GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-09-21 19:39:25 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000027 Samsung_SSD_840_EVO_120GB rev.EXT0BB6Q 111,79GB Running: gmer.exe; Driver: C:\Users\petik1\AppData\Local\Temp\uxldapod.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000177600 15 bytes [00, F8, 09, 02, 80, 32, 72, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 16 fffff96000177610 11 bytes [00, BC, FB, FF, 00, 77, B2, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[584] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\winlogon.exe[652] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\services.exe[684] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\lsass.exe[692] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\svchost.exe[796] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\dwm.exe[896] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff90b0d169a 4 bytes [0D, 0B, F9, 7F] .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff90b0d16a2 4 bytes [0D, 0B, F9, 7F] .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff90b0d181a 4 bytes [0D, 0B, F9, 7F] .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff90b0d1832 4 bytes [0D, 0B, F9, 7F] .text C:\Windows\System32\svchost.exe[972] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\svchost.exe[732] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff90b0d169a 4 bytes [0D, 0B, F9, 7F] .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff90b0d16a2 4 bytes [0D, 0B, F9, 7F] .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff90b0d181a 4 bytes [0D, 0B, F9, 7F] .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff90b0d1832 4 bytes [0D, 0B, F9, 7F] .text C:\Windows\System32\svchost.exe[1108] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\svchost.exe[1276] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1680] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\svchost.exe[1720] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\svchost.exe[2480] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\System32\svchost.exe[2624] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\System32\WUDFHost.exe[2640] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\taskhostex.exe[2892] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\Explorer.EXE[2984] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3312] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[3764] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[4092] C:\Windows\SYSTEM32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\System32\M-AudioTaskBarIcon.exe[3448] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\DllHost.exe[2924] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\wbem\unsecapp.exe[3864] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] .text C:\Windows\system32\SearchProtocolHost.exe[1120] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ff90b15553d 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\csrss.exe [592:8016] fffff96000935b90 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\GSM5838201NDBP3G053_01_07DC_CA^AD2AA867CDDF5D388563380670B1FB28@Timestamp 0x55 0x5C 0x6D 0xF8 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ???H????????????????????????????????????????:\???????????e?????epp??avast! Revert???? ???????????????????H????$??? ?>??? ???????????? >?????????????????? d??????n?????????????????????????r????????????????????????????????? ???????????????????????????? ????? ???????6???????????????Reverted???????????????????????????????????t???????????????????t?????????????????????????????????????????????????s??MoveFile("\??\c:\program files\avast software\avast\ashbase.dll.1408389417406","\??\c:\program files\avast software\avast\ashbase.dll",TRUE)?MoveFile("\??\c:\program files\avast software\avast\ashbase.dll.sum.1408389417406","\??\c:\program files\avast software\avast\ashbase.dll.sum",TRUE)?MoveFile("\??\c:\program files\avast software\avast\ashmaisv.dll.1408389417406","\??\c:\program files\avast software\avast\ashmaisv.dll",TRUE)?MoveFile("\??\c:\program files\avast software\avast\ashmaisv.dll.sum.1408389417406","\??\c:\program files\avast software\avast\ashmaisv.dll.sum",TRUE)?MoveFile("\??\c:\program files\avast softwa Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -1927875766 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A8BAB0B7-051A-4A19-B2DE-749A0A3D6FA0}@LeaseObtainedTime 1411316129 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A8BAB0B7-051A-4A19-B2DE-749A0A3D6FA0}@T1 1411317929 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A8BAB0B7-051A-4A19-B2DE-749A0A3D6FA0}@T2 1411318829 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A8BAB0B7-051A-4A19-B2DE-749A0A3D6FA0}@LeaseTerminatesTime 1411319729 ---- Files - GMER 2.1 ---- File C:\Users\petik1\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002cc5 0 bytes File C:\Users\petik1\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002cc6 0 bytes File C:\Users\petik1\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002b1b 1679372 bytes File C:\Users\petik1\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002b1a 321134 bytes File C:\Users\petik1\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002ca7 0 bytes File C:\Users\petik1\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002ca8 0 bytes File C:\Users\petik1\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002cdb 0 bytes File C:\Users\petik1\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0027a5 0 bytes File C:\Users\petik1\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.pl_0.indexeddb.leveldb\007122.bak 0 bytes File C:\Users\petik1\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.pl_0.indexeddb.leveldb\007122.ldb 0 bytes File C:\Users\petik1\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.pl_0.indexeddb.leveldb\007124.bak 0 bytes File C:\Users\petik1\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.pl_0.indexeddb.leveldb\007124.ldb 0 bytes File C:\Users\petik1\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.pl_0.indexeddb.leveldb\007135.bak 0 bytes File C:\Users\petik1\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.pl_0.indexeddb.leveldb\007135.ldb 0 bytes File C:\Users\petik1\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.pl_0.indexeddb.leveldb\007138.bak 0 bytes File C:\Users\petik1\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.pl_0.indexeddb.leveldb\007138.ldb 0 bytes File C:\Users\petik1\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.pl_0.indexeddb.leveldb\007141.bak 0 bytes File C:\Users\petik1\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.pl_0.indexeddb.leveldb\007141.ldb 0 bytes File C:\Users\petik1\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.pl_0.indexeddb.leveldb\007142.log 0 bytes File C:\Users\petik1\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.pl_0.indexeddb.leveldb\MANIFEST-007140 0 bytes ---- EOF - GMER 2.1 ----