GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-06-05 23:59:06
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0002 465,76GB
Running: p2tyhyvv.exe; Driver: C:\Users\MI\AppData\Local\Temp\fwdyikob.sys

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [632:664] ffff951922136c20
Thread C:\WINDOWS\system32\svchost.exe [528:3240] 0000017393650d3c
Thread C:\WINDOWS\system32\svchost.exe [528:3256] 0000017393690e4c
Thread C:\WINDOWS\system32\svchost.exe [528:3384] 00000173936d0d3c
Thread C:\WINDOWS\system32\svchost.exe [528:3396] 0000017393650d3c
Thread C:\WINDOWS\system32\svchost.exe [528:3416] 0000017393f115cc
Thread C:\WINDOWS\system32\svchost.exe [528:3420] 0000017393690e4c
Thread C:\WINDOWS\system32\svchost.exe [528:3424] 00000173936d0d3c
Thread C:\WINDOWS\system32\svchost.exe [528:3436] 00000173927e0c8c
Thread C:\WINDOWS\system32\svchost.exe [528:3440] 0000017393650d3c
Thread C:\WINDOWS\system32\svchost.exe [528:3444] 0000017392830c8c
Thread C:\WINDOWS\system32\svchost.exe [528:3448] 0000017393f115cc
Thread C:\WINDOWS\system32\svchost.exe [528:3460] 0000017393690e4c
Thread C:\WINDOWS\system32\svchost.exe [528:3464] 00000173936d0d3c
Thread C:\WINDOWS\system32\svchost.exe [528:3524] 0000017393647378
Thread C:\WINDOWS\system32\svchost.exe [528:3528] 0000017393647378
Thread C:\WINDOWS\system32\svchost.exe [528:3536] 0000017393687378
Thread C:\WINDOWS\system32\svchost.exe [528:3532] 00000173936c7378
Thread C:\WINDOWS\system32\svchost.exe [528:3544] 0000017393687378
Thread C:\WINDOWS\system32\svchost.exe [528:3540] 00000173936c7378
Thread C:\WINDOWS\system32\svchost.exe [528:3616] 00000173927e0c8c
Thread C:\WINDOWS\system32\svchost.exe [528:3620] 0000017392830c8c
Thread C:\WINDOWS\system32\svchost.exe [528:3624] 0000017393f115cc
Thread C:\WINDOWS\system32\svchost.exe [528:3632] 0000017393f07378
Thread C:\WINDOWS\system32\svchost.exe [528:3636] 0000017393f07378
Thread C:\WINDOWS\system32\svchost.exe [528:3748] 00000173927d7378
Thread C:\WINDOWS\system32\svchost.exe [528:3744] 0000017392827378
Thread C:\WINDOWS\system32\svchost.exe [528:3752] 00000173927d7378
Thread C:\WINDOWS\system32\svchost.exe [528:3756] 0000017392827378
Thread C:\WINDOWS\system32\svchost.exe [528:3788] 00000173927e0c8c
Thread C:\WINDOWS\system32\svchost.exe [528:3792] 0000017392830c8c
Thread C:\WINDOWS\SysWOW64\svchost.exe [3964:2140] 0000000003642acf
Thread C:\WINDOWS\SysWOW64\svchost.exe [3964:2056] 0000000003642acf
Thread C:\WINDOWS\SysWOW64\svchost.exe [3964:804] 0000000003642acf
Thread C:\WINDOWS\SysWOW64\svchost.exe [3964:4952] 0000000003642acf
Thread C:\WINDOWS\SysWOW64\svchost.exe [3964:1584] 0000000003642acf
Thread C:\WINDOWS\SysWOW64\svchost.exe [2864:3900] 000000000319100e
Thread C:\WINDOWS\SysWOW64\svchost.exe [2864:3896] 000000000319100e
Thread C:\WINDOWS\SysWOW64\svchost.exe [2864:3480] 000000000319100e
Thread C:\WINDOWS\SysWOW64\svchost.exe [2864:1620] 000000000319100e
Thread C:\WINDOWS\SysWOW64\svchost.exe [2864:320] 000000000319100e

---- Services - GMER 2.2 ----

Service C:\WINDOWS\System32\qmgr.dll (*** hidden *** ) [MANUAL] BITS <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 980214135
Reg HKLM\SYSTEM\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\9@Timestamp 0xBB 0xA4 0x50 0xD6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xDA 0xC3 0xB4 0x51 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xDA 0x2B 0x79 0xB3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xDA 0x5B 0xF0 0xEF ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe 0x58 0x95 0x20 0xAB ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{350E5114-775F-4C54-BB17-ECFFB4A43A7A}@LastAccessedTime 0x50 0x62 0x9C 0x94 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{350E5114-775F-4C54-BB17-ECFFB4A43A7A}@LaunchCount 4
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{B06D61C5-4246-4A82-90E4-3C3522CB6929}@LastAccessedTime 0xA0 0x3C 0x99 0xD6 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{B06D61C5-4246-4A82-90E4-3C3522CB6929}@LaunchCount 9

---- Files - GMER 2.2 ----

File C:\ADSM_PData_0150 0 bytes
File C:\ADSM_PData_0150\DB 0 bytes
File C:\ADSM_PData_0150\DB\SI.db 624 bytes
File C:\ADSM_PData_0150\DB\UL.db 16 bytes
File C:\ADSM_PData_0150\DB\VL.db 16 bytes
File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes
File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable
File C:\ADSM_PData_0150\_avt 512 bytes

---- EOF - GMER 2.2 ----