GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-11-06 13:26:41 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002d HGST_HTS545050A7E380 rev.GG2OACA0 465,76GB Running: rmq2tm48.exe; Driver: C:\Users\HP\AppData\Local\Temp\kgldrpow.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\system32\wbem\wbemsvc.dll [2544] entry point in ".rdata" section 000000006c8f8fc0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [2768] entry point in ".rdata" section 0000000071471350 ? C:\WINDOWS\SYSTEM32\wship6.dll [2796] entry point in ".rdata" section 00000000708f2470 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [2796] entry point in ".rdata" section 000000006c8f8fc0 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [6580] entry point in ".rdata" section 000000006c8f8fc0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [8136] entry point in ".rdata" section 0000000071471350 ? C:\WINDOWS\SYSTEM32\iertutil.dll [7328] entry point in ".rdata" section 0000000071471350 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [9304] entry point in ".rdata" section 000000006c8f8fc0 ? C:\WINDOWS\system32\apphelp.dll [9152] entry point in ".rdata" section 000000006c7cf7c0 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:1576] 0000000000e9ad60 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:1880] 0000000072f01410 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:2108] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:2384] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:2388] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:5096] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:5100] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:5104] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:5108] 000000006c1b0b70 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:5112] 0000000071a95c60 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:5116] 0000000071a95c60 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4120] 0000000071a95c60 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4020] 0000000071a95c60 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4116] 0000000071a95c60 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4172] 0000000071a95c60 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4184] 0000000071a95c60 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4268] 0000000071a95c60 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4128] 0000000071a95c60 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4108] 0000000071a95c60 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4104] 0000000071a96f60 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4288] 0000000071a96f60 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:1324] 0000000071a96190 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:1744] 0000000071b1c080 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:3180] 0000000071b1ac60 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:3876] 0000000071b1b080 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:1776] 0000000071a99450 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:2892] 0000000071a99450 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:3872] 0000000071a99450 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4480] 0000000071a99450 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4084] 0000000071a99450 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4088] 0000000071a99450 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:2904] 0000000071a99450 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:3828] 0000000071a99450 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:3692] 0000000071a99450 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4016] 0000000071a99450 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4324] 0000000071a99120 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:1836] 000000006c101330 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:1268] 000000006c0c20c0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:1252] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:1832] 000000006c0c78d0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:1816] 000000006c0c78d0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:1840] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:1792] 0000000071ac6790 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:1788] 0000000071a98ab0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:1956] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:1852] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:3676] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:3648] 0000000071e69b70 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:3672] 000000006c1019c0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4724] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4700] 0000000071f0bf00 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4748] 0000000071f0f7b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4816] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4836] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:3544] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:5012] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4976] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:5156] 000000006bd9a0e0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:5444] 000000006bc77fd0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:5448] 000000006bc77fd0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:5452] 000000006bc77fd0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:5456] 000000006bc77fd0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:5460] 000000006bc77fd0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:5464] 000000006bc77fd0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:5932] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4516] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4196] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4168] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4164] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4720] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:3452] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4052] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:7172] 000000006c1b0a20 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:9508] 000000006c1b0a20 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:10236] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:5572] 0000000072328ca0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:8152] 000000006bda9a20 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:7180] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4048] 0000000071278420 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:4160] 0000000076d7d5b0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1472:10288] 0000000076d7d5b0 Thread C:\WINDOWS\system32\csrss.exe [4024:7700] fffffe1c54a06c20 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1129733088 Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14758725318592280@SetupOperations ???2?????2?2?????????????3???????????????????i??????????? ???????0?????2?????2??????????P?9??????????????2??????????????aswSnx???????2?2?2?2?2?2?2?2?????????????????????2??????????????MoveFile("\??\c:\program files\avast software\avast\webrep\ie\templates\safeshop\safeshop.js.147738456642101","\??\c:\program files\avast software\avast\webrep\ie\templates\safeshop\safeshop.js",TRUE)?MoveFile("\??\c:\program files\avast software\avast\webrep\ie\templates\safeshop\safeshop.js.sum.147738456642101","\??\c:\program files\avast software\avast\webrep\ie\templates\safeshop\safeshop.js.sum",TRUE)?MoveFile("\??\c:\program files\avast software\avast\webrep\ie\templates\show_safeshop_toolbar.js.147738456642101","\??\c:\program files\avast software\avast\webrep\ie\templates\show_safeshop_toolbar.js",TRUE)?MoveFile("\??\c:\program files\avast software\avast\webrep\ie\templates\show_safeshop_toolbar.js.sum.147738456642101","\??\c:\program files\avast software\avast\webrep\ie\templates\show_safeshop_toolbar.js.sum",TRUE)?Mov Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\485ab667dfee Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\485ab667dfee@a0b4a51dbe19 0xBE 0x22 0xDC 0x17 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\485ab667dfee@28987b587f4d 0xAA 0x4B 0x7B 0x5B ... Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?niedz.?, ?lis ?06 ?16, 12:07:52??????????????????????j???????? Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x33 0xF7 0x90 0x1D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x33 0x5F 0x55 0x7F ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x33 0x8F 0xCC 0xBB ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----