GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-04-10 20:49:51
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\0000003c SAMSUNG_MZNLN128HCGR-000L2 rev.EMT23L0Q 119,24GB
Running: zi0njlcb.exe; Driver: C:\WINDOWS\TEMP\kfeiqfow.sys


---- Modules - GMER 2.2 ----

Module   \??\C:\WINDOWS\System32\drivers:ucdrv-x64.sys                                                                                       fffff805529c0000-fffff805529cf000 (61440 bytes)

---- Threads - GMER 2.2 ----

Thread   C:\WINDOWS\system32\csrss.exe [720:772]                                                                                             ffff985e8a136c20
Thread   C:\WINDOWS\Explorer.EXE [5152:6940]                                                                                                 00007ff92cac20e0
Thread   C:\WINDOWS\Explorer.EXE [5152:4408]                                                                                                 00007ff92cac20e0
Thread   C:\WINDOWS\Explorer.EXE [5152:7260]                                                                                                 00007ff92cac20e0

---- Registry - GMER 2.2 ----

Reg      HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime                                                                   0xA6 0x3A 0xB4 0x3D ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime                                                               0xA3 0xA5 0xE6 0x61 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL                                                               25
Reg      HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD04A70_00_07DF_4F^15B987778A572E1ABB2E757E20FCF02D@Timestamp  0xEF 0xD9 0xD4 0xDA ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid                                                                                    852
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations                                                   ????03???????&???????\????N??4?????????D????{00000000-0000-0000-ffff-ffffffffffff}???????.??????????????????????????????????? 0??4???e??????????STORAGE\VolumeSnapshot????????N??4????????D?????{533c5b84-ec70-11d2-9505-00c04f79deaf}??????? ???4??????????????@volsnap.inf,%storage\volumesnapshot.devicedesc%;Generic volume shadow copy??-??????? ???4????????????????X??'???6???C????<??????0?g85???????????&???????4???e??Microsoft????????4??????10.0.14393.0?D???????4???c??10.0.14393.0?{???????4???3???h??volsnap.inf?8D????.??????????4??volsnap.inf?BC????@??????0???????????F???????,???e???????4???_??????2B???????&???????????2?????????????????????????????f#????????????4???d???????????????d???????????????d???????????r???d???????????6???d???????????n???d???-?-?8?8?8???????????4???d???4?8?8?8?????????????v???d???????F???4?F?F???????????????????d???????????????????4???????????????????D???d??????????????ly???4???????????????????o???d??????th???4???????????????????a???d???????????4???????????????????o???d???????????4?????????
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber                                                  2710512
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed                                                   -680862949
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId                                   26
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime                                 501259781
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime                                                                3693
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime                                                              3693
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID                                                                    541c2c65-dde6-44a4-a4f5-925033a
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId                                                                4
Reg      HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter                                                      2
Reg      HKLM\SYSTEM\CurrentControlSet\Services\acpipagr\Parameters\Wdf@TimeOfLastTelemetryLog                                               0xFF 0x38 0x4E 0x5F ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName                                                              Global\MMF_BITSd24b6d51-d5d8-4fe6-9b46-2aad68617d78
Reg      HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\a434d92fccd0                                                         
Reg      HKLM\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters\Wdf@TimeOfLastTelemetryLog                                           0xD1 0xFD 0x14 0x5F ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{1bd48234-efee-405a-a086-88f8da4ebae1}@LastProbeTime               1491604940
Reg      HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters\Wdf@TimeOfLastTelemetryLog                                               0x35 0xAF 0x44 0x5F ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\ibtusb\Parameters\Wdf@TimeOfLastTelemetryLog                                                 0xC4 0x7B 0xB9 0x61 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\intelppm\Parameters\Wdf@TimeOfLastTelemetryLog                                               0xFB 0xD5 0x2C 0x5F ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{149DB607-EEB9-4960-8A86-A8DDD2DB5F99}@InterfaceName              Reusable ISATAP Interface {149DB607-EEB9-4960-8A86-A8DDD2DB5F99}
Reg      HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{149DB607-EEB9-4960-8A86-A8DDD2DB5F99}@ReusableType               2
Reg      HKLM\SYSTEM\CurrentControlSet\Services\MEIx64\Parameters\Wdf@TimeOfLastTelemetryLog                                                 0x25 0xE8 0x7D 0x5F ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\msisadrv\Parameters\Wdf@TimeOfLastTelemetryLog                                               0x32 0x29 0x43 0x5E ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf@TimeOfLastTelemetryLog                                         0xFF 0x38 0x4E 0x5F ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch                                                                     2944
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch                                                                    300
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SmbDrvI\Parameters\Wdf@TimeOfLastTelemetryLog                                                0x3F 0xFD 0x33 0x5F ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence                                                              24
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS                                                                3955
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters\Wdf@TimeOfLastTelemetryLog                                                  0xFB 0xD5 0x2C 0x5F ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a199f71a-7cc4-4065-9eeb-d873e97584c9}@LeaseObtainedTime         1491843586
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a199f71a-7cc4-4065-9eeb-d873e97584c9}@T1                        1491886786
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a199f71a-7cc4-4065-9eeb-d873e97584c9}@T2                        1491919186
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a199f71a-7cc4-4065-9eeb-d873e97584c9}@LeaseTerminatesTime       1491929986
Reg      HKLM\SYSTEM\CurrentControlSet\Services\TPM@OsBootCount                                                                              42
Reg      HKLM\SYSTEM\CurrentControlSet\Services\TPM\Parameters\Wdf@TimeOfLastTelemetryLog                                                    0xCE 0x63 0x5D 0x5E ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\umbus\Parameters\Wdf@TimeOfLastTelemetryLog                                                  0xD1 0xFD 0x14 0x5F ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters\Wdf@TimeOfLastTelemetryLog                                                0x2B 0xAF 0x8C 0x5F ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters\Wdf@TimeOfLastTelemetryLog                                                0xCF 0xAE 0x25 0x5F ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\vdrvroot\Parameters\Wdf@TimeOfLastTelemetryLog                                               0xCE 0x63 0x5D 0x5E ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\vwifibus\Parameters\Wdf@TimeOfLastTelemetryLog                                               0xF9 0x87 0x3D 0x5F ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated                                                 0x24 0xE2 0xD0 0x6C ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh                                                      0x24 0x4A 0x95 0xCE ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow                                                       0x24 0x7A 0x0C 0x0B ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop                                                    0
Reg      HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List                                                             15952 15958 15970 15980 15990 16010 16054 16064 16102 16108 16124
Reg      HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter                                                            16130
Reg      HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help                                                               16131
Reg      HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter                                                           15952
Reg      HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help                                                              15953
Reg      HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@Rw                                                                                  0x64 0x62 0x03 0x00 ...
Reg      HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@RwMask                                                                              0x64 0x62 0x03 0x00 ...
Reg      HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@Rw                                                                                  0x64 0x62 0x03 0x00 ...
Reg      HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@RwMask                                                                              0x64 0x62 0x03 0x00 ...
Reg      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280810@LastAccessed                             0xDE 0x89 0x11 0x3C ...
Reg      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280810@AccelerateCacheRefreshLastDetected       0x44 0x76 0xFD 0x3B ...
Reg      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280810@AccelerateCacheRefreshLastHandled        0x1B 0xB2 0x18 0x3C ...
Reg      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280811@LastAccessed                             0x3A 0xC7 0x0C 0x3C ...
Reg      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280811@AccelerateCacheRefreshLastDetected       0x44 0x76 0xFD 0x3B ...
Reg      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280811@AccelerateCacheRefreshLastHandled        0xE2 0xB6 0x20 0x3C ...
Reg      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband@FavoritesChanges                                                   50
Reg      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\54ad3d19@NotificationsCount                                 2
Reg      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\565c76f8@NotificationsCount                                 2
Reg      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\5b0a1c5a@NotificationsCount                                 1
Reg      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\67df84d1@NotificationsCount                                 2
Reg      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\74c6ea4@NotificationsCount                                  3
Reg      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\8ed08a4@NotificationsCount                                  2
Reg      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\bedb5c97@NotificationsCount                                 2
Reg      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ec65e6ff@NotificationsCount                                 2
Reg      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance@MessageTime                                                 0x6D 0x46 0x2D 0xD5 ...

---- Disk sectors - GMER 2.2 ----

Disk     \Device\Harddisk0\DR0                                                                                                               unknown MBR code

---- Files - GMER 2.2 ----

ADS      C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys                                                                             50888 bytes executable
ADS      C:\Program Files (x86)\UCBrowser\Security:x64                                                                                       749456 bytes executable
ADS      C:\Program Files (x86)\UCBrowser\Security:x86                                                                                       611728 bytes executable
ADS      C:\Windows\System32\drivers:ucdrv-x64.sys                                                                                           50888 bytes executable                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <-- ROOTKIT !!!
ADS      C:\Windows\System32\drivers:x64                                                                                                     749456 bytes executable
ADS      C:\Windows\System32\drivers:x86                                                                                                     611728 bytes executable
ADS      C:\Windows.old\Windows\System32\drivers:ucdrv-x64.sys                                                                               47304 bytes executable
ADS      C:\Windows.old\Windows\System32\drivers:x64                                                                                         739728 bytes executable
ADS      C:\Windows.old\Windows\System32\drivers:x86                                                                                         602512 bytes executable

---- Services - GMER 2.2 ----

Service  C:\WINDOWS\System32\drivers:ucdrv-x64.sys                                                                                           [SYSTEM] ucdrv                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <-- ROOTKIT !!!

---- EOF - GMER 2.2 ----