GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-05-04 11:57:57
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500420AS rev.0005HPM1 465,76GB
Running: mergu70b.exe; Driver: C:\Users\MIC\AppData\Local\Temp\uxtdypoc.sys

---- Kernel code sections - GMER 2.2 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- User code sections - GMER 2.2 ----

.text C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077721401 2 bytes JMP 75ddeb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe[984] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077721419 2 bytes JMP 75deb513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077721431 2 bytes JMP 75e68609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007772144a 2 bytes CALL 75dc1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe[984] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000777214dd 2 bytes JMP 75e67efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000777214f5 2 bytes JMP 75e680d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe[984] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007772150d 2 bytes JMP 75e67df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077721525 2 bytes JMP 75e681c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007772153d 2 bytes JMP 75ddf088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe[984] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077721555 2 bytes JMP 75deb885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007772156d 2 bytes JMP 75e686c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077721585 2 bytes JMP 75e68222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe[984] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007772159d 2 bytes JMP 75e67db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000777215b5 2 bytes JMP 75ddf121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000777215cd 2 bytes JMP 75deb29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000777216b2 2 bytes JMP 75e68584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe[984] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000777216bd 2 bytes JMP 75e67d4d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1456] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077721401 2 bytes JMP 75ddeb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1456] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077721419 2 bytes JMP 75deb513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077721431 2 bytes JMP 75e68609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007772144a 2 bytes CALL 75dc1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1456] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000777214dd 2 bytes JMP 75e67efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1456] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000777214f5 2 bytes JMP 75e680d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1456] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007772150d 2 bytes JMP 75e67df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1456] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077721525 2 bytes JMP 75e681c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1456] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007772153d 2 bytes JMP 75ddf088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1456] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077721555 2 bytes JMP 75deb885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1456] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007772156d 2 bytes JMP 75e686c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1456] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077721585 2 bytes JMP 75e68222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1456] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007772159d 2 bytes JMP 75e67db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1456] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000777215b5 2 bytes JMP 75ddf121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1456] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000777215cd 2 bytes JMP 75deb29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1456] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000777216b2 2 bytes JMP 75e68584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1456] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000777216bd 2 bytes JMP 75e67d4d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3316] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077721401 2 bytes JMP 75ddeb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3316] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077721419 2 bytes JMP 75deb513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077721431 2 bytes JMP 75e68609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007772144a 2 bytes CALL 75dc1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3316] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000777214dd 2 bytes JMP 75e67efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3316] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000777214f5 2 bytes JMP 75e680d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3316] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007772150d 2 bytes JMP 75e67df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3316] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077721525 2 bytes JMP 75e681c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3316] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007772153d 2 bytes JMP 75ddf088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3316] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077721555 2 bytes JMP 75deb885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3316] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007772156d 2 bytes JMP 75e686c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3316] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077721585 2 bytes JMP 75e68222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3316] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007772159d 2 bytes JMP 75e67db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3316] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000777215b5 2 bytes JMP 75ddf121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3316] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000777215cd 2 bytes JMP 75deb29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3316] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000777216b2 2 bytes JMP 75e68584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe[3316] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000777216bd 2 bytes JMP 75e67d4d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1644] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077721401 2 bytes JMP 75ddeb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1644] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077721419 2 bytes JMP 75deb513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1644] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077721431 2 bytes JMP 75e68609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1644] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007772144a 2 bytes CALL 75dc1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1644] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000777214dd 2 bytes JMP 75e67efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1644] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000777214f5 2 bytes JMP 75e680d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1644] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007772150d 2 bytes JMP 75e67df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1644] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077721525 2 bytes JMP 75e681c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1644] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007772153d 2 bytes JMP 75ddf088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1644] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077721555 2 bytes JMP 75deb885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1644] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007772156d 2 bytes JMP 75e686c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1644] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077721585 2 bytes JMP 75e68222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1644] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007772159d 2 bytes JMP 75e67db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1644] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000777215b5 2 bytes JMP 75ddf121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1644] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000777215cd 2 bytes JMP 75deb29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1644] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000777216b2 2 bytes JMP 75e68584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1644] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000777216bd 2 bytes JMP 75e67d4d C:\Windows\syswow64\kernel32.dll
? C:\Windows\system32\mssprxy.dll [1644] entry point in ".rdata" section 0000000073e671e6

---- Threads - GMER 2.2 ----

Thread C:\Windows\system32\winlogon.exe [488:552] 000007fefd3ba5e4
Thread C:\Windows\system32\winlogon.exe [488:556] 000007fefd3ba5e4

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \A??Data\Local\Temp\ose00000.exe ... \C:\ProgramData\Microsoft Help\Rgstrtn.lck ... LocalSystem ... hidirkbd.inf:MicrosoftHw.NTamd64...1:eHome_106_Keyboard_Inst:6.1.7600.16385::hid\irdevicev2&col07 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002713390585
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002713390585 (not active ControlSet)

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- Files - GMER 2.2 ----

File C:\Windows\winsxs\x86_netfx-aspnet_defwsdlhlpgen_b03f5f7f11d50a3a_6.1.7600.16385_none_0d1a731008072b5c 0 bytes
File C:\Windows\winsxs\x86_netfx-aspnet_defwsdlhlpgen_b03f5f7f11d50a3a_6.1.7600.16385_none_0d1a731008072b5c\DefaultWsdlHelpGenerator.aspx 70433 bytes

---- EOF - GMER 2.2 ----