GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-11-02 17:11:02
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003b HGST_HTS721010A9E630 rev.JB0OA3J0 931,51GB
Running: 90qp1uej.exe; Driver: C:\Users\GABRIE~1\AppData\Local\Temp\pwldqpob.sys

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\nvvsvc.exe[564] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffaa1ef169a 4 bytes [EF, A1, FA, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[564] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffaa1ef16a2 4 bytes [EF, A1, FA, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[564] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffaa1ef181a 4 bytes [EF, A1, FA, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[564] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffaa1ef1832 4 bytes [EF, A1, FA, 7F]
.text C:\WINDOWS\system32\WLANExt.exe[1412] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffaa1ef169a 4 bytes [EF, A1, FA, 7F]
.text C:\WINDOWS\system32\WLANExt.exe[1412] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffaa1ef16a2 4 bytes [EF, A1, FA, 7F]
.text C:\WINDOWS\system32\WLANExt.exe[1412] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffaa1ef181a 4 bytes [EF, A1, FA, 7F]
.text C:\WINDOWS\system32\WLANExt.exe[1412] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffaa1ef1832 4 bytes [EF, A1, FA, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1948] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffaa1ef169a 4 bytes [EF, A1, FA, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1948] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffaa1ef16a2 4 bytes [EF, A1, FA, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1948] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffaa1ef181a 4 bytes [EF, A1, FA, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1948] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffaa1ef1832 4 bytes [EF, A1, FA, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1948] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffa975c1f6a 4 bytes [5C, 97, FA, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1948] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffa975c1f82 4 bytes [5C, 97, FA, 7F]
.text C:\Program Files\Qualcomm Atheros\Network Manager\KillerService.exe[2208] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffaa1ef169a 4 bytes [EF, A1, FA, 7F]
.text C:\Program Files\Qualcomm Atheros\Network Manager\KillerService.exe[2208] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffaa1ef16a2 4 bytes [EF, A1, FA, 7F]
.text C:\Program Files\Qualcomm Atheros\Network Manager\KillerService.exe[2208] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffaa1ef181a 4 bytes [EF, A1, FA, 7F]
.text C:\Program Files\Qualcomm Atheros\Network Manager\KillerService.exe[2208] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffaa1ef1832 4 bytes [EF, A1, FA, 7F]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2224] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffaa1ef169a 4 bytes [EF, A1, FA, 7F]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2224] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffaa1ef16a2 4 bytes [EF, A1, FA, 7F]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2224] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffaa1ef181a 4 bytes [EF, A1, FA, 7F]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2224] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffaa1ef1832 4 bytes [EF, A1, FA, 7F]
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2316] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffaa1ef169a 4 bytes [EF, A1, FA, 7F]
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2316] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffaa1ef16a2 4 bytes [EF, A1, FA, 7F]
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2316] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffaa1ef181a 4 bytes [EF, A1, FA, 7F]
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2316] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffaa1ef1832 4 bytes [EF, A1, FA, 7F]
.text C:\Program Files\avast\ng\vbox\AvastVBoxSVC.exe[3340] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffaa1ef169a 4 bytes [EF, A1, FA, 7F]
.text C:\Program Files\avast\ng\vbox\AvastVBoxSVC.exe[3340] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffaa1ef16a2 4 bytes [EF, A1, FA, 7F]
.text C:\Program Files\avast\ng\vbox\AvastVBoxSVC.exe[3340] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffaa1ef181a 4 bytes [EF, A1, FA, 7F]
.text C:\Program Files\avast\ng\vbox\AvastVBoxSVC.exe[3340] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffaa1ef1832 4 bytes [EF, A1, FA, 7F]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2836] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffaa1ef169a 4 bytes [EF, A1, FA, 7F]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2836] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffaa1ef16a2 4 bytes [EF, A1, FA, 7F]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2836] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffaa1ef181a 4 bytes [EF, A1, FA, 7F]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2836] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffaa1ef1832 4 bytes [EF, A1, FA, 7F]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[7096] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffa975c1f6a 4 bytes [5C, 97, FA, 7F]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[7096] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffa975c1f82 4 bytes [5C, 97, FA, 7F]

---- Devices - GMER 2.1 ----

Device \Driver\iaStorA \Device\RaidPort0 ffffe001c48152c0
Device \Driver\cdrom \Device\CdRom0 ffffe001c49c62c0
Device \Driver\iaStorA \Device\0000003b ffffe001c48152c0
Device \Driver\iaStorA \Device\ScsiPort0 ffffe001c48152c0
Device \Driver\iaStorA \Device\0000003a ffffe001c48152c0

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xffffe001c48152c0]<< sptd.sys storport.sys hal.dll iaStorA.sys ffffe001c48152c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe001c5df2060] ffffe001c5df2060
Trace 3 CLASSPNP.SYS[fffff801ea70dabb] -> nt!IofCallDriver -> [0xffffe001c4670e50] ffffe001c4670e50
Trace 5 ACPI.sys[fffff801e96ae7aa] -> nt!IofCallDriver -> \Device\0000003b[0xffffe001c4672060] ffffe001c4672060
Trace \Driver\iaStorA[0xffffe001c467bae0] -> IRP_MJ_CREATE -> 0xffffe001c48152c0 ffffe001c48152c0

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\system32\csrss.exe [784:808] fffff9600083bb90

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x8C 0xC4 0x1E 0x9E ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x46 0xAD 0xA5 0x38 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x4E 0xEC 0x25 0x9E ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xBF 0x5D 0xB6 0x38 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 6
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SDC324C0_00_07DD_D1^3D784659200D6C3F0740E8E8928395C9@Timestamp 0x40 0x8B 0x5D 0x9F ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 868
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Users\GABRIE~1\AppData\Local\Temp\~nsu.tmp\Au_.exe??\??\C:\Users\GABRIE~1\AppData\Local\Temp\~nsu.tmp??\??\C:\Users\GABRIE~1\AppData\Local\Temp\nsr2F1A.tmp\ImgEngine.dll??\??\C:\Users\GABRIE~1\AppData\Local\Temp\nsr2F1A.tmp\??\??\C:\Users\GABRIE~1\AppData\Local\Temp\nsr2F1A.tmp\Lang\ENU.dll??\??\C:\Users\GABRIE~1\AppData\Local\Temp\nsr2F1A.tmp\Lang\PLK.dll??\??\C:\Users\GABRIE~1\AppData\Local\Temp\nsr2F1A.tmp\ImgEngine.dll??\??\C:\Users\GABRIE~1\AppData\Local\Temp\nsr2F1A.tmp\??
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 3899995
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 600023659
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 9
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 426399155
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 13305
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 8459
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 1b90acac-0ed4-469f-8362-bb7c8cf
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog@FileCounter 3
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger@FileCounter 9
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters@BootCounter 11
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\303a64d3c204
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings
Reg HKLM\SYSTEM\CurrentControlSet\Services\bthserv\Parameters\BluetoothControlPanelTasks@State 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{041a8a1c-4638-4a0c-8189-1a5adffa63f8}@LastProbeTime 1414943571
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Tag 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@ImagePath \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@DisplayName MBAMSwissArmy
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Group FSFilter Activity Monitor
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@WOW64 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances@DefaultInstance MBAMSwissArmy Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances\MBAMSwissArmy Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances\MBAMSwissArmy Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?N?, ?lis ?02 ?14, 03:54:35
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 890
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 18
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-In v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|LPort=3587|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=p2psvc|Name=@%systemroot%\system32\provsvc.dll,-200|Desc=@%systemroot%\system32\provsvc.dll,-201|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-Out v2.22|Action=Allow|Active=FALSE|Dir=Out|Protocol=6|Profile=Private|RPort=3587|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=p2psvc|Name=@%systemroot%\system32\provsvc.dll,-203|Desc=@%systemroot%\system32\provsvc.dll,-204|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-In v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Private|LPort=3540|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|Name=@%systemroot%\system32\provsvc.dll,-205|Desc=@%systemroot%\system32\provsvc.dll,-206|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-Out v2.22|Action=Allow|Active=FALSE|Dir=Out|Protocol=17|Profile=Private|RPort=3540|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|Name=@%systemroot%\system32\provsvc.dll,-207|Desc=@%systemroot%\system32\provsvc.dll,-208|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 8
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AACA2A7C-AB8E-4FEA-93DF-1518518F050E}@LeaseObtainedTime 1414939957
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AACA2A7C-AB8E-4FEA-93DF-1518518F050E}@T1 1415242357
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AACA2A7C-AB8E-4FEA-93DF-1518518F050E}@T2 1415469157
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AACA2A7C-AB8E-4FEA-93DF-1518518F050E}@LeaseTerminatesTime 1415544757
Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\1@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\1@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\2@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\2@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\3@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\3@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell\Grid@Logo100 %USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer\TileCacheLogo-230640_100.dat
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell\Grid@StartView100 %USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer\TileCacheStartView-236796_100.dat

---- EOF - GMER 2.1 ----