GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-20 18:42:04
Windows 6.2.9200 x64
\Device\Harddisk0\DR0 -> \Device\0000002b WDC_WD5000BPVT-22HXZT3 rev.01.01A01 465,76GB
Running: jhnmqgsg.exe; Driver: C:\Users\Dariusz\AppData\Local\Temp\uglyiaow.sys


---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\atiesrxx.exe[792] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffb85af169a 4 bytes [AF, 85, FB, 7F]
.text  C:\Windows\system32\atiesrxx.exe[792] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffb85af16a2 4 bytes [AF, 85, FB, 7F]
.text  C:\Windows\system32\atiesrxx.exe[792] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffb85af181a 4 bytes [AF, 85, FB, 7F]
.text  C:\Windows\system32\atiesrxx.exe[792] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffb85af1832 4 bytes [AF, 85, FB, 7F]
.text  C:\Windows\system32\atieclxx.exe[1020] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffb85af169a 4 bytes [AF, 85, FB, 7F]
.text  C:\Windows\system32\atieclxx.exe[1020] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffb85af16a2 4 bytes [AF, 85, FB, 7F]
.text  C:\Windows\system32\atieclxx.exe[1020] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffb85af181a 4 bytes [AF, 85, FB, 7F]
.text  C:\Windows\system32\atieclxx.exe[1020] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffb85af1832 4 bytes [AF, 85, FB, 7F]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [484:516]  fffff96000839b90

---- Processes - GMER 2.1 ----

Library  C:\Program Files\WindowsApps\Microsoft.SkypeApp_3.1.0.1007_x86__kzf8qxf38zg5c\LibWrap.dll (*** suspicious ***) @ C:\Windows\syswow64\wwahost.exe [2400] (Microsoft Skype/Microsoft Corporation)(2015-03-18 20:00:23)  0000000070c60000

---- Services - GMER 2.1 ----

Service  System32\drivers\ylsr.sys (*** hidden *** )  [BOOT] rtgmrx  <-- ROOTKIT !!!

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime  0xDE 0x43 0x92 0x51 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime  0xEC 0x70 0x99 0x51 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime  0x6E 0xF8 0x66 0x06 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime  0x80 0x8B 0x0B 0x6F ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@en-US  18
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\CMO11000_09_07D9_65^7C5B51B4D1A3124A0D6C4D020E28B7E6@Timestamp  0x68 0x0A 0x40 0x53 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings@StringCacheGeneration  69
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{A47E2220-E4B1-4572-A5BD-CCCEB4B897E3}\Connection@Name  Reusable ISATAP Interface {A47E2220-E4B1-4572-A5BD-CCCEB4B897E3}
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  \??\C:\Users\Dariusz\Downloads\Unlocker1.9.2.exe??\??\C:\Windows\Update.exe??\??\C:\Users\Dariusz\AppData\Roaming\nvxasync\nvxasync.exe??\??\C:\ProgramData\nvxasync\com.apple.Safari.plist??\??\C:\ProgramData\nvxasync\klite.exe??\??\C:\ProgramData\nvxasync\nvxasync.exe??\??\C:\ProgramData\nvxasync\Prefaddon??\??\C:\ProgramData\nvxasync\Preferences??\??\C:\ProgramData\nvxasync\prefs.js??\??\C:\ProgramData\nvxasync\setting.dat??\??\C:\ProgramData\nvxasync\starter.xml??\??\C:\ProgramData\nvxasync\Web Data??\??\C:\Users\Dariusz\AppData\Roaming\nvxasync\com.apple.Safari.plist??\??\C:\Users\Dariusz\AppData\Roaming\nvxasync\klite.exe??\??\C:\Users\Dariusz\AppData\Roaming\nvxasync\Prefaddon??\??\C:\Users\Dariusz\AppData\Roaming\nvxasync\Preferences??\??\C:\Users\Dariusz\AppData\Roaming\nvxasync\prefs.js??\??\C:\Users\Dariusz\AppData\Roaming\nvxasync\setting.dat??\??\C:\Users\Dariusz\AppData\Roaming\nvxasync\starter.xml??\??\C:\Users\Dariusz\AppData\Roaming\nvxasync\Web Data??\??\C:\ProgramData\nvxasync??\??\C:\Users\
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber  3899996
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  1377930821
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId  19
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime  438046612
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime  9734
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID  2d1e085f-0217-424d-9127-6614341
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog@FileCounter  1
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger@FileCounter  9
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\amdsata\Parameters\Device-1@AmdSataCounter  13
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{08e618fc-f081-4087-97a5-fc60b06051fa}@LastProbeTime  1426870566
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{A47E2220-E4B1-4572-A5BD-CCCEB4B897E3}@InterfaceName  Reusable ISATAP Interface {A47E2220-E4B1-4572-A5BD-CCCEB4B897E3}
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{A47E2220-E4B1-4572-A5BD-CCCEB4B897E3}@ReusableType  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\80-1f-02-ed-a0-f4@AddressCreationTimestamp  0x7A 0xD4 0x1C 0x0B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime  ?Pt?, ?mar ?20 ?15, 04:57:21??????y???????y???????????????y????
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rtgmrx
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rtgmrx@ImagePath  System32\drivers\ylsr.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rtgmrx@Start  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rtgmrx@Type  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rtgmrx@ErrorControl  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rtgmrx@mdrg  \??\C:\Windows\WinStore\ppok
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rtgmrx@bgisst  C:\Windows
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rtgmrx@gqdsno  101862
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rtgmrx@Group  System Reserved
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rtgmrx
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  879
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  95
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence  18
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{478E128A-EA42-45CD-AA6A-EC1F52CE0FC6}@LeaseObtainedTime  1426866966
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{478E128A-EA42-45CD-AA6A-EC1F52CE0FC6}@T1  1584546966
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{478E128A-EA42-45CD-AA6A-EC1F52CE0FC6}@T2  1702806966
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{478E128A-EA42-45CD-AA6A-EC1F52CE0FC6}@LeaseTerminatesTime  1742226966
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop  0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter  17
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU@MRUList  ba
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband@FavoritesChanges  10
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest  0xAA 0xA6 0x53 0x8F ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Store@LastStoreActivity  0xF9 0x4A 0x34 0xC7 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Store@LastTileRefresh  0x06 0xF7 0xC8 0xBE ...
Reg  HKCU\Software\Microsoft\Windows\Roaming\OpenWith\UrlAssociations\http\UserChoice@Hash  sgVCuJyjosQ=
Reg  HKCU\Software\Microsoft\Windows\Roaming\OpenWith\UrlAssociations\http\UserChoice@ProgId  IE.HTTP
Reg  HKCU\Software\Microsoft\Windows\Roaming\OpenWith\UrlAssociations\https\UserChoice@Hash  lZ8MWmm5Mjs=
Reg  HKCU\Software\Microsoft\Windows\Roaming\OpenWith\UrlAssociations\https\UserChoice@ProgId  IE.HTTPS
Reg  HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice@Hash  sgVCuJyjosQ=
Reg  HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice@ProgId  IE.HTTP
Reg  HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice@Hash  lZ8MWmm5Mjs=
Reg  HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice@ProgId  IE.HTTPS

---- EOF - GMER 2.1 ----
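Added example (not part of the log above and not GMER's own code): a small Python parser that reads GMER's text format and pulls out the three things worth triaging first in this scan: the service GMER marks "*** hidden ***" joined with its registry key (Start 0 and Type 1 are the documented Service Control Manager constants SERVICE_BOOT_START and SERVICE_KERNEL_DRIVER, so rtgmrx is a kernel driver loaded at boot, before most defences), any value names under that key that a normal driver key does not carry (mdrg, bgisst, gqdsno), the PendingFileRenameOperations list, and the library flagged "*** suspicious ***". The sample input is an excerpt copied from the log above, split one entry per line. One assumption is made: GMER prints the NUL separators of the REG_MULTI_SZ PendingFileRenameOperations value as "?", so a source path followed by "??" is a (source, empty destination) pair, which is how MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT records a delete-on-reboot.

```python
import re

# Excerpt of the GMER 2.1 log above, one entry per line (constructed sample;
# every entry is copied from the log, nothing is invented).
SAMPLE_LOG = r"""
GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-20 18:42:04
Windows 6.2.9200 x64

---- Processes - GMER 2.1 ----

Library  C:\Program Files\WindowsApps\Microsoft.SkypeApp_3.1.0.1007_x86__kzf8qxf38zg5c\LibWrap.dll (*** suspicious ***) @ C:\Windows\syswow64\wwahost.exe [2400] (Microsoft Skype/Microsoft Corporation)(2015-03-18 20:00:23)  0000000070c60000

---- Services - GMER 2.1 ----

Service  System32\drivers\ylsr.sys (*** hidden *** )  [BOOT] rtgmrx  <-- ROOTKIT !!!

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  \??\C:\Windows\Update.exe??\??\C:\ProgramData\nvxasync\klite.exe??\??\C:\ProgramData\nvxasync
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rtgmrx
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rtgmrx@ImagePath  System32\drivers\ylsr.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rtgmrx@Start  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rtgmrx@Type  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rtgmrx@ErrorControl  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rtgmrx@mdrg  \??\C:\Windows\WinStore\ppok
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rtgmrx@bgisst  C:\Windows
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rtgmrx@gqdsno  101862
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rtgmrx@Group  System Reserved
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{478E128A-EA42-45CD-AA6A-EC1F52CE0FC6}@LeaseObtainedTime  1426866966

---- EOF - GMER 2.1 ----
"""

SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"
# Value names the SCM itself defines under a driver's service key.
STANDARD_SERVICE_VALUES = {"ImagePath", "Start", "Type", "ErrorControl", "Group", "DisplayName", "Tag"}

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SERVICE_RE = re.compile(r"^Service\s+(?P<image>.+?)\s+\(\*\*\* hidden \*\*\* ?\)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)")
LIBRARY_RE = re.compile(r"^Library\s+(?P<path>.+?)\s+\(\*\*\* suspicious \*\*\*\)\s+@\s+(?P<host>.+?)\s+\[(?P<pid>\d+)\]")
REG_RE = re.compile(r"^Reg\s+(?P<key>[^@]+?)(?:@(?P<value>\S+)(?:\s+(?P<data>.*))?)?$")
# Assumption: GMER renders the MULTI_SZ NUL separators as '?'. Each source path is
# introduced by the NT prefix \??\ and file names cannot contain '?', so every
# \??\<path> run is one entry; the "??" after it is the empty destination (delete).
PENDING_PATH_RE = re.compile(r"\\\?\?\\([^?]+)")


def parse_gmer(text):
    """Split a GMER log into the entries an analyst triages first."""
    report = {"sections": [], "hidden_services": [], "suspicious_libraries": [],
              "registry": {}, "pending_file_renames": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            report["sections"].append(section)
            continue
        if section == "Services" and (m := SERVICE_RE.match(line)):
            report["hidden_services"].append(m.groupdict())
        elif section == "Processes" and (m := LIBRARY_RE.match(line)):
            report["suspicious_libraries"].append(m.groupdict())
        elif section == "Registry" and (m := REG_RE.match(line)):
            values = report["registry"].setdefault(m["key"], {})  # key-only lines still register the key
            if m["value"]:
                values[m["value"]] = m["data"] or ""
                if m["value"] == "PendingFileRenameOperations":
                    report["pending_file_renames"] = PENDING_PATH_RE.findall(m["data"] or "")
    return report


def hidden_service_config(report):
    """Join each hidden service with its registry key. Start 0 is SERVICE_BOOT_START,
    Type 1 is SERVICE_KERNEL_DRIVER (documented SCM constants)."""
    out = {}
    for svc in report["hidden_services"]:
        cfg = report["registry"].get(SERVICES_KEY + "\\" + svc["name"], {})
        out[svc["name"]] = {
            "image": svc["image"],
            "boot_start": cfg.get("Start") == "0",
            "kernel_driver": cfg.get("Type") == "1",
            # Value names the SCM does not define; on a driver key these deserve a look.
            "nonstandard_values": {k: v for k, v in cfg.items() if k not in STANDARD_SERVICE_VALUES},
        }
    return out


if __name__ == "__main__":
    rep = parse_gmer(SAMPLE_LOG)
    for name, cfg in hidden_service_config(rep).items():
        print(f"hidden service {name}: image={cfg['image']} boot_start={cfg['boot_start']} "
              f"kernel_driver={cfg['kernel_driver']} extra={sorted(cfg['nonstandard_values'])}")
    print("delete-on-reboot entries:", rep["pending_file_renames"])
    for lib in rep["suspicious_libraries"]:
        print(f"suspicious library {lib['path']} in {lib['host']} (pid {lib['pid']})")
```

Run it against the full log by reading the saved GMER text instead of SAMPLE_LOG; the regexes tolerate GMER's variable spacing, and sections the parser does not model (user code hooks, threads) are simply skipped.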