GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-01-09 16:56:08
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000026 KINGSTON_SH103S3120G rev.541ABBF0 111,79GB
Running: 7yhmxwgd.exe; Driver: C:\Users\Piotr\AppData\Local\Temp\pxldipog.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\dwm.exe[848] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa6dd8169a 4 bytes [D8, 6D, FA, 7F]
.text C:\Windows\system32\dwm.exe[848] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa6dd816a2 4 bytes [D8, 6D, FA, 7F]
.text C:\Windows\system32\dwm.exe[848] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa6dd8181a 4 bytes [D8, 6D, FA, 7F]
.text C:\Windows\system32\dwm.exe[848] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa6dd81832 4 bytes [D8, 6D, FA, 7F]
.text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa6dd8169a 4 bytes [D8, 6D, FA, 7F]
.text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa6dd816a2 4 bytes [D8, 6D, FA, 7F]
.text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa6dd8181a 4 bytes [D8, 6D, FA, 7F]
.text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa6dd81832 4 bytes [D8, 6D, FA, 7F]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1644] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 506 00007ffa6dd8169a 4 bytes [D8, 6D, FA, 7F]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1644] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 514 00007ffa6dd816a2 4 bytes [D8, 6D, FA, 7F]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1644] C:\Windows\system32\psapi.dll!QueryWorkingSet + 118 00007ffa6dd8181a 4 bytes [D8, 6D, FA, 7F]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1644] C:\Windows\system32\psapi.dll!QueryWorkingSet + 142 00007ffa6dd81832 4 bytes [D8, 6D, FA, 7F]
.text C:\Windows\Explorer.EXE[2428] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa6dd8169a 4 bytes [D8, 6D, FA, 7F]
.text C:\Windows\Explorer.EXE[2428] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa6dd816a2 4 bytes [D8, 6D, FA, 7F]
.text C:\Windows\Explorer.EXE[2428] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa6dd8181a 4 bytes [D8, 6D, FA, 7F]
.text C:\Windows\Explorer.EXE[2428] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa6dd81832 4 bytes [D8, 6D, FA, 7F]

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\csrss.exe [496:520] fffff960009c4b90

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xFF 0x2E 0xE8 0x14 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xD4 0x9A 0xD6 0x2A ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 15
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SAM0302HS3P801176_21_07D7_E5^A5C524B69BD0CB2D58A542061B66EF6F@Timestamp 0xEF 0xFF 0x24 0x37 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 544
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 3873793
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -1143335563
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 18
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 432133810
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 9128
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 1f23e962-3f2c-4790-aee4-4684b27
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{3fdf4913-2845-43c5-aa66-cd644a8d983c}@LastProbeTime 1420815833
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime Pt, sty 09 15, 03:04:40
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 575
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 47
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 17
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{85965589-978F-4728-86CD-45346B52567A}@LeaseObtainedTime 1420812233
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{85965589-978F-4728-86CD-45346B52567A}@T1 1420855433
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{85965589-978F-4728-86CD-45346B52567A}@T2 1420887833
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{85965589-978F-4728-86CD-45346B52567A}@LeaseTerminatesTime 1420898633
Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsBandwidthBucketCounter 12051
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter 181
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0x15 0x58 0x90 0xE0 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0x15 0x58 0x90 0xE0 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0x15 0x58 0x90 0xE0 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter 869653
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter 143
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0x15 0x58 0x90 0xE0 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@RoamingSyncToken LM%3d63556408495213%3bID%3d72B7DABF54824EA3!104%3bLR%3d63556408330780%3bEP%3d4%3bTD%3dTrue%3bSO%3d0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime 0xA6 0x4E 0xA7 0xE1 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0xC5 0x05 0x22 0xEC ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Store@LastStoreActivity 0xF8 0xEA 0xA9 0x23 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Store@LastTileRefresh 0x4E 0x8B 0xF0 0x22 ...

---- EOF - GMER 2.1 ----