GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-05-29 22:50:37
Windows 6.2.9200 x64
\Device\Harddisk0\DR0 -> \Device\0000001f ST1000LM024_HN-M101MBB rev.2BA30001 931,51GB
Running: 8tizqw9y.exe; Driver: C:\Users\MMAZU_~1\AppData\Local\Temp\kgldiaoc.sys

---- Kernel code sections - GMER 2.2 ----

.text  C:\WINDOWS\System32\win32k.sys!W32pServiceTable  fffff96000070a00 15 bytes [00, 31, EF, 01, 00, 36, 6A, ...]
.text  C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16  fffff96000070a10 11 bytes [00, E4, FB, FF, C0, 4B, E6, ...]

---- Devices - GMER 2.2 ----

Device  \Driver\NDProxy \Device\NDProxy  fffff80036615920

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [796:820]  fffff960008c92d0

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime  0xB6 0x8A 0x1D 0xB8 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime  0x1E 0x9C 0x10 0xF5 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@en-US  219
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CrashControl@LastCrashTime  0xB4 0xC8 0x73 0xC9 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\CMN17280_0F_07DC_15^AF85B96C3E31AAC9C5C695E305D53DA8@Timestamp  0xA8 0x82 0x1E 0xCD ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  880
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\f693fb01-e858-4f00-b20f-f30e12ac06d6\191f65b5-d45c-4a4f-8aae-1ab8bfd980e6@Attributes  0
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  1523399054
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID  0512df0a-2360-4c93-b182-f0f1c4e
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId  3
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName  \BaseNamedObjects\WDI_{81bdbbd6-d087-44cb-ae7f-6918737d2d88}
Reg  HKLM\SYSTEM\CurrentControlSet\Services\AmdPPM\Parameters\Wdf@TimeOfLastSqmLog  0x43 0x9D 0xED 0xB4 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswStm\Parameters\Wdf@TimeOfLastSqmLog  0x6E 0x6D 0x1B 0xCA ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\543530c5a420
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\543530c5a420@58a2b5099240  0x58 0x2F 0xBE 0x8E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\543530c5a420@30220003c12b  0x43 0x2D 0xE3 0xA7 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\cdrom\Parameters\Wdf@TimeOfLastSqmLog  0xDF 0x7F 0x39 0xB5 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters\Wdf@TimeOfLastSqmLog  0x43 0x9D 0xED 0xB4 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\DellRbtn\Parameters\Wdf@TimeOfLastSqmLog  0x17 0x9A 0x5F 0xB5 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{de66f024-812f-4fc7-9915-6f22943816e1}@LastProbeTime  1464438308
Reg  HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters\Wdf@TimeOfLastSqmLog  0x0F 0x15 0x03 0xB5 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\huawei_enumerator\Parameters\Wdf@TimeOfLastSqmLog  0x46 0xF1 0x68 0xB5 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf@TimeOfLastSqmLog  0x46 0xF1 0x68 0xB5 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PEAUTH\Parameters\Wdf@TimeOfLastSqmLog  0xE7 0xF6 0x35 0xFE ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime  ?So?, ?maj ?28 ?16, 12:37:51??????P???????P???????????????P????
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  18921
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  4975
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SmbDrv\Parameters\Wdf@TimeOfLastSqmLog  0x17 0x9A 0x5F 0xB5 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence  218
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS  1757
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters\Wdf@TimeOfLastSqmLog  0x0F 0x4C 0x54 0xB5 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98F77A31-5081-4919-A7CB-0C1B21F3D3B7}@LeaseObtainedTime  1464535795
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98F77A31-5081-4919-A7CB-0C1B21F3D3B7}@T1  1464539395
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98F77A31-5081-4919-A7CB-0C1B21F3D3B7}@T2  1464542095
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98F77A31-5081-4919-A7CB-0C1B21F3D3B7}@LeaseTerminatesTime  1464542995
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UCX01000\Parameters\Wdf@TimeOfLastSqmLog  0x28 0xC5 0xF1 0xAA ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\umbus\Parameters\Wdf@TimeOfLastSqmLog  0x43 0x9D 0xED 0xB4 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters\Wdf@TimeOfLastSqmLog  0xA0 0x6D 0x4C 0xB6 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters\Wdf@TimeOfLastSqmLog  0x53 0x8B 0x21 0xB5 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\vwifibus\Parameters\Wdf@TimeOfLastSqmLog  0x86 0x71 0x13 0xB5 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpdUpFltr\Parameters\Wdf@TimeOfLastSqmLog  0xD6 0x15 0xCE 0x6D ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\GWX\Usage@UsageTime  0x74 0x7F 0xF0 0x01 ...

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- Files - GMER 2.2 ----

File  C:\Users\mmazu_000\AppData\Local\Mozilla\Firefox\Profiles\y95my363.default\cache2\entries\868086CFA08AD3DEAC4650DA811A29D85115C1E8  0 bytes
File  C:\Windows\Temp\WAX4A8.tmp  (size mismatch) 2138112/0 bytes executable

---- EOF - GMER 2.2 ----
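A log like the one above is easier to triage when the sections are split apart and the few entries that actually deserve a second look (the "Kernel code sections" hits, the "unknown MBR code" line, the "(size mismatch)" file, and the Unix-epoch timestamps in the DHCP lease and DNS probe values) are pulled out from the noise of routine registry writes. The parser and triage routine below are an added example written for this page; they are not part of GMER or its output. The sample input is a short excerpt of lines taken from the log above (with GMER's two-space field separators), and the field regexes and the "review"/"info" severities are this example's own assumptions about the format, not a specification published by gmer.net.

```python
"""Parse a GMER 2.2 rootkit-scan log and pull out the entries worth a second look."""
import re
from datetime import datetime, timezone

# Sample input: a handful of lines excerpted from the GMER log on this page.
SAMPLE_LOG = r"""GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-05-29 22:50:37
Windows 6.2.9200 x64
Running: 8tizqw9y.exe; Driver: C:\Users\MMAZU_~1\AppData\Local\Temp\kgldiaoc.sys

---- Kernel code sections - GMER 2.2 ----

.text  C:\WINDOWS\System32\win32k.sys!W32pServiceTable  fffff96000070a00 15 bytes [00, 31, EF, 01, 00, 36, 6A, ...]

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  880
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98F77A31-5081-4919-A7CB-0C1B21F3D3B7}@LeaseObtainedTime  1464535795
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98F77A31-5081-4919-A7CB-0C1B21F3D3B7}@LeaseTerminatesTime  1464542995

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- Files - GMER 2.2 ----

File  C:\Users\mmazu_000\AppData\Local\Mozilla\Firefox\Profiles\y95my363.default\cache2\entries\868086CFA08AD3DEAC4650DA811A29D85115C1E8  0 bytes
File  C:\Windows\Temp\WAX4A8.tmp  (size mismatch) 2138112/0 bytes executable

---- EOF - GMER 2.2 ----
"""

# Assumed field layout: GMER separates the entry type, the object and the data with two or more spaces.
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
REG_RE = re.compile(r"^Reg\s+(?P<key>.+?)(?:\s{2,}(?P<data>.*))?$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s{2,}(?P<rest>.*)$")
MISMATCH_RE = re.compile(r"\(size mismatch\)\s+(\d+)/(\d+)\s+bytes")


def parse_gmer(text):
    """Split a GMER log into {section_name: [entry lines]}.

    Lines before the first '---- X - GMER n ----' banner go under 'Header';
    parsing stops at the EOF banner so trailing junk is ignored."""
    sections, current = {"Header": []}, "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            if current == "EOF":
                break
            sections[current] = []
            continue
        sections[current].append(line)
    return sections


def epoch_to_utc(value):
    """Render a Unix epoch (the form GMER prints for DHCP lease and DNS probe times) in UTC."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def triage(sections):
    """Return (severity, section, message) tuples for the entries an analyst should look at."""
    findings = []
    # Every .text line is a spot where in-memory kernel code differs from the module on disk.
    # The W32pServiceTable hits in win32k.sys are a frequent benign case on x64, so flag for
    # review rather than calling them a rootkit outright.
    for line in sections.get("Kernel code sections", []):
        findings.append(("review", "Kernel code sections", line))
    for line in sections.get("Disk sectors", []):
        if "unknown MBR code" in line:
            findings.append(("review", "Disk sectors", line))
    for line in sections.get("Files", []):
        m = FILE_RE.match(line)
        mm = MISMATCH_RE.search(m.group("rest")) if m else None
        if mm:
            findings.append(("review", "Files",
                             f"{m.group('path')}: size mismatch {mm.group(1)}/{mm.group(2)} bytes"))
    for line in sections.get("Registry", []):
        m = REG_RE.match(line)
        if not m or m.group("data") is None:
            continue
        _key, _, name = m.group("key").rpartition("@")
        data = m.group("data").strip()
        # Decode values named *Time that look like a plausible Unix epoch (2001..2033).
        if name.endswith("Time") and data.isdigit() and 10**9 <= int(data) < 2 * 10**9:
            findings.append(("info", "Registry", f"{name} = {data} ({epoch_to_utc(data)})"))
    return findings


if __name__ == "__main__":
    for severity, section, message in triage(parse_gmer(SAMPLE_LOG)):
        print(f"[{severity:6}] {section}: {message}")
```

Run it against a full log by replacing `SAMPLE_LOG` with the file contents; the "info" lines give you the DHCP lease window in UTC, which you can line up against the scan time in the header (22:50:37 local here) when building a timeline.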