GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-03-12 01:19:07
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500LM012_HN-M500MBB rev.2BA30001 465.76GB
Running: gmer.exe; Driver: C:\Users\bf\AppData\Local\Temp\pxldqpow.sys

---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\atiesrxx.exe[832] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ff9a9fe169a 4 bytes [FE, A9, F9, 7F]
.text  C:\Windows\system32\atiesrxx.exe[832] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ff9a9fe16a2 4 bytes [FE, A9, F9, 7F]
.text  C:\Windows\system32\atiesrxx.exe[832] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ff9a9fe181a 4 bytes [FE, A9, F9, 7F]
.text  C:\Windows\system32\atiesrxx.exe[832] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ff9a9fe1832 4 bytes [FE, A9, F9, 7F]
.text  C:\Program Files\Windows Defender\MsMpEng.exe[1400] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 506  00007ff9a9fe169a 4 bytes [FE, A9, F9, 7F]
.text  C:\Program Files\Windows Defender\MsMpEng.exe[1400] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 514  00007ff9a9fe16a2 4 bytes [FE, A9, F9, 7F]
.text  C:\Program Files\Windows Defender\MsMpEng.exe[1400] C:\Windows\system32\psapi.dll!QueryWorkingSet + 118  00007ff9a9fe181a 4 bytes [FE, A9, F9, 7F]
.text  C:\Program Files\Windows Defender\MsMpEng.exe[1400] C:\Windows\system32\psapi.dll!QueryWorkingSet + 142  00007ff9a9fe1832 4 bytes [FE, A9, F9, 7F]
.text  C:\Windows\system32\atieclxx.exe[1868] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ff9a9fe169a 4 bytes [FE, A9, F9, 7F]
.text  C:\Windows\system32\atieclxx.exe[1868] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ff9a9fe16a2 4 bytes [FE, A9, F9, 7F]
.text  C:\Windows\system32\atieclxx.exe[1868] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ff9a9fe181a 4 bytes [FE, A9, F9, 7F]
.text  C:\Windows\system32\atieclxx.exe[1868] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ff9a9fe1832 4 bytes [FE, A9, F9, 7F]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [472:496]  fffff960008ea4d0

---- Processes - GMER 2.1 ----

Library  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{9877E72B-AFC7-43A0-9951-73A43F178483}\mpengine.dll (*** suspicious ***) @ C:\Program Files\Windows Defender\MsMpEng.exe [1400] (Microsoft Malware Protection Engine/Microsoft Corporation)(2014-03-11 16:40:21)  00007ff99fd60000
Process  C:\Users\bf\AppData\Local\Temp\Temp4_gmer.zip\gmer.exe (*** suspicious ***) @ C:\Users\bf\AppData\Local\Temp\Temp4_gmer.zip\gmer.exe [1812](2014-01-29 01:36:04)  0000000000400000

---- Services - GMER 2.1 ----

Service  C:\Windows\servicing\TrustedInstaller.exe (*** hidden *** ) [AUTO] TrustedInstaller  <-- ROOTKIT !!!

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime  0x3F 0xFB 0xE5 0x7E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime  0xCA 0xA8 0x01 0x12 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime  0xD6 0xBE 0xEA 0x7E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime  0x2E 0x70 0x06 0x12 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@en-US  6
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD02F70_00_07DA_0E^9F3C8323518088394B1C1D6ACF1D201E@Timestamp  0xBA 0xD5 0x50 0x0C ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  468
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{06DDBA98-7A52-40A0-AB8C-D49CD6DFE834}\Connection@Name  Reusable ISATAP Interface {06DDBA98-7A52-40A0-AB8C-D49CD6DFE834}
Reg  HKLM\SYSTEM\CurrentControlSet\Control\PnP@DisableLKG  1
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber  3899985
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  -861054373
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId  8
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime  406422055
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime  0
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID  7dc24338-9ec1-4290-9b1b-bded9de
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications\Components\TrustedInstaller@Events  CreateSession
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\acpiex\Parameters\Wdf@TimeOfLastSqmLog  0x5D 0xA4 0xDB 0x06 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\AmdPPM\Parameters\Wdf@TimeOfLastSqmLog  0xA5 0xD5 0x8B 0x0F ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\cdrom\Parameters\Wdf@TimeOfLastSqmLog  0x21 0xA6 0x72 0x10 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters\Wdf@TimeOfLastSqmLog  0xA5 0xD5 0x8B 0x0F ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{ea8aca84-f78a-43dd-a64d-805195b1b759}@LastProbeTime  1394458275
Reg  HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters\Wdf@TimeOfLastSqmLog  0x70 0x4D 0xA1 0x0F ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{06DDBA98-7A52-40A0-AB8C-D49CD6DFE834}@InterfaceName  Reusable ISATAP Interface {06DDBA98-7A52-40A0-AB8C-D49CD6DFE834}
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{06DDBA98-7A52-40A0-AB8C-D49CD6DFE834}@ReusableType  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{06DDBA98-7A52-40A0-AB8C-D49CD6DFE834}@DefunctTimestamp  0xD2 0xFD 0x1F 0x53 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\monitor\Parameters\Wdf@TimeOfLastSqmLog  0x34 0xF5 0x37 0x12 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\msisadrv\Parameters\Wdf@TimeOfLastSqmLog  0x50 0x05 0xFD 0x06 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf@TimeOfLastSqmLog  0xCA 0x79 0xA2 0x10 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PEAUTH\Parameters\Wdf@TimeOfLastSqmLog  0xB6 0xDA 0x5A 0x1A ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime  ?Mon?, ?Mar ?10 ?14, 02:12:29 PM??g???????g???????:???????g????
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  686
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  36
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence  5
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B731FB25-6A5C-4AC1-B5F0-CF30B2A24A6D}@DhcpIPAddress  192.168.1.9
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B731FB25-6A5C-4AC1-B5F0-CF30B2A24A6D}@LeaseObtainedTime  1394589995
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B731FB25-6A5C-4AC1-B5F0-CF30B2A24A6D}@T1  1394633195
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B731FB25-6A5C-4AC1-B5F0-CF30B2A24A6D}@T2  1394665595
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B731FB25-6A5C-4AC1-B5F0-CF30B2A24A6D}@LeaseTerminatesTime  1394676395
Reg  HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UCX01000\Parameters\Wdf@TimeOfLastSqmLog  0x1F 0xFD 0x73 0x0F ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\umbus\Parameters\Wdf@TimeOfLastSqmLog  0xA5 0xD5 0x8B 0x0F ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters\Wdf@TimeOfLastSqmLog  0x19 0x0B 0xE7 0x10 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters\Wdf@TimeOfLastSqmLog  0x44 0x09 0x75 0x10 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\vdrvroot\Parameters\Wdf@TimeOfLastSqmLog  0x31 0xB0 0x58 0x07 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\vwifibus\Parameters\Wdf@TimeOfLastSqmLog  0x21 0xA6 0x72 0x10 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop  0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer@ScreenshotIndex  40
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Package Uninstallation@Microsoft.ZuneVideo_8wekyb3d8bbwe  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce@Report  C:\AdwCleaner\AdwCleaner[S0].txt

---- EOF - GMER 2.1 ----