GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-12-26 12:06:10 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000038 Hitachi_HTS545050A7E380 rev.GG2OA6C0 465,76GB Running: xsdy08kd.exe; Driver: C:\Users\axis\AppData\Local\Temp\fxriqaoc.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff960001c1100 7 bytes [40, 4F, 82, 01, 00, 51, F2] .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 8 fffff960001c1108 7 bytes [01, 15, C0, FF, 00, 12, DB] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\csrss.exe[512] C:\WINDOWS\SYSTEM32\kernel32.dll!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\system32\wininit.exe[556] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\system32\csrss.exe[572] C:\WINDOWS\SYSTEM32\kernel32.dll!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\system32\winlogon.exe[616] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\system32\services.exe[656] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\system32\lsass.exe[664] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[772] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[844] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\System32\svchost.exe[896] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[968] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\System32\svchost.exe[1016] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\system32\dwm.exe[328] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[1064] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\System32\spoolsv.exe[1408] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[1468] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\Program Files\Bonjour\mDNSResponder.exe[1600] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\Program Files\Common Files\Nitro\Reader\3.0\NitroPDFReaderDriverService3x64.exe[1664] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[1784] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[1820] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\system32\taskhostex.exe[2276] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\Explorer.EXE[2284] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\Explorer.EXE[2284] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fced5f1532 4 bytes [5F, ED, FC, 07] .text C:\WINDOWS\Explorer.EXE[2284] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fced5f153a 4 bytes [5F, ED, FC, 07] .text C:\WINDOWS\Explorer.EXE[2284] C:\WINDOWS\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fced5f165a 4 bytes [5F, ED, FC, 07] .text C:\WINDOWS\system32\SearchIndexer.exe[2112] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\Windows\System32\igfxtray.exe[1036] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\Windows\System32\hkcmd.exe[2380] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\Windows\System32\igfxpers.exe[2980] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\Windows\System32\igfxpers.exe[2980] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fcf583177a 4 bytes [83, F5, FC, 07] .text C:\Windows\System32\igfxpers.exe[2980] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fcf5831782 4 bytes [83, F5, FC, 07] .text C:\Program Files\iPod\bin\iPodService.exe[3140] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\system32\taskhost.exe[652] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\system32\WLANExt.exe[3716] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] .text C:\WINDOWS\system32\conhost.exe[4112] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fcf320f7eb 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [572:596] fffff960008d45e8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -1756476719 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 4712 ---- EOF - GMER 2.1 ----