GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-11-26 00:10:37 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000030 TOSHIBA_MQ01ABD075 rev.AX0A4M 698,64GB Running: h05265is.exe; Driver: C:\Users\Piter\AppData\Local\Temp\kxtyruod.sys ---- User code sections - GMER 2.2 ---- .text C:\WINDOWS\system32\atiesrxx.exe[516] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff86eee169a 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\system32\atiesrxx.exe[516] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff86eee16a2 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\system32\atiesrxx.exe[516] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff86eee181a 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\system32\atiesrxx.exe[516] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff86eee1832 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\system32\atieclxx.exe[1044] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff86eee169a 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\system32\atieclxx.exe[1044] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff86eee16a2 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\system32\atieclxx.exe[1044] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff86eee181a 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\system32\atieclxx.exe[1044] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff86eee1832 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\system32\WLANExt.exe[1320] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff86eee169a 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\system32\WLANExt.exe[1320] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff86eee16a2 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\system32\WLANExt.exe[1320] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff86eee181a 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\system32\WLANExt.exe[1320] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff86eee1832 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\Explorer.EXE[1500] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff86eee169a 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\Explorer.EXE[1500] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff86eee16a2 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\Explorer.EXE[1500] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff86eee181a 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\Explorer.EXE[1500] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff86eee1832 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\System32\spoolsv.exe[1628] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff86eee169a 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\System32\spoolsv.exe[1628] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff86eee16a2 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\System32\spoolsv.exe[1628] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff86eee181a 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\System32\spoolsv.exe[1628] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff86eee1832 4 bytes [EE, 6E, F8, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[864] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff86eee169a 4 bytes [EE, 6E, F8, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[864] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff86eee16a2 4 bytes [EE, 6E, F8, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[864] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff86eee181a 4 bytes [EE, 6E, F8, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[864] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff86eee1832 4 bytes [EE, 6E, F8, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[864] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ff86b3b1f6a 4 bytes [3B, 6B, F8, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[864] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ff86b3b1f82 4 bytes [3B, 6B, F8, 7F] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2420] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff86eee169a 4 bytes [EE, 6E, F8, 7F] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2420] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff86eee16a2 4 bytes [EE, 6E, F8, 7F] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2420] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff86eee181a 4 bytes [EE, 6E, F8, 7F] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2420] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff86eee1832 4 bytes [EE, 6E, F8, 7F] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2580] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff86eee169a 4 bytes [EE, 6E, F8, 7F] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2580] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff86eee16a2 4 bytes [EE, 6E, F8, 7F] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2580] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff86eee181a 4 bytes [EE, 6E, F8, 7F] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2580] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff86eee1832 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[300] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff86eee169a 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[300] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff86eee16a2 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[300] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff86eee181a 4 bytes [EE, 6E, F8, 7F] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[300] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff86eee1832 4 bytes [EE, 6E, F8, 7F] ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [740:764] fffff96000832b90 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 1094334514 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 2151 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime 281491 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeBootMgrTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppStartTimestamp 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeLibraryInitTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeInitTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeHiberFileTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeRestoreImageStartTimestamp 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeIoTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeMapTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAllocateTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeKernelSwitchTimestamp 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp 280812 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp 280814 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TimeStampCounterAtSwitchTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState 281450 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberHiberFileTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberInitTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberSharedBufferTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalHibernateTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeHiberFileTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeInitTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeSharedBufferTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime 609 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelAnimationTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesProcessed 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesWritten 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesProcessed 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesWritten 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberWriteRate 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberCompressRate 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeReadRate 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressRate 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FileRuns 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeIoCpuTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberIoCpuTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp 0xEE 0x37 0x30 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14749160716562280@SetupOperations ???)?????)?)?)?*?*?*?*???????????a??????????????????????????????????????????????????? ???????)???????????)???????? ??????????????????????????)??????Reverted?????)?)?)?)?)?)?)?)???????????????????t?????????????i???????????????)???????????????????????????)???????????s?????)?????+?+?+?+?,?,?,?,?????????????>???????????????????????????????????????)??????????????? ???????)???????????)???????????????????????D??????????????s??????)????? ???????)???????????)????????$?\??? ??????MFE??? T??)??????????r???\??\C:\Program Files\AVAST Software\Avast????)?)?)?)?)?)????? P??)??????????????\??\C:\ProgramData\AVAST Software\Avast???????*??)??????????????????\??\C:\Program Files??????\??)??????????????\??\C:\Program Files\AVAST Software\SZBrowser???? X??)??????????r???\??\C:\ProgramData\AVAST Software\SZBrowser??????????)?????????r????\??\C:\Users?e??? ???????'?????)?????)??????????P?,??????????????????.??4????)?)?)?)?)?)?)?)?????????????l??tM???????????e??????el????P??)????????hC:\??\SystemRoot\system32\drivers\aswStm.sys?ys? Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14749162475462280@SetupOperations ???)?????+?+?+?+?,?,?,?,?????????????>???????????????????????????????????????)??????????????? ???????)???????????)???????????????????????D??????????????s??????)????? ???????)???????????)????????$?\??? ??????MFE??? T??)??????????r???\??\C:\Program Files\AVAST Software\Avast????)?)?)?)?)?)????? P??)??????????????\??\C:\ProgramData\AVAST Software\Avast???????*??)??????????????????\??\C:\Program Files??????\??)??????????????\??\C:\Program Files\AVAST Software\SZBrowser???? X??)??????????r???\??\C:\ProgramData\AVAST Software\SZBrowser??????????)?????????r????\??\C:\Users?e??? ???????'?????)?????)??????????P?,??????????????????.??4????)?)?)?)?)?)?)?)?????????????l??tM???????????e??????el????P??)????????hC:\??\SystemRoot\system32\drivers\aswStm.sys?ys???????????)???e?????eon??aswStm?Afe???? ??)??????p:??NDIS?E???????)???1???????e??tcpip????E????F??)?????????n????avast! StreamFilter Callout Driver??????? ???????)?????)???????????????????? ??????????????)????? ???????)???????????)???????? ???????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\a08869a92733 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\a08869a92733@5cb524c47539 0x4A 0x91 0xF6 0x8E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\a08869a92733@b4cef65295ff 0x21 0xA6 0x54 0xF6 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{589E3848-AECA-4240-84E0-52459458AE67}@DefunctTimestamp 0x28 0x55 0x38 0x58 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 63590 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 7848 Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 1462 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C8E41D18-8BE9-44E7-9072-7599AC082087}@LeaseObtainedTime 1480088201 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C8E41D18-8BE9-44E7-9072-7599AC082087}@T1 1480091801 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C8E41D18-8BE9-44E7-9072-7599AC082087}@T2 1480094501 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C8E41D18-8BE9-44E7-9072-7599AC082087}@LeaseTerminatesTime 1480095401 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----