GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-12 21:33:31
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000024 ST31000528AS rev.HP35 931.51GB
Running: jennkv71.exe; Driver: C:\Users\Daniel\AppData\Local\Temp\pxldypoc.sys

---- User code sections - GMER 2.1 ----

.text   C:\Windows\system32\atiesrxx.exe[904] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506   00007ffeacab169a 4 bytes [AB, AC, FE, 7F]
.text   C:\Windows\system32\atiesrxx.exe[904] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514   00007ffeacab16a2 4 bytes [AB, AC, FE, 7F]
.text   C:\Windows\system32\atiesrxx.exe[904] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118   00007ffeacab181a 4 bytes [AB, AC, FE, 7F]
.text   C:\Windows\system32\atiesrxx.exe[904] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142   00007ffeacab1832 4 bytes [AB, AC, FE, 7F]
.text   C:\Windows\system32\atieclxx.exe[532] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506   00007ffeacab169a 4 bytes [AB, AC, FE, 7F]
.text   C:\Windows\system32\atieclxx.exe[532] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514   00007ffeacab16a2 4 bytes [AB, AC, FE, 7F]
.text   C:\Windows\system32\atieclxx.exe[532] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118   00007ffeacab181a 4 bytes [AB, AC, FE, 7F]
.text   C:\Windows\system32\atieclxx.exe[532] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142   00007ffeacab1832 4 bytes [AB, AC, FE, 7F]
.text   C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506   00007ffeacab169a 4 bytes [AB, AC, FE, 7F]
.text   C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514   00007ffeacab16a2 4 bytes [AB, AC, FE, 7F]
.text   C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118   00007ffeacab181a 4 bytes [AB, AC, FE, 7F]
.text   C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142   00007ffeacab1832 4 bytes [AB, AC, FE, 7F]
.text   C:\Windows\System32\svchost.exe[1764] c:\windows\system32\WSOCK32.dll!setsockopt + 194   00007ffea2f61f6a 4 bytes [F6, A2, FE, 7F]
.text   C:\Windows\System32\svchost.exe[1764] c:\windows\system32\WSOCK32.dll!setsockopt + 218   00007ffea2f61f82 4 bytes [F6, A2, FE, 7F]
.text   C:\Windows\System32\svchost.exe[1804] c:\windows\system32\WSOCK32.dll!setsockopt + 194   00007ffea2f61f6a 4 bytes [F6, A2, FE, 7F]
.text   C:\Windows\System32\svchost.exe[1804] c:\windows\system32\WSOCK32.dll!setsockopt + 218   00007ffea2f61f82 4 bytes [F6, A2, FE, 7F]
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[5328] C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 194   00007ffea2f61f6a 4 bytes [F6, A2, FE, 7F]
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[5328] C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 218   00007ffea2f61f82 4 bytes [F6, A2, FE, 7F]

---- User IAT/EAT - GMER 2.1 ----

IAT     C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE[USER32.dll!GetWindowBand] [6c00b4b0] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll
IAT     C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE[USER32.dll!TileWindows] [6c00b450] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll
IAT     C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE[USER32.dll!CascadeWindows] [6c00b3f0] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll
IAT     C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE[USER32.dll!PeekMessageW] [6c025f80] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll
IAT     C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE[dwmapi.dll!DwmEnableBlurBehindWindow] [6c023ab0] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll
IAT     C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE[dwmapi.dll!DwmSetWindowAttribute] [6c00b1a0] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll
IAT     C:\Windows\Explorer.EXE[3656] @ C:\Windows\SYSTEM32\twinui.dll[USER32.dll!GetSystemMetrics] [6c009ed0] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll
IAT     C:\Windows\Explorer.EXE[3656] @ C:\Windows\SYSTEM32\twinui.dll[USER32.dll!PostMessageW] [6c024720] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll
IAT     C:\Windows\Explorer.EXE[3656] @ C:\Windows\SYSTEM32\twinui.dll[USER32.dll!TrackPopupMenu] [6c024a00] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll
IAT     C:\Windows\Explorer.EXE[3656] @ C:\Windows\SYSTEM32\twinui.dll[USER32.dll!SetCursorPos] [6c024ba0] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll
IAT     C:\Windows\Explorer.EXE[3656] @ C:\Windows\SYSTEM32\twinui.dll[dwmapi.dll!DwmSetWindowAttribute] [6c024bf0] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [564:4092]   fffff96000844b90
Thread  C:\Windows\System32\SettingSyncHost.exe [1248:4180]   00007ffea0bd4b30

---- Registry - GMER 2.1 ----

Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime   0xE5 0x74 0x1C 0xBF ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime   0xE0 0x68 0x0E 0xA7 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime   0xAE 0x9D 0x23 0xBF ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime   0xBA 0xF9 0x16 0xA7 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL   94
Reg     HKLM\SYSTEM\CurrentControlSet\Control\CrashControl@LastCrashTime   0x2A 0x54 0x7A 0xA6 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\HWP2913CNC019RM73_13_07DA_5F^9F72D55E976DCAF90B1590E4684D15D0@Timestamp   0xB4 0x00 0x36 0xD6 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid   648
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed   1479822143
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID   72b4f230-b379-424d-a8a4-0412275
Reg     HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName   \BaseNamedObjects\WDI_{c6bc130d-017d-4ec3-a924-23a96fc808f3}
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{feb4364b-e285-483e-9ace-a318e0676d6a}@LastProbeTime   1423772629
Reg     HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\7c-4c-a5-6b-5f-e4@AddressCreationTimestamp   0x46 0xA0 0xED 0x0A ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\7c-4c-a5-6b-5f-e4@UPnPState   1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\7c-4c-a5-6b-5f-e4@ClientLocalPort   54984
Reg     HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\7c-4c-a5-6b-5f-e4@TeredoAddress   2001:0:9d38:6ab8:30d8:2937:fd86:4d0e
Reg     HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge   1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime   Thu, Feb 12 15, 08:29:05 PM
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch   7620
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch   2838
Reg     HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence   95
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C99C1C33-AC25-43E3-8E32-994A78C329C6}@LeaseObtainedTime   1423772620
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C99C1C33-AC25-43E3-8E32-994A78C329C6}@T1   1423815820
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C99C1C33-AC25-43E3-8E32-994A78C329C6}@T2   1423848220
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C99C1C33-AC25-43E3-8E32-994A78C329C6}@LeaseTerminatesTime   1423859020
Reg     HKCU\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell\Grid@Logo100   %USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer\TileCacheLogo-524373828_100.dat
Reg     HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime   0x91 0x6E 0x25 0x35 ...
Reg     HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime   0x91 0x6E 0x25 0x35 ...
Reg     HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime   0x91 0x6E 0x25 0x35 ...
Reg     HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime   0x91 0x6E 0x25 0x35 ...
Reg     HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@BackupDeviceRootSyncToken   LM%3d63558842307353%3bID%3d90F9A3780A13F73A!224%3bLR%3d63559190317680%3bEP%3d4%3bTD%3dTrue%3bSO%3d4
Reg     HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Namespace\Windows\AppSync@BackupState   2

---- EOF - GMER 2.1 ----
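Triage of the two sections above that actually matter (the ".text" patches and the IAT redirections), as an added example that is not GMER's code and not part of the posted log. It parses the GMER line formats with regular expressions and applies two checks a reviewer does by hand: for a 4-byte ".text" patch it tests whether the reported bytes are simply the high dword of a pointer into the same 64 KiB region as the patched address (for every entry in this log they are, e.g. 00007ffeacab169a with bytes [AB, AC, FE, 7F], which is an absolute address embedded in the module's own code rather than injected bytes); for an IAT entry it reports whether the redirect target lives outside the Windows directory. The sample input is constructed: four lines are copied from the log, and the "example.exe" line with an E9 (JMP rel32) patch is fabricated so a real inline hook shows up for contrast. The Windows directory is assumed to be C:\Windows.

```python
"""Triage helper for GMER 'User code sections' and 'User IAT/EAT' lines (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the four log lines are copied from the scan above; the
# 'example.exe' line is fabricated to show what an inline JMP hook looks like.
SAMPLE_LOG = r"""
.text   C:\Windows\system32\atiesrxx.exe[904] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506   00007ffeacab169a 4 bytes [AB, AC, FE, 7F]
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[5328] C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 194   00007ffea2f61f6a 4 bytes [F6, A2, FE, 7F]
.text   C:\Windows\system32\example.exe[1234] C:\Windows\system32\ntdll.dll!NtCreateFile + 0   00007ffeacab0000 5 bytes [E9, 00, 10, 00, 00]
IAT     C:\Windows\Explorer.EXE[3656] @ C:\Windows\Explorer.EXE[USER32.dll!GetWindowBand] [6c00b4b0] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll
IAT     C:\Windows\Explorer.EXE[3656] @ C:\Windows\SYSTEM32\twinui.dll[dwmapi.dll!DwmSetWindowAttribute] [6c024bf0] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll
"""

# GMER line formats: process[pid], module!export + offset, address, byte count, bytes.
TEXT_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<target>.+?)\s+\+\s+(?P<off>\d+)\s+"
    r"(?P<addr>[0-9a-fA-F]{8,16})\s+(?P<n>\d+)\s+bytes\s+\[(?P<bytes>[^\]]*)\]")
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?\[\d+\])\s+@\s+(?P<module>.+?)\[(?P<import>[^\]]+)\]\s+"
    r"\[(?P<addr>[0-9a-fA-F]+)\]\s+(?P<redirect>.+?)\s*$")

# Assumption: the system root is C:\Windows (the log does not state it).
WINDOWS_DIR = "c:\\windows\\"


@dataclass
class Finding:
    kind: str       # "text-patch" or "iat-hook"
    process: str
    location: str
    verdict: str    # "likely-benign", "suspicious", "third-party", "review"
    detail: str


def classify_text_patch(m: re.Match) -> Finding:
    addr = int(m["addr"], 16)
    patched = bytes(int(b, 16) for b in m["bytes"].split(","))
    location = f"{m['target']} + {m['off']} @ {m['addr']}"
    if len(patched) == 4 and int.from_bytes(patched, "little") == (addr >> 16) & 0xFFFFFFFF:
        # The 4 bytes equal the upper dword of an 8-byte pointer into the same
        # 64 KiB region as the patched address: an absolute address stored in the
        # module's own code, not foreign instructions.
        return Finding("text-patch", m["proc"], location, "likely-benign",
                       "bytes are the high dword of a pointer into the same module region")
    if patched[:1] == b"\xe9" and len(patched) >= 5:
        # E9 rel32: the jump target is the next instruction (addr + 5) plus the
        # signed 32-bit displacement; resolve it so the owning module can be found.
        rel32 = int.from_bytes(patched[1:5], "little", signed=True)
        dest = (addr + 5 + rel32) & 0xFFFFFFFFFFFFFFFF
        return Finding("text-patch", m["proc"], location, "suspicious",
                       f"E9 (JMP rel32) to {dest:016x}: inline hook, identify the owning module")
    return Finding("text-patch", m["proc"], location, "review", "unrecognised patch pattern")


def classify_iat(m: re.Match) -> Finding:
    redirect = m["redirect"]
    location = f"{m['module']}[{m['import']}] -> {m['addr']}"
    if not redirect.lower().startswith(WINDOWS_DIR):
        return Finding("iat-hook", m["proc"], location, "third-party",
                       f"import redirected into {redirect}; confirm it is an installed product")
    return Finding("iat-hook", m["proc"], location, "review",
                   f"import redirected into Windows module {redirect}")


def triage(log_text: str) -> List[Finding]:
    """Parse every .text / IAT line in a GMER log and classify it; other lines are ignored."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := TEXT_RE.match(line)):
            findings.append(classify_text_patch(m))
        elif (m := IAT_RE.match(line)):
            findings.append(classify_iat(m))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per verdict so the reviewer sees at a glance what needs a look."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.verdict:13}] {f.kind:10} {f.process}  {f.location}  ({f.detail})")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the full log rather than the sample, every ".text" entry comes out "likely-benign" by the pointer check, and all eleven IAT entries come out "third-party" pointing at the same StartIsBack64.dll, which is the one item worth confirming against the installed software list. The pointer heuristic is a triage aid, not proof: a patch that happens to match it still deserves a look if the process or export is unexpected.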