\705F408D48B6D8353D67E09400F5802AAC01C6F5  0 bytes
File  C:\Users\Daniel\AppData\Local\Mozilla\Firefox\Profiles\d1ysudkk.default\cache2\entries\B25664EAE9AC67AE53098AF0B67E8CF2D79F4B3D  0 bytes
File  C:\Users\Daniel\AppData\Local\Mozilla\Firefox\Profiles\d1ysudkk.default\cache2\entries\F37BBD74BA0F53E678A7D1A1DC49090FEBCA9C8A  0 bytes
File  C:\Users\Daniel\AppData\Local\Mozilla\Firefox\Profiles\d1ysudkk.default\cache2\entries\B65C1C6E42CAB1485CE5C455325BC86454AFB681  0 bytes
File  C:\Users\Daniel\AppData\Local\Mozilla\Firefox\Profiles\d1ysudkk.default\cache2\entries\E1018C2EFB7999B2AA975BBE49307783453D2E1B  0 bytes
File  C:\Users\Daniel\AppData\Local\Mozilla\Firefox\Profiles\d1ysudkk.default\cache2\entries\85EF63E0D44CD7CBA02D39E224E57F4480AB542F  0 bytes
File  C:\Users\Daniel\AppData\Local\Mozilla\Firefox\Profiles\d1ysudkk.default\cache2\entries\55A6383E5FEA1385779F4F90E2B8D5563F5D8717  0 bytes
File  C:\Users\Daniel\AppData\Local\Mozilla\Firefox\Profiles\d1ysudkk.default\cache2\entries\0F1339AC445E4C30932B7F80F40269905A9734B6  0 bytes
File  C:\Users\Daniel\AppData\Local\Mozilla\Firefox\Profiles\d1ysudkk.default\cache2\entries\F572365F9E6136B95D59425E860A2D07AB12A7FA  0 bytes
File  C:\Users\Daniel\AppData\Local\Mozilla\Firefox\Profiles\d1ysudkk.default\cache2\entries\2476050FAE3E8980801F5245988B742D6C532567  0 bytes
File  C:\Users\Daniel\AppData\Local\Mozilla\Firefox\Profiles\d1ysudkk.default\cache2\entries\4F683061E383494FD2605858D5B5DD20B2313999  0 bytes
File  C:\Users\Daniel\AppData\Local\Mozilla\Firefox\Profiles\d1ysudkk.default\cache2\entries\7F16828FFAB48D2DDF4A3407F101BAC9329B52A1  0 bytes
File  C:\Users\Daniel\AppData\Local\Mozilla\Firefox\Profiles\d1ysudkk.default\cache2\entries\883B9DA41FBD45B6DE52DB74026E70636942BC09  0 bytes
File  C:\Users\Daniel\AppData\Local\Mozilla\Firefox\Profiles\d1ysudkk.default\cache2\entries\36B7993234B2A2A80869F2C1202A9BFF295685E2  0 bytes
File  C:\Users\Daniel\AppData\Local\Mozilla\Firefox\Profiles\d1ysudkk.default\cache2\entries\316835509F610CC77C7D12AC079C1937F446542B  0 bytes
File  C:\Users\Daniel\AppData\Local\Mozilla\Firefox\Profiles\d1ysudkk.default\cache2\entries\BBEDE12AAAFA83CAD8E3431A42D17382CC29B9B9  0 bytes
File  C:\Users\Daniel\AppData\Local\Temp\tmpC0AD.tmp  0 bytes

---- EOF - GMER 2.1 ----