GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2015-01-05 20:20:24
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002b SanDisk_SDSSDP128G rev.2.0.0 119,24GB
Running: m57g1hli.exe; Driver: C:\Users\Kaja\AppData\Local\Temp\pxldqpow.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2132]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffd6e03169a 4 bytes [03, 6E, FD, 7F]
.text  C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2132]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffd6e0316a2 4 bytes [03, 6E, FD, 7F]
.text  C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2132]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffd6e03181a 4 bytes [03, 6E, FD, 7F]
.text  C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2132]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffd6e031832 4 bytes [03, 6E, FD, 7F]
.text  C:\Windows\system32\dwm.exe[4424]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffd6e03169a 4 bytes [03, 6E, FD, 7F]
.text  C:\Windows\system32\dwm.exe[4424]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffd6e0316a2 4 bytes [03, 6E, FD, 7F]
.text  C:\Windows\system32\dwm.exe[4424]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffd6e03181a 4 bytes [03, 6E, FD, 7F]
.text  C:\Windows\system32\dwm.exe[4424]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffd6e031832 4 bytes [03, 6E, FD, 7F]
.text  C:\Windows\system32\nvvsvc.exe[4452]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffd6e03169a 4 bytes [03, 6E, FD, 7F]
.text  C:\Windows\system32\nvvsvc.exe[4452]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffd6e0316a2 4 bytes [03, 6E, FD, 7F]
.text  C:\Windows\system32\nvvsvc.exe[4452]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffd6e03181a 4 bytes [03, 6E, FD, 7F]
.text  C:\Windows\system32\nvvsvc.exe[4452]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffd6e031832 4 bytes [03, 6E, FD, 7F]
.text  C:\Windows\Explorer.EXE[1076]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffd6e03169a 4 bytes [03, 6E, FD, 7F]
.text  C:\Windows\Explorer.EXE[1076]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffd6e0316a2 4 bytes [03, 6E, FD, 7F]
.text  C:\Windows\Explorer.EXE[1076]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffd6e03181a 4 bytes [03, 6E, FD, 7F]
.text  C:\Windows\Explorer.EXE[1076]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffd6e031832 4 bytes [03, 6E, FD, 7F]
.text  C:\Program Files\DellTPad\Apoint.exe[4040]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffd6e03169a 4 bytes [03, 6E, FD, 7F]
.text  C:\Program Files\DellTPad\Apoint.exe[4040]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffd6e0316a2 4 bytes [03, 6E, FD, 7F]
.text  C:\Program Files\DellTPad\Apoint.exe[4040]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffd6e03181a 4 bytes [03, 6E, FD, 7F]
.text  C:\Program Files\DellTPad\Apoint.exe[4040]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffd6e031832 4 bytes [03, 6E, FD, 7F]
.text  C:\Program Files\DellTPad\ApMsgFwd.exe[4672]  C:\Windows\system32\PSAPI.dll!GetModuleBaseNameA + 506  00007ffd6e03169a 4 bytes [03, 6E, FD, 7F]
.text  C:\Program Files\DellTPad\ApMsgFwd.exe[4672]  C:\Windows\system32\PSAPI.dll!GetModuleBaseNameA + 514  00007ffd6e0316a2 4 bytes [03, 6E, FD, 7F]
.text  C:\Program Files\DellTPad\ApMsgFwd.exe[4672]  C:\Windows\system32\PSAPI.dll!QueryWorkingSet + 118  00007ffd6e03181a 4 bytes [03, 6E, FD, 7F]
.text  C:\Program Files\DellTPad\ApMsgFwd.exe[4672]  C:\Windows\system32\PSAPI.dll!QueryWorkingSet + 142  00007ffd6e031832 4 bytes [03, 6E, FD, 7F]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [5720:6044]  fffff960008d34d0
Thread  C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [5156:5332]  00007ffd59b3bc60
Thread  C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [5244:4188]  00007ffd58d9f5f8
Thread  C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [5244:2028]  00007ffd59b3bc60

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Diagnostics\Performance@ActiveShutdownDCL  C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.001
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD024B0_00_07DA_56^8CBD21C2BEBA147124FAF3C6A3A75BCF@Timestamp  0xC6 0xDD 0x0C 0x5C ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  -390436465
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime  11626
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\c0cb38cd6d5f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\HidUsb@DisplayName  @input.inf,%HID.SvcDesc%;Microsoft HID Class Driver
Reg  HKLM\SYSTEM\CurrentControlSet\Services\HidUsb@Owners  input.inf?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{158CDAFE-F24C-47DF-864B-0B4BF4FA9D66}@DefunctTimestamp  0x60 0xB4 0xAA 0x54 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-12-2a-c9-1b-81@AddressCreationTimestamp  0x89 0x45 0xBB 0x0A ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\mouclass@Owners  oem1.inf?termmou.inf?msmouse.inf?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\mouhid@DisplayName  @msmouse.inf,%MOUHID.SvcDesc%;Mouse HID Driver
Reg  HKLM\SYSTEM\CurrentControlSet\Services\mouhid@Owners  msmouse.inf?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  421
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  20
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1DEC7BE0-65FE-4D74-8528-E5B6D589BA1A}@LeaseObtainedTime  1420473477
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1DEC7BE0-65FE-4D74-8528-E5B6D589BA1A}@T1  1420516677
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1DEC7BE0-65FE-4D74-8528-E5B6D589BA1A}@T2  1420549077
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1DEC7BE0-65FE-4D74-8528-E5B6D589BA1A}@LeaseTerminatesTime  1420559877
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AA58ED58-01DD-4D91-8333-CF10577473F7}\iexplore@Count  9
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter  63
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime  0x34 0xB2 0x76 0x2C ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime  0x34 0xB2 0x76 0x2C ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime  0x34 0xB2 0x76 0x2C ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter  40
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime  0x34 0xB2 0x76 0x2C ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@RoamingSyncToken  LM%3d63556070516577%3bID%3d8D2FE4ABA6408F63!104%3bLR%3d63556072338277%3bEP%3d4%3bTD%3dTrue%3bSO%3d0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest  0x6E 0x53 0xD8 0xAB ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations  2
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Store@LastStoreActivity  0xCC 0x53 0x0B 0xB2 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Store@LastTileRefresh  0xAA 0x3D 0xC5 0xA5 ...

---- EOF - GMER 2.1 ----