GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-21 22:15:49
Windows 6.3.9600 x64 \Device\Harddisk0\DR0 -> \Device\00000038 Hitachi_HTS545050A7E380 rev.GG2OA6C0 465.76GB
Running: 7t9j7msh.exe; Driver: C:\Users\Aneta\AppData\Local\Temp\uxldrpow.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\ntoskrnl.exe!NtCallbackReturn + 960 fffff8007a1cc700 12 bytes [80, CA, A9, FF, 82, 19, B1, ...]
.text C:\WINDOWS\system32\ntoskrnl.exe!NtCallbackReturn + 973 fffff8007a1cc70d 39 bytes [EF, 5B, 02, 00, C4, FF, FF, ...]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!memset] [ce3b490000fd8335]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!_purecall] [41f6ffffd1cb840f]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!wcsncpy_s] [ffffd1b2840f201c]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!realloc] [d1a8820f02197980]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!_wcsicmp] [508d10498b48ffff]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!malloc] [e320058d4c1d]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!calloc] [d8b4800002c8fe8]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!memmove_s] [ffd189e90000fd4c]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!mbstowcs] [fd400d8b48ff]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!??_U@YAPEAX_K@Z] [480000fd39058d48]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!free] [201c41f62174c83b]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!??_V@YAXPEAX@Z] [1572031979801b74]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!__CxxFrameHandler3] [e5058d4c10498b48]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!_CxxThrowException] [1aba0000e2]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!??2@YAPEAX_K@Z] [548b4800002c4fe8]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!_lock] [8d4c34244c8b3824]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!_unlock] [3024448d4c50244c]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!__dllonexit] [95302444c7]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!_onexit] [85f88b0000af27e8]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!_XcptFilter] [fce60d8b485479c0]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!_amsg_exit] [fcdf358d4c0000]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!_initterm] [d113840fce3b4900]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!??1type_info@@UEAA@XZ] [840f201c41f6ffff]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!memcpy_s] [2197980ffffd109]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!_errno] [8b48ffffd0ff820f]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!wcsrchr] [e27f058d4c1049]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!??3@YAXPEAX@Z] [8b440000001bba00]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!memcpy] [8b4800002c0ae8c8]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[USER32.dll!UnregisterClassA] [24448d4100000218]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[USER32.dll!CharNextW] [4cc5030274ed8502]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[USER32.dll!AllowSetForegroundWindow] [8b49f88b44002c8d]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[ADVAPI32.dll!RegCreateKeyExW] [7417f98304488b1b]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[ADVAPI32.dll!RegSetValueExW] [39d2330f75c98504]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[ADVAPI32.dll!RegOpenKeyExW] [e9c38b480a750c58]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[ADVAPI32.dll!RegEnumKeyExW] [8d4cd233fffffda2]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[ADVAPI32.dll!RegQueryInfoKeyW] [d63b4d0001000335]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[ADVAPI32.dll!RegCloseKey] [f641fffff94a840f]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[ADVAPI32.dll!CreateProcessAsUserW] [f641fffff91a840f]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[ADVAPI32.dll!GetUserNameW] [fff90f840f101c42]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[ADVAPI32.dll!RegDeleteValueW] [24bafffff904]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetProcessHeap] [4c01c0f64150247c]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!Sleep] [2454894cd58b49c5]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!HeapDestroy] [7c894430244c8938]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!DisableThreadLibraryCalls] [4420244c89442824]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!FindResourceExW] [e8cb8b486c244c8b]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!LoadResource] [c085d88b000051e0]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!SizeofResource] [ff57158b4c4e79]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!MultiByteToWideChar] [ff50358d4c00]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!RaiseException] [197a80412674101c]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!lstrcmpiW] [75058d4c104a8b49]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!RtlCaptureContext] [85e8c88b440000e4]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!RtlLookupFunctionEntry] [ff1e158b4c00002e]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!RtlVirtualUnwind] [a39be8cb8b0000]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!UnhandledExceptionFilter] [ffffd223e9d88b00]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [330000ff09158b4c]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetCurrentProcess] [ff00358d4cd2]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!TerminateProcess] [ffffffd20ee9da8b]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!QueryPerformanceCounter] [448b4c0001213b15]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetCurrentProcessId] [ffc88b48d2337824]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetCurrentThreadId] [158b4c0001213b15]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [f6e9d2330000fedc]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetTickCount] [4197a8041ffffd1]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!OutputDebugStringA] [8b49ffffd200820f]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!HeapFree] [e407058d4c104a]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetModuleFileNameW] [8b440000002eba00]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!CreateFileW] [e9c28bffffd1e1e9]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetLastError] [197980ccffffd1ed]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!DeviceIoControl] [48ffffd26a820f04]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!CloseHandle] [e456058d4c10498b]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!SetEnvironmentVariableW] [e82024748948cb8b]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!ExpandEnvironmentStringsW] [750d8b480000ab98]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!WTSGetActiveConsoleSessionId] [ffffd241e90000fe]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!CreateProcessW] [a2820f04197980cc]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!WaitForSingleObject] [18baffffd2]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetExitCodeProcess] [480000001cba05eb]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetModuleHandleW] [e416058d4c10498b]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!FreeLibrary] [4800002d85e80000]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetProcAddress] [7ae90000fe420d8b]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!LoadLibraryExW] [4024748b4cffffd2]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[SETUPAPI.dll!SetupDiGetDeviceInterfaceAlias] [74c83b480000fe1c]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[SETUPAPI.dll!SetupDiOpenDeviceInterfaceW] [801a74201c41f620]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[SETUPAPI.dll!SetupDiCreateDeviceInfoList] [498b481472031979]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[SETUPAPI.dll!SetupDiGetClassDevsW] [58d4c19568d4110]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[SETUPAPI.dll!SetupDiGetDeviceInterfaceDetailW] [2d33e80000e3c4]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[SETUPAPI.dll!SetupDiEnumDeviceInterfaces] [85453424748b4400]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[SETUPAPI.dll!SetupDiGetClassDevsExW] [38247c8b4c2a74f6]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[SETUPAPI.dll!SetupDiGetCustomDevicePropertyW] [1d7300000096fd81]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[SETUPAPI.dll!SetupDiDestroyDeviceInfoList] [f42001c8d48c58b]
IAT C:\WINDOWS\Explorer.EXE[1188] @ C:\Windows\System32\EhStorAPI.dll[WTSAPI32.dll!WTSQueryUserToken] [143850fc08548d8]

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\system32\csrss.exe [492:516] fffff960008412d0

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----