GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-01-07 01:26:07
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\00000063 PLEXTOR_ rev.1.04 119,24GB
Running: ejqi8vkk.exe; Driver: C:\Windows\system32\config\SYSTEM~1\AppData\Local\Temp\uxriipow.sys

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwRollbackEnlistment + 142D  82054A15 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  8208E212 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\Explorer.EXE[948] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]  [7458249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[948] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]  [74565652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[948] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]  [74565710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[948] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]  [7458251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[948] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]  [7457857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[948] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]  [74574D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[948] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]  [745750D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[948] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]  [745751AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[948] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP]  [745766DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[948] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]  [745782D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[948] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]  [74578824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[948] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]  [74579085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[948] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]  [7457E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[948] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]  [74574C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0  Wdf01000.sys
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1  Wdf01000.sys

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0cb38f252e1
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0cb38f252e1@0002022b8718  0x55 0x0F 0x96 0x3D ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0cb38f252e1@f05a0917b4a8  0xB2 0xB6 0x4F 0x83 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0cb38f252e1@44d4e0298351  0x04 0xAE 0x2D 0xA1 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0cb38f252e1 (not active ControlSet)
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@AC7C701D  158

---- EOF - GMER 2.1 ----