GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-06-01 20:30:42
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 298,09GB
Running: t69yg8fu.exe; Driver: C:\Users\ASIA\AppData\Local\Temp\pxldrpoc.sys

---- User code sections - GMER 2.1 ----

.reloc C:\Windows\system32\services.exe [560] section is executable [0x4A8, 0xA0000020] 0000000100052000
.text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1492] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000761a1465 2 bytes [1A, 76]
.text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1492] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000761a14bb 2 bytes [1A, 76]
.text ... * 2
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1176] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 000000007529d03c 4 bytes [C2, 04, 00, 00]

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\services.exe [560:616] 00000000001a1e58
Thread C:\Windows\system32\services.exe [560:736] 00000000001d1808
Thread C:\Windows\system32\services.exe [560:744] 00000000004b4c70
Thread C:\Windows\system32\services.exe [560:800] 00000000004b4550
Thread C:\Windows\system32\services.exe [560:804] 00000000004b8ea0

---- Processes - GMER 2.1 ----

Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\wininit.exe [488] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2009-07-13 23:21:39) 000007fefca80000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [828] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2009-07-13 23:21:39) 000007fefca80000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [876] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2009-07-13 23:21:39) 000007fefca80000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [996] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2009-07-13 23:21:39) 000007fefca80000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [1012] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2009-07-13 23:21:39) 000007fefca80000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\System32\spoolsv.exe [1240] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2009-07-13 23:21:39) 000007fefca80000
Library \\.\globalroot\systemroot\syswow64\mswsock.dll (*** suspicious ***) @ C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [1492] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2009-07-13 23:12:34) 000000006edc0000
Library \\.\globalroot\systemroot\syswow64\mswsock.dll (*** suspicious ***) @ C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [1176] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2009-07-13 23:12:34) 000000006edc0000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [2136] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2009-07-13 23:21:39) 000007fefca80000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2360] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2009-07-13 23:21:39) 000007fefca80000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [3500] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2009-07-13 23:21:39) 000007fefca80000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Program Files\Windows Media Player\wmpnetwk.exe [3244] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2009-07-13 23:21:39) 000007fefca80000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e839df200093
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xCA 0xCC 0x81 0xCE ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7C 0xCD 0xD2 0xA4 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e839df200093 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xCA 0xCC 0x81 0xCE ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7C 0xCD 0xD2 0xA4 ...

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- Files - GMER 2.1 ----

File C:\Program Files\Windows Defender\pl-PL\MpAsDesc.dll.mui 41472 bytes executable
File C:\Program Files\Windows Defender\pl-PL\MpEvMsg.dll.mui 17920 bytes executable
File C:\Program Files\Windows Defender\pl-PL\MsMpRes.dll.mui 53248 bytes executable
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B51774Y2\st[4] 4518 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\H5X87GW3.txt 407 bytes

---- EOF - GMER 2.1 ----