GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-11-08 20:48:49 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.01.0 298,09GB Running: ze3c8ek5.exe; Driver: C:\Users\KAMILK~1\AppData\Local\Temp\pxldqpod.sys ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwRenameKey + 1549 8384CF05 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83887292 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ---- User code sections - GMER 2.2 ---- .text C:\Program Files\Internet Explorer\iexplore.exe[704] shell32.DLL!RealDriveType + 173D 76E5FCA0 4 Bytes [80, C0, 07, 67] .text C:\Program Files\Internet Explorer\iexplore.exe[704] shell32.DLL!RealDriveType + 1745 76E5FCA8 8 Bytes [10, 12, 07, 67, 50, C1, 07, ...] {ADC [EDX], DL; POP ES; PUSH EAX; ROL DWORD [EDI], 0x67} .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1832] kernel32.dll!SetUnhandledExceptionFilter 7666F6AB 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\Internet Explorer\iexplore.exe[3700] shell32.DLL!RealDriveType + 173D 76E5FCA0 4 Bytes [80, C0, 07, 67] .text C:\Program Files\Internet Explorer\iexplore.exe[3700] shell32.DLL!RealDriveType + 1745 76E5FCA8 8 Bytes [10, 12, 07, 67, 50, C1, 07, ...] {ADC [EDX], DL; POP ES; PUSH EAX; ROL DWORD [EDI], 0x67} .text C:\Program Files\CCleaner\CCleaner.exe[4256] USER32.dll!SetScrollRange 76558E93 5 Bytes JMP 01479B11 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[4256] USER32.dll!GetScrollInfo 76562D7B 5 Bytes JMP 01479A98 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[4256] USER32.dll!SetScrollInfo 765648B2 5 Bytes JMP 01479B4E C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[4256] USER32.dll!GetScrollRange 7658042A 5 Bytes JMP 01479A2F C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[4256] USER32.dll!SetScrollPos 7658048E 5 Bytes JMP 01479A04 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[4256] USER32.dll!GetScrollPos 76580E13 5 Bytes JMP 01479A6D C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[4256] USER32.dll!EnableScrollBar 7658199E 5 Bytes JMP 01479B88 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[4256] USER32.dll!ShowScrollBar 76583C59 5 Bytes JMP 01479AD1 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\Internet Explorer\iexplore.exe[4692] shell32.DLL!RealDriveType + 173D 76E5FCA0 4 Bytes [80, C0, 07, 67] .text C:\Program Files\Internet Explorer\iexplore.exe[4692] shell32.DLL!RealDriveType + 1745 76E5FCA8 8 Bytes [10, 12, 07, 67, 50, C1, 07, ...] {ADC [EDX], DL; POP ES; PUSH EAX; ROL DWORD [EDI], 0x67} .text C:\Program Files\Internet Explorer\iexplore.exe[6596] shell32.DLL!RealDriveType + 173D 76E5FCA0 4 Bytes [80, C0, 07, 67] .text C:\Program Files\Internet Explorer\iexplore.exe[6596] shell32.DLL!RealDriveType + 1745 76E5FCA8 8 Bytes [10, 12, 07, 67, 50, C1, 07, ...] {ADC [EDX], DL; POP ES; PUSH EAX; ROL DWORD [EDI], 0x67} .text C:\Program Files\Mozilla Firefox\firefox.exe[7452] ntdll.dll!LdrLoadDll 77B22101 5 Bytes JMP 74AD64A0 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[7452] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 766695DE 7 Bytes JMP 5F6887EB C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[7452] kernel32.dll!QueryPerformanceCounter + 13 7666C5E5 7 Bytes JMP 5F6895DD C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[7452] kernel32.dll!LoadAppInitDlls + 355 7666F6A6 2 Bytes JMP 5F3C870F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[7452] kernel32.dll!LoadAppInitDlls + 358 7666F6A9 4 Bytes CALL 01BCF099 .text C:\Program Files\Mozilla Firefox\firefox.exe[7452] USER32.dll!CreateWindowExA 7655BF10 5 Bytes JMP 5F80CAEA C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[7452] USER32.dll!CreateWindowExW 7655EC4C 5 Bytes JMP 5F37C7B8 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[7452] USER32.dll!GetWindowInfo 76564B36 5 Bytes JMP 6029D518 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[7452] GDI32.dll!GetViewportOrgEx + 26C 7604876B 7 Bytes JMP 5F688097 C:\Program Files\Mozilla Firefox\xul.dll ---- User IAT/EAT - GMER 2.2 ---- IAT C:\windows\Explorer.EXE[2932] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74005661] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23545_none_5c06d189a00e2c29\gdiplus.dll IAT C:\windows\Explorer.EXE[2932] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [7400571F] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23545_none_5c06d189a00e2c29\gdiplus.dll IAT C:\windows\Explorer.EXE[2932] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [740224BF] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23545_none_5c06d189a00e2c29\gdiplus.dll IAT C:\windows\Explorer.EXE[2932] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipFree] [7402253A] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23545_none_5c06d189a00e2c29\gdiplus.dll IAT C:\windows\Explorer.EXE[2932] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7401859B] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23545_none_5c06d189a00e2c29\gdiplus.dll IAT C:\windows\Explorer.EXE[2932] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74014D4F] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23545_none_5c06d189a00e2c29\gdiplus.dll IAT C:\windows\Explorer.EXE[2932] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [740150F6] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23545_none_5c06d189a00e2c29\gdiplus.dll IAT C:\windows\Explorer.EXE[2932] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [740151CB] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23545_none_5c06d189a00e2c29\gdiplus.dll IAT C:\windows\Explorer.EXE[2932] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [740166F8] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23545_none_5c06d189a00e2c29\gdiplus.dll IAT C:\windows\Explorer.EXE[2932] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [740182F2] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23545_none_5c06d189a00e2c29\gdiplus.dll IAT C:\windows\Explorer.EXE[2932] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74018841] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23545_none_5c06d189a00e2c29\gdiplus.dll IAT C:\windows\Explorer.EXE[2932] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [740190A2] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23545_none_5c06d189a00e2c29\gdiplus.dll IAT C:\windows\Explorer.EXE[2932] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7401E245] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23545_none_5c06d189a00e2c29\gdiplus.dll IAT C:\windows\Explorer.EXE[2932] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74014C81] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23545_none_5c06d189a00e2c29\gdiplus.dll ---- Devices - GMER 2.2 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Threads - GMER 2.2 ---- Thread System [4:844] 88A5D340 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e02a82cd5282 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e02a82cd5282@0025e7139fb4 0xD8 0x49 0xDF 0x0D ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e02a82cd5282@80501bcf39ed 0xDD 0xD7 0xC1 0x58 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e02a82cd5282@a8922c289ca6 0xDB 0x15 0x3E 0x17 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e02a82cd5282@001f5d5a947c 0xA2 0x62 0x0E 0x5B ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e02a82cd5282 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e02a82cd5282@0025e7139fb4 0xD8 0x49 0xDF 0x0D ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e02a82cd5282@80501bcf39ed 0xDD 0xD7 0xC1 0x58 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e02a82cd5282@a8922c289ca6 0xDB 0x15 0x3E 0x17 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e02a82cd5282@001f5d5a947c 0xA2 0x62 0x0E 0x5B ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\PerfTrack\ScenarioOccurrences\2@TotalOccurrences 4954 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\PerfTrack\ScenarioOccurrences\2@OccurrencesLessThanOrEqualTo100ScaledTPI 1790 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\PerfTrack\ScenarioOccurrences\20@TotalOccurrences 8909 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\PerfTrack\ScenarioOccurrences\20@OccurrencesLessThanOrEqualTo25ScaledTPI 1508 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\PerfTrack\ScenarioOccurrences\278@OccurrencesLessThanOrEqualTo0ScaledTPI 1592 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\PerfTrack\ScenarioOccurrences\278@TotalOccurrences 1599 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\PerfTrack\ScenarioOccurrences\279@TotalOccurrences 1714 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\PerfTrack\ScenarioOccurrences\279@OccurrencesLessThanOrEqualTo100ScaledTPI 1210 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@CDCAA206 4046 ---- Files - GMER 2.2 ---- File C:\Windows\System32\NDF\{38063EB1-DCE9-4A29-BB32-8221C1E3142F}-Session-11082016-1925.etl 262144 bytes ---- EOF - GMER 2.2 ----