GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-05 10:30:48
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500DM002-1BD142 rev.KC45 465,76GB
Running: 9ct9xem4.exe; Driver: C:\Users\GRZEGO~1\AppData\Local\Temp\kfddqaoc.sys

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:2108] 00000000011f653a
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:2540] 00000000738d01c7
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:2544] 00000000738d9ca3
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:2548] 00000000738d01c7
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:2992] 0000000072705fa0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:3728] 0000000071883d83
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:4772] 000000006ff4e718
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:4776] 000000006ff4e718
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:4780] 000000006ff4e718
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:4960] 000000006ca320b5
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:5016] 000000006ca320b5
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:5100] 000000006c2dfa97
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:5104] 000000006c2dfa97
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:5108] 000000006c36e622
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:3536] 000000006ca320b5
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:3900] 000000006ca320b5
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:7636] 0000000070ae1140
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:9068] 0000000072558420
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:8696] 000000006ca320b5
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:7216] 000000006ff4e718
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:7568] 000000006ff4e718
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:6704] 000000006ff4e718
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2104:7604] 000000006ff4e718
Thread C:\WINDOWS\system32\csrss.exe [3484:6344] fffffa2cd9d96c20

---- Services - GMER 2.2 ----

Service C:\WINDOWS\System32\qmgr.dll (*** hidden *** ) [MANUAL] BITS <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Users\GRZEGO~1\AppData\Local\Temp\nsdE763.tmp\nsProcess.dll??\??\C:\Users\GRZEGO~1\AppData\Local\Temp\nsdE763.tmp\??
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -70024482
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS
Reg HKLM\SYSTEM\CurrentControlSet\Services\KLIF\Parameters@CheckVersion 18
Reg HKLM\SYSTEM\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\13@Timestamp 0x1F 0xC7 0x67 0x1A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{343a5120-dc9b-4b3c-bea3-990830fdc54d}@LeaseObtainedTime 1475652443
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{343a5120-dc9b-4b3c-bea3-990830fdc54d}@T1 1475654243
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{343a5120-dc9b-4b3c-bea3-990830fdc54d}@T2 1475655593
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{343a5120-dc9b-4b3c-bea3-990830fdc54d}@LeaseTerminatesTime 1475656043
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x57 0xD0 0x53 0xAB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x57 0x38 0x18 0x0D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x57 0x68 0x8F 0x49 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationFrame\TitleBar\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge@ForegroundColorInactive -6710887
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationFrame\TitleBar\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge@ButtonBackgroundColor -2656256
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationFrame\TitleBar\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge@ButtonForegroundColor -1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationFrame\TitleBar\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge@ButtonHoverBackgroundColor -2456295
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationFrame\TitleBar\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge@ButtonHoverForegroundColor -1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationFrame\TitleBar\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge@ButtonPressedBackgroundColor -2125005
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationFrame\TitleBar\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge@ButtonPressedForegroundColor -1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationFrame\TitleBar\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge@ButtonBackgroundColorInactive -1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationFrame\TitleBar\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge@ButtonForegroundColorInactive -6710887
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{5CE5CCF6-73DC-40D4-BD89-F13087BE8373}@LastAccessedTime 0xC0 0xCF 0x73 0x99 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{5CE5CCF6-73DC-40D4-BD89-F13087BE8373}@LaunchCount 2
Reg HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice@Hash QoeMWBfW9ds=

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----