GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-03-18 20:47:39
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000064 Hitachi_ rev.PB3O 298,09GB
Running: zp42yxd4.exe; Driver: C:\Users\Witek\AppData\Local\Temp\axldakog.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076331465 2 bytes [33, 76]
.text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763314bb 2 bytes [33, 76]
.text ... * 2
.text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076331465 2 bytes [33, 76]
.text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763314bb 2 bytes [33, 76]
.text ... * 2
.text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076331465 2 bytes [33, 76]
.text C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe[1916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763314bb 2 bytes [33, 76]
.text ... * 2
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2052] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076331465 2 bytes [33, 76]
.text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[2052] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763314bb 2 bytes [33, 76]
.text ... * 2
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076331465 2 bytes [33, 76]
.text C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763314bb 2 bytes [33, 76]
.text ... * 2
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2276] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076331465 2 bytes [33, 76]
.text C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe[2276] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763314bb 2 bytes [33, 76]
.text ... * 2
? C:\Windows\system32\mssprxy.dll [2424] entry point in ".rdata" section 000000006f6e71e6
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076331465 2 bytes [33, 76]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763314bb 2 bytes [33, 76]
.text ... * 2
.text C:\Program Files (x86)\AVG Secure Search\vprot.exe[5196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076331465 2 bytes [33, 76]
.text C:\Program Files (x86)\AVG Secure Search\vprot.exe[5196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763314bb 2 bytes [33, 76]
.text ... * 2

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[4736] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!FreeLibraryAndExitThread] [10002350] C:\Program Files (x86)\EgisTec\MyWinLocker 3\x64\psdprotect.dll
IAT C:\Windows\Explorer.EXE[4736] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateThread] [10003450] C:\Program Files (x86)\EgisTec\MyWinLocker 3\x64\psdprotect.dll
IAT C:\Windows\Explorer.EXE[4736] @ C:\Windows\system32\SHELL32.dll[KERNEL32.dll!LoadLibraryA] [100011e0] C:\Program Files (x86)\EgisTec\MyWinLocker 3\x64\psdprotect.dll

---- Threads - GMER 2.1 ----

Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3532:4960] 000007fefa5b2a7c

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{42C10A36-3D6B-4384-A43C-8BC6FC3C1DD1}\Connection@Name isatap.{5371B326-6FA6-49EA-836A-79E0393A25D7}
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{42C10A36-3D6B-4384-A43C-8BC6FC3C1DD1}?\Device\{D27FC069-98C0-4539-8EE1-806F4ABCB1A8}?\Device\{82BBCE8D-DA24-41DF-B571-00B89F6B8496}?\Device\{B4B67F57-EEA2-439F-88CB-ABC99A72587A}?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{42C10A36-3D6B-4384-A43C-8BC6FC3C1DD1}"?"{D27FC069-98C0-4539-8EE1-806F4ABCB1A8}"?"{82BBCE8D-DA24-41DF-B571-00B89F6B8496}"?"{B4B67F57-EEA2-439F-88CB-ABC99A72587A}"?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{42C10A36-3D6B-4384-A43C-8BC6FC3C1DD1}?\Device\TCPIP6TUNNEL_{D27FC069-98C0-4539-8EE1-806F4ABCB1A8}?\Device\TCPIP6TUNNEL_{82BBCE8D-DA24-41DF-B571-00B89F6B8496}?\Device\TCPIP6TUNNEL_{B4B67F57-EEA2-439F-88CB-ABC99A72587A}?
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{42C10A36-3D6B-4384-A43C-8BC6FC3C1DD1}@InterfaceName isatap.{5371B326-6FA6-49EA-836A-79E0393A25D7}
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{42C10A36-3D6B-4384-A43C-8BC6FC3C1DD1}@ReusableType 0
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 8394

---- Files - GMER 2.1 ----

File C:\Users\Witek\AppData\Local\Temp\~DF20C1F293AB0E739A.TMP 512 bytes
File C:\Users\Witek\AppData\Local\Temp\~DF46ED6F05D68654CC.TMP 16384 bytes

---- EOF - GMER 2.1 ----