GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-18 15:10:26
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000032 ST1000LM024_HN-M101MBB rev.2BA30001 931,51GB
Running: 5w10ywvz.exe; Driver: C:\Users\GLOBAL~1\AppData\Local\Temp\pxldqpod.sys


---- Devices - GMER 2.2 ----

Device  \Driver\RegFilter \Device\RegFilter fffff80516e81324

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [832:916] fffff14a1d336c20

---- Services - GMER 2.2 ----

Service C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys (*** hidden *** ) [DISABLED] ISODrive <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x52 0xC0 0xA8 0xAE ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x9F 0x3B 0xC5 0x7A ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 5
Reg     HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\AUO46EC0_04_07DF_53^3966F87BC3B3DA07E52BF2DA875776C9@Timestamp 0x12 0xA2 0x7E 0xB1 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 748
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Program Files\AVAST Software\Avast\setup\Reboot.txt??\??\C:\Program Files\AVAST Software\Avast\setup\Reboot.txt??\??\C:\Program Files\AVAST Software\Avast\setup\Reboot.txt??\??\C:\Program Files\AVAST Software\Avast\setup??\??\C:\Program Files\AVAST Software\Avast??\??\C:\Program Files\AVAST Software??\??\C:\Program Files??\??\C:\WINDOWS\SysWOW64??\??\C:\Program Files\AVAST Software\Avast\setup\Reboot.txt??\??\C:\Program Files\AVAST Software\Avast\setup??\??\C:\Program Files\AVAST Software\Avast??\??\C:\Program Files\AVAST Software??\??\C:\Program Files??\??\C:\WINDOWS\SysWOW64??\??\C:\Program Files\AVAST Software\Avast\setup\Reboot.txt??\??\C:\Program Files\AVAST Software\Avast\setup??\??\C:\Program Files\AVAST Software\Avast??\??\C:\Program Files\AVAST Software??\??\C:\Program Files??\??\C:\WINDOWS\SysWOW64??\??\C:\Program Files\AVAST Software\Avast\setup\Reboot.txt??\??\C:\Program Files\AVAST Software\Avast\setup??\??\C:\Program Files\AVAST Software\Avast??\??\C:\Program Files\AVAST Software??\??\C:
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 2710492
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -2107711800
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 6
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 486621414
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 0
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 3251
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID f4bfa51e-44c8-42c0-9168-a629c57
Reg     HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 3
Reg     HKLM\SYSTEM\CurrentControlSet\Services\acpipagr\Parameters\Wdf@TimeOfLastTelemetryLog 0x64 0x68 0xB7 0x8F ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters@BootCounter 7
Reg     HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start 2
Reg     HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName Global\MMF_BITS7a696c84-2eaf-4e36-a985-9d9a12585a5c
Reg     HKLM\SYSTEM\CurrentControlSet\Services\BITS
Reg     HKLM\SYSTEM\CurrentControlSet\Services\BthHFEnum\Parameters\Wdf@TimeOfLastTelemetryLog 0x28 0x84 0xB8 0xB3 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\bthhfhid\Parameters\Wdf@TimeOfLastTelemetryLog 0x5F 0x46 0xF4 0xB3 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\BthLEEnum\Parameters\Wdf@TimeOfLastTelemetryLog 0xF5 0xAB 0x73 0x94 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\80a58986fa4e
Reg     HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\80a58986fa4e@b6be2b296e09 0xE3 0xD9 0xF4 0xF4 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\bthserv\Parameters\BluetoothControlPanelTasks@State 0
Reg     HKLM\SYSTEM\CurrentControlSet\Services\cdrom\Parameters\Wdf@TimeOfLastTelemetryLog 0x7C 0x7C 0xAB 0x8F ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x04 0x07 0x96 0x8F ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{3bcc137c-e0ba-4311-9429-23fe2e376da1}@LastProbeTime 1476614815
Reg     HKLM\SYSTEM\CurrentControlSet\Services\dptf_cpu\Parameters\Wdf@TimeOfLastTelemetryLog 0x15 0xF3 0xA1 0x8F ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\dptf_pch\Parameters\Wdf@TimeOfLastTelemetryLog 0x64 0x68 0xB7 0x8F ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\esif_lf\Parameters\Wdf@TimeOfLastTelemetryLog 0x2A 0x07 0x17 0xBC ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x13 0x1A 0xA9 0x8F ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\intelppm\Parameters\Wdf@TimeOfLastTelemetryLog 0x13 0x1A 0xA9 0x8F ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{16CCFA0C-315C-4D7A-909B-161BA7A7033C}
Reg     HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{16CCFA0C-315C-4D7A-909B-161BA7A7033C}@InterfaceName Reusable ISATAP Interface {16CCFA0C-315C-4D7A-909B-161BA7A7033C}
Reg     HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{16CCFA0C-315C-4D7A-909B-161BA7A7033C}@ReusableType 1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{16CCFA0C-315C-4D7A-909B-161BA7A7033C}@DeviceInstancePath SWD\IP_TUNNEL_VBUS\ISATAP_1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{16CCFA0C-315C-4D7A-909B-161BA7A7033C}@DefunctTimestamp 0xB0 0x33 0x05 0x58 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{99C31CD9-93EB-45BF-82FC-A9F5FE138898}@InterfaceName Reusable ISATAP Interface {99C31CD9-93EB-45BF-82FC-A9F5FE138898}
Reg     HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{99C31CD9-93EB-45BF-82FC-A9F5FE138898}@ReusableType 2
Reg     HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\88-a6-c6-a8-2f-18@AddressCreationTimestamp 0x7B 0x8E 0x16 0x0E ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\88-a6-c6-a8-2f-18@NatDetectionTimestamp 0x7B 0x80 0x16 0x0E ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\88-a6-c6-a8-2f-18@ClientLocalPort 61979
Reg     HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\88-a6-c6-a8-2f-18@UPnPExternalPort 61979
Reg     HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\88-a6-c6-a8-2f-18@TeredoAddress 2001:0:5ef5:79fb:38a3:de4:43d0:8076
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ISODrive
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ISODrive@DisplayName ISO DVD/CD-ROM Device Driver
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ISODrive@WOW64 1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ISODrive@Type 2
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ISODrive@Start 4
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ISODrive@ErrorControl 0
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ISODrive@ImagePath \??\C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ISODrive@DeleteFlag 1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ISODrive
Reg     HKLM\SYSTEM\CurrentControlSet\Services\MEIx64\Parameters\Wdf@TimeOfLastTelemetryLog 0x15 0xF3 0xA1 0x8F ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\monitor\Parameters\Wdf@TimeOfLastTelemetryLog 0xF4 0xD1 0xF9 0xAE ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\msisadrv\Parameters\Wdf@TimeOfLastTelemetryLog 0x36 0x25 0xB3 0x89 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x64 0x68 0xB7 0x8F ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge 0
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 1955
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 374
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SmbDrvI\Parameters\Wdf@TimeOfLastTelemetryLog 0x13 0x1A 0xA9 0x8F ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 4
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e169950f-953f-4ca2-88db-63e83e7b233e}@LeaseObtainedTime 1476787567
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e169950f-953f-4ca2-88db-63e83e7b233e}@T1 1476830767
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e169950f-953f-4ca2-88db-63e83e7b233e}@T2 1476863167
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e169950f-953f-4ca2-88db-63e83e7b233e}@LeaseTerminatesTime 1476873967
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{e169950f-953f-4ca2-88db-63e83e7b233e}@Dhcpv6State 2
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{e169950f-953f-4ca2-88db-63e83e7b233e}@Dhcpv6InformationObtainedTime 1476787566
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{e169950f-953f-4ca2-88db-63e83e7b233e}@Dhcpv6InformationRefreshTime 86400
Reg     HKLM\SYSTEM\CurrentControlSet\Services\TPM@OsBootCount 54
Reg     HKLM\SYSTEM\CurrentControlSet\Services\TPM\Parameters\Wdf@TimeOfLastTelemetryLog 0x85 0x5F 0xCD 0x89 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI\Endorsement@EkRetryLast 0x50 0xB6 0xDA 0xAB ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\umbus\Parameters\Wdf@TimeOfLastTelemetryLog 0x04 0x07 0x96 0x8F ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters\Wdf@TimeOfLastTelemetryLog 0x0A 0x2D 0x01 0x90 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters\Wdf@TimeOfLastTelemetryLog 0x15 0xF3 0xA1 0x8F ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\vdrvroot\Parameters\Wdf@TimeOfLastTelemetryLog 0x85 0x5F 0xCD 0x89 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xCE 0xA9 0xD9 0x0A ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xCE 0x11 0x9E 0x6C ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xCE 0x41 0x15 0xA9 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0
Reg     HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 11292 11298 11310 11346 11356 11366 11386 11430 11440 11478 11484 11500
Reg     HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 11506
Reg     HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 11507
Reg     HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 11292
Reg     HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 11293
Reg     HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg     HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg     HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw 0x64 0x62 0x03 0x00 ...
Reg     HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask 0x64 0x62 0x03 0x00 ...
Reg     HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@Rw 0x64 0x62 0x03 0x00 ...
Reg     HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@RwMask 0x64 0x62 0x03 0x00 ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280810@LastAccessed 0x49 0x50 0xB0 0x71 ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280810@AccelerateCacheRefreshLastHandled 0xEF 0xD2 0xDB 0x7E ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280811@LastAccessed 0xAE 0xF0 0xAD 0x71 ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280811@AccelerateCacheRefreshLastHandled 0x3C 0x04 0xF5 0x7E ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter 21
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband@FavoritesRemovedChanges 44
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814}\iexplore@Count 73
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore@Count 27
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\Creative@LockImageFlags 3
Reg     HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppHang_LiveUpdate.exe_be12f03789cdc6508418f7f79c65986b77be938_819488b7_035cc2cc

---- Disk sectors - GMER 2.2 ----

Disk    \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----
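The Services section of this scan tags ISODrive as a hidden rootkit, while the Registry section dumps the same key with Start 4 (disabled) and DeleteFlag 1, and Session Manager carries a PendingFileRenameOperations value written by an Avast setup, i.e. a reboot is pending. GMER reports a service as hidden when its key is present under HKLM\SYSTEM\CurrentControlSet\Services but the Service Control Manager does not enumerate it; a DeleteFlag of 1 is exactly the state a service is left in after DeleteService() when the key cannot be removed until the next boot, which produces the same discrepancy without any hooking. The script below is an added triage helper, not part of GMER and not something the poster ran; it parses the Service and Reg line formats used in this log and cross-checks each hidden-service hit against the registry lines dumped for the same key. SAMPLE_LOG is re-typed from the scan above with the long PendingFileRenameOperations value cut to its first path; the Finding verdict strings and the single-token value-name parsing are this example's own choices.

```python
"""Cross-check a GMER 2.2 "hidden service" hit against the Registry section
of the same log.  Added example; not GMER code and not part of the scan."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the Services hit plus the ISODrive and Session Manager
# lines re-typed from the scan (PendingFileRenameOperations shortened).
SAMPLE_LOG = r"""
---- Services - GMER 2.2 ----

Service C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys (*** hidden *** ) [DISABLED] ISODrive <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Program Files\AVAST Software\Avast\setup\Reboot.txt
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ISODrive
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ISODrive@DisplayName ISO DVD/CD-ROM Device Driver
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ISODrive@Type 2
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ISODrive@Start 4
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ISODrive@ImagePath \??\C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ISODrive@DeleteFlag 1
"""

# "Service <image> (*** <flag> *** ) [<state>] <name> <-- <verdict>"
SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\(\*\*\*\s*(?P<flag>\w+)\s*\*\*\*\s*\)"
    r"\s*(?:\[(?P<state>[^\]]+)\])?\s*(?P<name>\S+)(?:\s+<--\s+(?P<verdict>.*?))?\s*$"
)
SERVICES_KEY = "hklm\\system\\currentcontrolset\\services\\"          # lower-cased prefix
SESSION_MANAGER_KEY = "hklm\\system\\currentcontrolset\\control\\session manager"
START_TYPES = {"0": "BOOT_START", "1": "SYSTEM_START", "2": "AUTO_START",
               "3": "DEMAND_START", "4": "DISABLED"}


@dataclass
class ServiceHit:
    image: str
    flag: str                 # e.g. "hidden"
    state: Optional[str]      # e.g. "DISABLED"
    name: str                 # service key name
    verdict: Optional[str]    # GMER's annotation, e.g. "ROOTKIT !!!"


@dataclass
class Finding:
    name: str
    verdict: str              # "likely-false-positive" or "investigate"
    reasons: List[str] = field(default_factory=list)


def parse_gmer(text: str) -> Tuple[List[ServiceHit], Dict[str, Dict[str, str]]]:
    """Return service hits and {lower-cased key path -> {value name -> data}}."""
    hits: List[ServiceHit] = []
    reg: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            hits.append(ServiceHit(**m.groupdict()))
            continue
        if not line.startswith("Reg "):
            continue
        key, _, rest = line[4:].strip().partition("@")
        values = reg.setdefault(key.lower(), {})
        # GMER separates the value name from its data by whitespace.  Value
        # names containing spaces (e.g. "Object List") would need a lookup
        # table; the service-key values used here are single tokens.
        vname, _, data = rest.partition(" ")
        if vname:
            values[vname] = data
    return hits, reg


def triage_hidden_services(text: str) -> List[Finding]:
    """Reconcile each hidden-service hit with the registry dump of its key."""
    hits, reg = parse_gmer(text)
    reboot_pending = "PendingFileRenameOperations" in reg.get(SESSION_MANAGER_KEY, {})
    findings: List[Finding] = []
    for hit in hits:
        if hit.flag.lower() != "hidden":
            continue
        values = reg.get(SERVICES_KEY + hit.name.lower())
        if not values:
            findings.append(Finding(hit.name, "investigate",
                                    ["no registry dump for this service key in the log"]))
            continue
        reasons: List[str] = []
        image_path = values.get("ImagePath", "")
        if image_path.startswith("\\??\\"):
            image_path = image_path[4:]            # strip the NT object-manager prefix
        if image_path.lower() == hit.image.lower():
            reasons.append("ImagePath matches the file GMER reported")
        if values.get("Start") in START_TYPES:
            reasons.append(f"Start={values['Start']} ({START_TYPES[values['Start']]})")
        if values.get("DeleteFlag") == "1":
            reasons.append("DeleteFlag=1: the SCM has already dropped this service and the "
                           "key goes away on reboot, which explains the registry/SCM mismatch")
            if reboot_pending:
                reasons.append("PendingFileRenameOperations is set: a reboot is pending")
            verdict = "likely-false-positive"
        else:
            verdict = "investigate"
        findings.append(Finding(hit.name, verdict, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_hidden_services(SAMPLE_LOG):
        print(f"{f.name}: {f.verdict}")
        for r in f.reasons:
            print("  -", r)
```

A "likely-false-positive" verdict is a reason to rescan after the pending reboot and confirm the key is gone, not a reason to stop; a hidden service whose key has no DeleteFlag, or whose ImagePath differs from the file GMER saw, stays "investigate".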