GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-05-24 14:28:06
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 rev. 0.00MB
Running: rn6l0pw8.exe; Driver: C:\Users\Cepek\AppData\Local\Temp\uxldqpow.sys

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [648:4400] ffffc91895536c20
Thread C:\WINDOWS\system32\svchost.exe [1432:3140] 0000023d91e50d3c
Thread C:\WINDOWS\system32\svchost.exe [1432:3144] 0000023d91e50d3c
Thread C:\WINDOWS\system32\svchost.exe [1432:3148] 0000023d91e50d3c
Thread C:\WINDOWS\system32\svchost.exe [1432:3456] 0000023d91e47378
Thread C:\WINDOWS\system32\svchost.exe [1432:3460] 0000023d91e47378
Thread C:\WINDOWS\system32\svchost.exe [1432:3980] 0000023d91fc0d3c
Thread C:\WINDOWS\system32\svchost.exe [1432:3984] 0000023d926115cc
Thread C:\WINDOWS\system32\svchost.exe [1432:4020] 0000023d91fc0d3c
Thread C:\WINDOWS\system32\svchost.exe [1432:4024] 0000023d926115cc
Thread C:\WINDOWS\system32\svchost.exe [1432:4028] 0000023d92660c8c
Thread C:\WINDOWS\system32\svchost.exe [1432:4032] 0000023d926a0c8c
Thread C:\WINDOWS\system32\svchost.exe [1432:4040] 0000023d91fc0d3c
Thread C:\WINDOWS\system32\svchost.exe [1432:4044] 0000023d926115cc
Thread C:\WINDOWS\system32\svchost.exe [1432:4048] 0000023d92660c8c
Thread C:\WINDOWS\system32\svchost.exe [1432:4052] 0000023d926a0c8c
Thread C:\WINDOWS\system32\svchost.exe [1432:4088] 0000023d92660c8c
Thread C:\WINDOWS\system32\svchost.exe [1432:4092] 0000023d926a0c8c
Thread C:\WINDOWS\system32\svchost.exe [1432:2848] 0000023d91fb7378
Thread C:\WINDOWS\system32\svchost.exe [1432:3536] 0000023d92607378
Thread C:\WINDOWS\system32\svchost.exe [1432:3416] 0000023d91fb7378
Thread C:\WINDOWS\system32\svchost.exe [1432:3880] 0000023d92607378
Thread C:\WINDOWS\system32\svchost.exe [1432:3832] 0000023d92657378
Thread C:\WINDOWS\system32\svchost.exe [1432:3260] 0000023d92697378
Thread C:\WINDOWS\system32\svchost.exe [1432:3560] 0000023d92657378
Thread C:\WINDOWS\system32\svchost.exe [1432:3240] 0000023d92697378
Thread C:\WINDOWS\system32\svchost.exe [1432:3676] 0000023d926115cc
Thread C:\WINDOWS\system32\svchost.exe [1432:4496] 0000023d91ed0e4c
Thread C:\WINDOWS\system32\svchost.exe [1432:4500] 0000023d91ed0e4c
Thread C:\WINDOWS\system32\svchost.exe [1432:4504] 0000023d91ed0e4c
Thread C:\WINDOWS\system32\svchost.exe [1432:4544] 0000023d91ec7378
Thread C:\WINDOWS\system32\svchost.exe [1432:4548] 0000023d91ec7378
Thread C:\WINDOWS\system32\backgroundTaskHost.exe [8840:6348] 00007ff845f90440
Thread C:\WINDOWS\system32\backgroundTaskHost.exe [8840:5804] 00007ff83d3048e0
Thread C:\WINDOWS\system32\backgroundTaskHost.exe [8840:10176] 00007ff8450ca5e0

---- Processes - GMER 2.2 ----

Library C:\WINDOWS\SoftwareDistribution\Download\Install\AM_Delta.exe (*** suspicious ***) @ C:\WINDOWS\SoftwareDistribution\Download\Install\AM_Delta.exe [8788] 00007ff63bcf0000

---- Services - GMER 2.2 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] CDPUserSvc_68f97 <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [MANUAL] MessagingService_68f97 <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] OneSyncSvc_68f97 <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [MANUAL] PimIndexMaintenanceSvc_68f97 <-- ROOTKIT !!!
Service system32\Drivers\PsBoot.sys (*** hidden *** ) [DISABLED] PsBoot <-- ROOTKIT !!!
Service C:\WINDOWS\System32\svchost.exe (*** hidden *** ) [MANUAL] UnistoreSvc_68f97 <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [MANUAL] UserDataSvc_68f97 <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [MANUAL] WpnUserService_68f97 <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -272591910
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xE3 0x56 0x3F 0xE9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xE3 0xBE 0x03 0x4B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xE3 0xEE 0x7A 0x87 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\WinDefend@FailureCommand C:\WINDOWS\system32\mrt.exe /EHB /ServiceFailure "CAMP=4.10.14393.1198;approximate-> Engine=1.1.13704.0;AVSIG=1.243.653.0;ASSIG=1.243.653.0" /StartService /Defender /q
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance@MessageTime 0xE6 0x6A 0xE1 0xFB ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2057-442D-DF26-08C5CAAE1200}@01 0x00 0x30 0xC2 0xE3 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2057-442D-DF26-08C5CAAE1200}@07 0x00 0x70 0xB7 0x4D ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2057-442D-DF26-08C5CAAE1200}@09 0x00 0x30 0x17 0xF2 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2057-442D-DF26-08C5CAAE1200}@10 0x00 0x20 0x0D 0x16 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2057-442D-DF26-08C5CAAE1200}@16 0x00 0x20 0xC8 0x7E ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2057-442D-DF26-08C5CAAE1200}@18 0x00 0xF0 0x2D 0xC2 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2057-442D-DF26-08C5CAAE1200}@22 0x00 0x10 0x00 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2057-442D-DF26-08C5CAAE1200}@24 0x00 0x10 0x00 0x10 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2057-442D-DF26-08C5CAAE1200}@26 0x00 0xF0 0x53 0xCC ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2057-442D-DF26-08C5CAAE1200}@27 0x00 0xF0 0x1D 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2057-442D-DF26-08C5CAAE1200}@28 0x00 0x90 0x85 0x17 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2057-442D-DF26-08C5CAAE1200}@29 0x00 0x80 0xE0 0x02 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2057-442D-DF26-08C5CAAE1200}@00 0x00 0x40 0xA0 0xA5 ...

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 sector 0: rootkit-like behavior

---- EOF - GMER 2.2 ----