GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-11-29 21:35:29
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002d SanDisk_SDSSDHII240G rev.X31200RL 223,57GB
Running: v4pjshmu.exe; Driver: C:\Users\KATARZ~1\AppData\Local\Temp\kgrcqpod.sys

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [2808:7616]  fffff960008ad2d0
Thread  C:\Windows\System32\SettingSyncHost.exe [2364:7836]  00007ff85a641fe0

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\AUO37ED0_00_07DD_95^FEE311AE8C2BFD77E38D9D0DE563180D@Timestamp  0xBE 0xEF 0x29 0xFB ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  987866223
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime  2068
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime  2046
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime  4892
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeBootMgrTime  91
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppTime  593
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppStartTimestamp  2168
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeInitTime  74
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeHiberFileTime  468
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeRestoreImageStartTimestamp  2270
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeIoTime  133
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressTime  296
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeKernelSwitchTimestamp  2761
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp  2778
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp  4084
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TimeStampCounterAtSwitchTime  2773
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState  4767
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberHiberFileTime  2130
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberInitTime  140
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalHibernateTime  5822
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeHiberFileTime  1297
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime  662
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesProcessed  340065
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesWritten  0x30 0xF1 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesProcessed  33709
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesWritten  0xE8 0x33 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberWriteRate  294
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberCompressRate  66
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeReadRate  457
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressRate  120
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@MaxHuffRatio  8
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeIoCpuTime  120
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberIoCpuTime  221
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HybridBootAnimationTime  1323
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp  0x61 0xAE 0x2F 0x02 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId  7
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14749676625462280@SetupOperations  ???%?????&?&?&?&?'?'?'???????????????????????????????????????????&???%???????????????&?%?%?%?%?%????? P??%???????????%??\??\C:\ProgramData\AVAST Software\Avast?t?????*??%??????????????????\??\C:\Program Files?m???????%?????????rro??\??\C:\Users?t????\??%???v??????????\??\C:\Program Files\AVAST Software\SZBrowser???? X??%???U??????rF??\??\C:\ProgramData\AVAST Software\SZBrowser?? ??? ???????$?????%?????%??????????P?)??????&???????????????%???%?%?%?%?%?%?%?%????????????????t????????????\??????co????P??%???l????h\C:??\SystemRoot\system32\drivers\aswStm.sys?ys?:\P???????%???\?????ed.??aswStm?C:\???? ??%???e??pc??NDIS? ???????%???P???????e??tcpip?? ? ????F??%???l?????nmo??avast! StreamFilter Callout Driver?\????? ???????%?????%???????????????????? ??????r???????%????? ???????%???????????%???????? ????????f?????????????????????????%?%?%???????????????????????????%?????????????????????????%????? ???????$?????%?????%??????????$?*??????????????????%???%???%?%?%?%?%?%?????????????m??td???????????????????t????$??%?????
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14749718097502280@SetupOperations  ???&?????'?(?(?(?(?)?)?)????????????????????????????????????????????????4???????????????? ???????%???????????&???????? ??????????????????????????&??????Commited?$???&?&?&?&?&?&?&??????????? ???????????????????????????????????&???????????????????????????&??????????????DeleteFile("\??\C:\Program Files\AVAST Software\Avast\setup\FwReboot.txt")?DeleteFile("\??\C:\Program Files\AVAST Software\Avast\setup\settings-8e8.ori")????????????????Q??????????????????????????????? ???????%???????????&???????? ??????????????????????????&??????Commited?????&?&?&?&?&?&?&???????????e???????????????????m???????????????&???????????????????????????&??????????????DeleteFile("\??\C:\Program Files\AVAST Software\Avast\setup\settings-8e8.ori")??????????????????????????????????????????????? ???????%???????????&???????? ??????????????????????????&???&??Commited?&???&?&?&?&?&?&?&???????????p???????????????????????????????????&???s???????????????-???????&???o???????s??DeleteFile("\??\C:\Program Files\AVAST Software\Avast\setup\settings-8e
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\303a64bb0aa7
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\303a64bb0abb
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{A673F7AB-1105-478A-A89E-8A9B29C6AA11}@DefunctTimestamp  0xC6 0xC4 0x3D 0x58 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\3c-81-d8-0a-0c-f8@AddressCreationTimestamp  0xDE 0x55 0x4E 0x0E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\3c-81-d8-0a-0c-f8@ClientLocalPort  62041
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\3c-81-d8-0a-0c-f8@TeredoAddress  2001:0:9d38:6abd:2cdf:da6:aceb:e518
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\3c-81-d8-0a-0c-f8@UPnPExternalPort  62041
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  13388
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  11478
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS  1110
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{156BFD62-9BC8-4606-BDD7-CD264D9C482A}@LeaseObtainedTime  1480443098
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{156BFD62-9BC8-4606-BDD7-CD264D9C482A}@T1  1480486298
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{156BFD62-9BC8-4606-BDD7-CD264D9C482A}@T2  1480518698
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{156BFD62-9BC8-4606-BDD7-CD264D9C482A}@LeaseTerminatesTime  1480529498
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime  0xBF 0x1C 0x2B 0x09 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime  0xBF 0x1C 0x2B 0x09 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherBandwidthBucketCounter  0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherRequestBucketCounter  0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime  0xBF 0x1C 0x2B 0x09 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter  1347
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalBandwidthBucketDrainTime  0x18 0x5F 0xA4 0x92 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter  0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime  0xBF 0x1C 0x2B 0x09 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@RoamingSyncToken  LM%3d63616008017873%3bID%3d52F9FCC177A5B1!104%3bLR%3d63616039914710%3bEP%3d13%3bSI%3d0%3bTD%3dTrue%3bSO%3d0%3bPI%3d49
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime  0xE4 0x19 0x5E 0xC5 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest  0x97 0x61 0x79 0x1C ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations  0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@0  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\About Java.lnk?C:\Program Files (x86)\Java\jre1.8.0_111\bin\javacpl.exe?-tab about?
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@1  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Check For Updates.lnk?C:\Program Files (x86)\Java\jre1.8.0_111\bin\javacpl.exe?-tab update?
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@2  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Configure Java.lnk?C:\Program Files (x86)\Java\jre1.8.0_111\bin\javacpl.exe??

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----