GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-04-29 20:08:05
Windows 6.2.9200
\Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP3T1L0-7 CT120BX100SSD1 rev.MU02 111,79GB
Running: lk7ssp85.exe; Driver: C:\Users\mirdo\AppData\Local\Temp\uxldqpob.sys

---- Kernel code sections - GMER 2.2 ----

.text ntoskrnl.exe!ExfUnblockPushLock + 1547 8179D86D 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 622 817A2012 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\WINDOWS\system32\DRIVERS\atikmdag.sys section is writeable [0x91D71000, 0x2BFBF0, 0xE8000020]

---- User code sections - GMER 2.2 ----

.text C:\WINDOWS\Explorer.EXE[3012] SHELL32.dll!SHPropStgWriteMultiple 75632740 8 Bytes [80, 11, 89, 64, C0, 11, 89, ...]
.text C:\Program Files\CCleaner\CCleaner.exe[5812] USER32.dll!EnableScrollBar 775B6990 5 Bytes JMP 00459B88 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[5812] USER32.dll!GetScrollInfo 775C63D0 5 Bytes JMP 00459A98 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[5812] USER32.dll!SetScrollPos 775D55E0 5 Bytes JMP 00459A04 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[5812] USER32.dll!SetScrollRange 775D5630 5 Bytes JMP 00459B11 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[5812] USER32.dll!SetScrollInfo 775D56B0 5 Bytes JMP 00459B4E C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[5812] USER32.dll!GetScrollPos 775DABA0 5 Bytes JMP 00459A6D C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[5812] USER32.dll!GetScrollRange 775DB680 5 Bytes JMP 00459A2F C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[5812] USER32.dll!ShowScrollBar 775EA320 5 Bytes JMP 00459AD1 C:\Program Files\CCleaner\CCleaner.exe

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1707153720
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x41 0xCB 0x08 0xAE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x41 0x33 0xCD 0x0F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x41 0x63 0x44 0x4C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0x79 0xB7 0x52 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE\SystemProtected@DisableCAD 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@6B09D5F1 16
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2901545128-658209650-1889578544-1001@RefCount 3
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@NewClientID 8
Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{BF18567D-0000-0000-0000-500600000000} 5281757440

---- EOF - GMER 2.2 ----