GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-10-17 00:46:09
Windows 6.3.9600 x64 \Device\Harddisk0\DR0 -> \Device\0000002a KINGSTON_SH103S3120G rev.506ABBF0 111,79GB
Running: hvt6nq7m.exe; Driver: C:\Users\galonpzw\AppData\Local\Temp\kwtiakob.sys

---- User code sections - GMER 2.1 ----

.text   C:\WINDOWS\Explorer.EXE[1092] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 714       00007ffded52154a 4 bytes [52, ED, FD, 7F]
.text   C:\WINDOWS\Explorer.EXE[1092] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 722       00007ffded521552 4 bytes [52, ED, FD, 7F]
.text   C:\WINDOWS\Explorer.EXE[1092] C:\WINDOWS\SYSTEM32\MSIMG32.dll!TransparentBlt + 98      00007ffded52162a 4 bytes [52, ED, FD, 7F]
.text   C:\WINDOWS\Explorer.EXE[1092] C:\WINDOWS\SYSTEM32\MSIMG32.dll!TransparentBlt + 122     00007ffded521642 4 bytes [52, ED, FD, 7F]
.text   C:\WINDOWS\Explorer.EXE[1092] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506   00007ffdf4e3169a 4 bytes [E3, F4, FD, 7F]
.text   C:\WINDOWS\Explorer.EXE[1092] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514   00007ffdf4e316a2 4 bytes [E3, F4, FD, 7F]
.text   C:\WINDOWS\Explorer.EXE[1092] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118      00007ffdf4e3181a 4 bytes [E3, F4, FD, 7F]
.text   C:\WINDOWS\Explorer.EXE[1092] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142      00007ffdf4e31832 4 bytes [E3, F4, FD, 7F]

---- Threads - GMER 2.1 ----

Thread  C:\WINDOWS\system32\csrss.exe [472:496]   fffff960009bbb90

---- Processes - GMER 2.1 ----

Library C:\Users\galonpzw\AppData\Roaming\Copy\overlay\CopyShExt.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [1092] (Copy Shell Extensions/Barracuda Networks, Inc.)(2014-08-14 18:20:35)   00007ffde5920000
Library C:\Users\galonpzw\AppData\Roaming\Copy\overlay\Brt.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [1092](2014-08-14 18:20:35)   00007ffde3ca0000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control@SystemStartOptions   NOEXECUTE=OPTIN DISABLEDYNAMICTICK
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\MSBDD_NOEDID_1414_008D_FFFFFFFF_FFFFFFFF_0^CC77560BC3634A486857716562968286@Timestamp   0x9A 0x92 0x0C 0xE6 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid   632
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber   3900105
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed   -481752209
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId   127
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime   424989177
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime   9777
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID   26ac1e34-ab6d-4c53-b0f9-5c3fc4c
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter   1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\acpiex\Parameters\Wdf@TimeOfLastSqmLog   0xB3 0x0A 0xCE 0x87 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\amdsbs\Parameters\Device-1@RaidCount   3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\cdrom\Parameters\Wdf@TimeOfLastSqmLog   0xEB 0x1A 0x1A 0x8B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters\Wdf@TimeOfLastSqmLog   0x3D 0xE2 0xC1 0x8A ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{cdc2ae5b-75a8-45c8-ae17-b4cf5c1a35cc}@LastProbeTime   1413503328
Reg  HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters\Wdf@TimeOfLastSqmLog   0xD1 0x57 0xD7 0x8A ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\msisadrv\Parameters\Wdf@TimeOfLastSqmLog   0xE3 0x31 0xD5 0x87 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf@TimeOfLastSqmLog   0x17 0x56 0x15 0x8B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rzendpt\Parameters\Wdf@TimeOfLastSqmLog   0x68 0xA0 0x75 0x8C ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rzmpos\Parameters\Wdf@TimeOfLastSqmLog   0xCE 0x3B 0x73 0x8C ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rzudd\Parameters\Wdf@TimeOfLastSqmLog   0x68 0xA0 0x75 0x8C ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch   3633
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch   687
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F414BB6D-5952-4985-B2C2-740933FBED7D}@LeaseObtainedTime   1413496124
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F414BB6D-5952-4985-B2C2-740933FBED7D}@T1   1413625724
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F414BB6D-5952-4985-B2C2-740933FBED7D}@T2   1413722924
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F414BB6D-5952-4985-B2C2-740933FBED7D}@LeaseTerminatesTime   1413755324
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UCX01000\Parameters\Wdf@TimeOfLastSqmLog   0xDB 0x7F 0xBF 0x8A ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\umbus\Parameters\Wdf@TimeOfLastSqmLog   0x3D 0xE2 0xC1 0x8A ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters\Wdf@TimeOfLastSqmLog   0xA4 0xDB 0x2C 0x8B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters\Wdf@TimeOfLastSqmLog   0x82 0xCC 0x0B 0x8B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\vdrvroot\Parameters\Wdf@TimeOfLastSqmLog   0x38 0x6C 0xEF 0x87 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop   0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown   1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell\Grid@Layout_MaximumAvailableHeightCells   12
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell\Grid@Layout_AvailableHeightCells   12

---- Files - GMER 2.1 ----

File  C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini   47638 bytes

---- EOF - GMER 2.1 ----