GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-10-01 18:23:54
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000030 ST1000DM003-1CH162 rev.CC49 931,51GB
Running: omyiqhrp.exe; Driver: C:\Users\Hajduk\AppData\Local\Temp\pxldapow.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\WINDOWS\System32\win32k.sys!W32pServiceTable  fffff96000192d00 15 bytes [00, 2E, F7, 01, 80, FC, 6F, ...]
.text  C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16  fffff96000192d10 11 bytes [00, F8, FB, FF, 00, 09, C3, ...]

---- User code sections - GMER 2.1 ----

.text  C:\WINDOWS\System32\LogonUI.exe[2360] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007fffaebb169a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[2360] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007fffaebb16a2 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[2360] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007fffaebb181a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[2360] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007fffaebb1832 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[452] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007fffaebb169a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[452] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007fffaebb16a2 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[452] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007fffaebb181a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[452] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007fffaebb1832 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[3364] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007fffaebb169a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[3364] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007fffaebb16a2 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[3364] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007fffaebb181a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[3364] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007fffaebb1832 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[3356] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007fffaebb169a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[3356] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007fffaebb16a2 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[3356] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007fffaebb181a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[3356] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007fffaebb1832 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[2104] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007fffaebb169a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[2104] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007fffaebb16a2 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[2104] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007fffaebb181a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[2104] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007fffaebb1832 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[696] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007fffaebb169a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[696] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007fffaebb16a2 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[696] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007fffaebb181a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[696] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007fffaebb1832 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[3556] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007fffaebb169a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[3556] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007fffaebb16a2 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[3556] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007fffaebb181a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[3556] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007fffaebb1832 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[5476] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007fffaebb169a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[5476] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007fffaebb16a2 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[5476] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007fffaebb181a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[5476] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007fffaebb1832 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[2584] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007fffaebb169a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[2584] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007fffaebb16a2 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[2584] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007fffaebb181a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[2584] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007fffaebb1832 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[1504] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007fffaebb169a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[1504] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007fffaebb16a2 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[1504] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007fffaebb181a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[1504] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007fffaebb1832 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[5964] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007fffaebb169a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[5964] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007fffaebb16a2 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[5964] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007fffaebb181a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[5964] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007fffaebb1832 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[3712] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007fffaebb169a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[3712] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007fffaebb16a2 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[3712] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007fffaebb181a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[3712] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007fffaebb1832 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[2952] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007fffaebb169a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[2952] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007fffaebb16a2 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[2952] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007fffaebb181a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[2952] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007fffaebb1832 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[6068] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007fffaebb169a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[6068] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007fffaebb16a2 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[6068] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007fffaebb181a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[6068] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007fffaebb1832 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[820] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007fffaebb169a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[820] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007fffaebb16a2 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[820] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007fffaebb181a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[820] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007fffaebb1832 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[1868] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007fffaebb169a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[1868] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007fffaebb16a2 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[1868] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007fffaebb181a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\System32\LogonUI.exe[1868] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007fffaebb1832 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\system32\dwm.exe[4740] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007fffaebb169a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\system32\dwm.exe[4740] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007fffaebb16a2 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\system32\dwm.exe[4740] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007fffaebb181a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\system32\dwm.exe[4740] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007fffaebb1832 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\Explorer.EXE[4964] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007fffaebb169a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\Explorer.EXE[4964] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007fffaebb16a2 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\Explorer.EXE[4964] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007fffaebb181a 4 bytes [BB, AE, FF, 7F]
.text  C:\WINDOWS\Explorer.EXE[4964] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007fffaebb1832 4 bytes [BB, AE, FF, 7F]

---- Threads - GMER 2.1 ----

Thread  C:\WINDOWS\system32\csrss.exe [3284:4532]  fffff960008cdb90

---- Processes - GMER 2.1 ----

Process  C:\Users\Hajduk\AppData\Roaming\Microsoft\mstsc.exe (*** suspicious ***) @ C:\Users\Hajduk\AppData\Roaming\Microsoft\mstsc.exe [2888](2014-09-27 15:47:16)  0000000000400000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  -1691582401
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AE856DA4-9673-4350-B53F-C3239FE7DA1E}@LeaseObtainedTime  1412178447
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AE856DA4-9673-4350-B53F-C3239FE7DA1E}@T1  1412178725
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AE856DA4-9673-4350-B53F-C3239FE7DA1E}@T2  1412178950
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AE856DA4-9673-4350-B53F-C3239FE7DA1E}@LeaseTerminatesTime  1412179047
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{11065fe5-b19b-11e3-9bf4-74d4350b6f6f}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{11065fe5-b19b-11e3-9bf4-74d4350b6f6f}@Drive Type  1048593
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{11065fe5-b19b-11e3-9bf4-74d4350b6f6f}@IsImapiDataBurnSupported  0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{11065fe5-b19b-11e3-9bf4-74d4350b6f6f}@Active  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\iexplore@Count  12

---- Files - GMER 2.1 ----

File  C:\Users\Hajduk\AppData\Local\Mozilla\Firefox\Profiles\7ambhzp4.default-1397855190287\cache2\entries\03415A7E8B3AD4EF938285B3E9B3CBA00F32659E  252 bytes
File  C:\Users\Hajduk\AppData\Local\Mozilla\Firefox\Profiles\7ambhzp4.default-1397855190287\cache2\entries\E0CD3E7A089B511D921A0F5ECA3DDA903D31F6C8  3390 bytes

---- EOF - GMER 2.1 ----