GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-12-15 21:48:05
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000038 HGST_HTS541010A7E630 rev.SE0OA4A0 931,51GB
Running: eqzwqhiw.exe; Driver: C:\Users\Laptop\AppData\Local\Temp\uxldapow.sys

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xD6 0x24 0xE3 0xBC ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xAB 0x80 0x49 0xDE ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x88 0xE9 0xE7 0xBC ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xB8 0xA7 0x50 0xDE ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 13
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\BOE05DF0_01_07DC_0C^47EE9A1EDCB57464EC634D53E0028AF9@Timestamp 0xC4 0xF9 0x38 0xBD ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 828
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\ProgramData\Avg_Update_1116sp\AVG-Secure-Search-Update_1116sp.exe??\??\C:\ProgramData\Avg_Update_1116sp??\??\C:\Program Files (x86)\Mozilla Firefox\tobedeleted\moz3194.tmp??\??\C:\Program Files (x86)\Mozilla Firefox\tobedeleted??\??\C:\Program Files (x86)\Mozilla Firefox\tobedeleted\moz3194.tmp??\??\C:\Program Files (x86)\Mozilla Firefox\tobedeleted\??\??\C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe??
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 3900041
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1121952842
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 13
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 491716617
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 1945
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 1934
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID b82acfd9-17a9-4f7a-833a-dee0b7b
Reg HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications\Components\TrustedInstaller@Events
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog@FileCounter 2
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\AVGIDSHA\Parameters@Reboot 38
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName Global\MMF_BITSea982821-c11d-4202-a2fd-e94a93fe05b0
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\6057184be424
Reg HKLM\SYSTEM\CurrentControlSet\Services\bthserv\Parameters\BluetoothControlPanelTasks@State 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{9f3b42cd-e725-42f3-ade0-09a6a71d8c95}@LastProbeTime 1481828728
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a82f8d60-15b9-4361-8a91-22b673c2c4a8}@LastProbeTime 1481829127
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{B996E223-E7AA-4DF2-AF6A-23503B633FB5}@InterfaceName Reusable ISATAP Interface {B996E223-E7AA-4DF2-AF6A-23503B633FB5}
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{B996E223-E7AA-4DF2-AF6A-23503B633FB5}@ReusableType 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{B996E223-E7AA-4DF2-AF6A-23503B633FB5}@DefunctTimestamp 0x4D 0xDD 0x52 0x58 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\cc-7b-35-4b-60-8f@AddressCreationTimestamp 0xA9 0x6C 0x63 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7@Timestamp 0xDE 0xEC 0xEE 0x67 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Diagnostics@ReadyBootTrainingCountSinceLastServicing 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?czw.?, ?gru ?15 ?16, 07:08:57?????????????????????????????????
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 4981
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 1620
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 12
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}@LeaseObtainedTime 1481825526
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}@T1 1481868726
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}@T2 1481901126
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}@LeaseTerminatesTime 1481911926
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}@DhcpConnForceBroadcastFlag 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}@DhcpNetworkHint 4505D2C494E4B4F5930303344454
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@EnableDHCP 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@Domain
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@NameServer
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@UseZeroBroadcast 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@MTU 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@RegistrationEnabled 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@RegisterAdapterName 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@DhcpIPAddress 192.168.1.3
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@DhcpSubnetMask 255.255.255.0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@DhcpServer 192.168.1.1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@Lease 86400
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@LeaseObtainedTime 1481825127
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@T1 1481868327
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@T2 1481900727
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@LeaseTerminatesTime 1481911527
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@AddressType 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@IsServerNapAware 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@DhcpConnForceBroadcastFlag 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@DhcpNetworkHint 4505D2C494E4B4F59435B42514
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@DhcpNameServer 192.168.1.1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@DhcpDefaultGateway 192.168.1.1?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@DhcpSubnetMaskOpt 255.255.255.0?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@DhcpInterfaceOptions 0xFC 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@DhcpGatewayHardware 0xC0 0xA8 0x01 0x01 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f12630a6-7d0f-4b25-afc2-84c21b8ee1d0}\4505D2C494E4B4F59435B42514@DhcpGatewayHardwareCount 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{F12630A6-7D0F-4B25-AFC2-84C21B8EE1D0}@DhcpV6NetworkHint 4505D2C494E4B4F5930303344454
Reg HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x7E 0x13 0xC8 0xAF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x7E 0x7B 0x8C 0x11 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x7E 0xAB 0x03 0x4E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 11558 11564 11576 11612 11622 11632 11652 11696 11706 11744 11750 11766
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 11772
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 11773
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 11558
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 11559
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\Pnp\CurrentControlSet\Control\DeviceMigration\Devices\SWD\DAFUPNPPROVIDER\UUID:0BEBC200-00C8-1000-A14F-1C5A3EDD821D\Interfaces\{d0875fb4-2196-4c7a-a63d-e416addd60a1}\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000E@ 0x64 0x62 0x04 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\Pnp\CurrentControlSet\Control\DeviceMigration\Devices\SWD\DAFUPNPPROVIDER\UUID:0BEBC200-00C8-1000-A14F-1C5A3EDD821D\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000E@ 0x64 0x62 0x04 0x00 ...

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [660:692] fffff99c05936c20

---- Services - GMER 2.2 ----

Service C:\WINDOWS\System32\qmgr.dll (*** hidden *** ) [AUTO] BITS <-- ROOTKIT !!!

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1533107612
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\6057184be424
Reg HKLM\SYSTEM\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7@Timestamp 0x2F 0x7B 0x32 0x3D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 1627
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xD0 0x41 0xF8 0x39 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xD0 0xA9 0xBC 0x9B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xD0 0xD9 0x33 0xD8 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\Pnp\CurrentControlSet\Control\DeviceMigration\Devices\SWD\DAFUPNPPROVIDER\UUID:0BEBC200-00C8-1000-A14F-1C5A3EDD821D\Interfaces\{d0875fb4-2196-4c7a-a63d-e416addd60a1}\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000E@ 0x64 0x62 0x04 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\Pnp\CurrentControlSet\Control\DeviceMigration\Devices\SWD\DAFUPNPPROVIDER\UUID:0BEBC200-00C8-1000-A14F-1C5A3EDD821D\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000E@ 0x64 0x62 0x04 0x00 ...

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code