GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-01-16 18:37:23
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000033 WDC_WD5000BPKT-75PK4T0 rev.01.01A01 465,76GB
Running: 1lyzt1ng.exe; Driver: C:\Users\Pryta\AppData\Local\Temp\fwdyrkog.sys

---- Modules - GMER 2.2 ----

Module \??\C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys fffff803b83c0000-fffff803b83ce000 (57344 bytes)

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xDB 0x8C 0xA7 0x0F ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xCF 0x23 0x58 0x37 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x0F 0xB2 0x21 0x8C ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xB0 0x66 0xA1 0x86 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 55
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\CMO17180_17_07DA_E5^3230A3F787348A849EBA987AF6A86798@Timestamp 0x24 0xA8 0x00 0xF6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\cleanup.old??\??\C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware??\??\C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.old??
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 3774143
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 602855981
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 55
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 494344960
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 88d19b21-0ddf-4c23-8445-09d8835
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName Global\MMF_BITSb2717e84-5d18-4a2c-a3cf-0d13b74d82c6
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\4c80930e226f
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\4c80930e226f@08fc88ad82f4 0xAC 0x45 0xFE 0xD9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\bthserv\Parameters\BluetoothControlPanelTasks@State 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\cdrom\Parameters\Wdf@TimeOfLastTelemetryLog 0x9F 0x51 0x6D 0x17 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x5E 0x05 0x21 0x17 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{21142c68-9cce-4374-8aee-d780c8f9029a}@LastProbeTime 1484520070
Reg HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters\Wdf@TimeOfLastTelemetryLog 0xAF 0x52 0x4E 0x17 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\huawei_enumerator\Parameters\Wdf@TimeOfLastTelemetryLog 0x30 0xB4 0x6F 0x17 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\ibtfltcoex\Parameters\Wdf@TimeOfLastTelemetryLog 0x50 0x4C 0x72 0x1A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\intelppm\Parameters\Wdf@TimeOfLastTelemetryLog 0x9F 0x51 0x6D 0x17 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\LEqdUsb\Parameters\Wdf@TimeOfLastTelemetryLog 0x6B 0x87 0x6D 0x1A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\LHidFilt\Parameters\Wdf@TimeOfLastTelemetryLog 0x3A 0xAF 0x74 0x1A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\LMouFilt\Parameters\Wdf@TimeOfLastTelemetryLog 0x3A 0xAF 0x74 0x1A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\msisadrv\Parameters\Wdf@TimeOfLastTelemetryLog 0xDC 0x17 0x13 0x09 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x30 0xB4 0x6F 0x17 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Diagnostics@ReadyBootTrainingCountSinceLastServicing 23
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?niedz.?, ?sty ?15 ?17, 10:43:55
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@EffectivePends 481
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 5679
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 2098
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-In v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|LPort=3587|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=p2psvc|Name=@%systemroot%\system32\provsvc.dll,-200|Desc=@%systemroot%\system32\provsvc.dll,-201|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-Out v2.26|Action=Allow|Active=FALSE|Dir=Out|Protocol=6|Profile=Private|RPort=3587|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=p2psvc|Name=@%systemroot%\system32\provsvc.dll,-203|Desc=@%systemroot%\system32\provsvc.dll,-204|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-In v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Private|LPort=3540|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|Name=@%systemroot%\system32\provsvc.dll,-205|Desc=@%systemroot%\system32\provsvc.dll,-206|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-Out v2.26|Action=Allow|Active=FALSE|Dir=Out|Protocol=17|Profile=Private|RPort=3540|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|Name=@%systemroot%\system32\provsvc.dll,-207|Desc=@%systemroot%\system32\provsvc.dll,-208|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 54
Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 901
Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters\Wdf@TimeOfLastTelemetryLog 0x33 0x29 0xA4 0x17 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@DhcpDomain chello.pl
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@DhcpNameServer 62.179.1.70 62.179.1.71
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{de7119be-3c62-47dd-909b-165029c8f2a4}@DhcpIPAddress 192.168.0.11
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{de7119be-3c62-47dd-909b-165029c8f2a4}@DhcpServer 192.168.0.1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{de7119be-3c62-47dd-909b-165029c8f2a4}@LeaseObtainedTime 1484572339
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{de7119be-3c62-47dd-909b-165029c8f2a4}@T1 1484615539
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{de7119be-3c62-47dd-909b-165029c8f2a4}@T2 1484647939
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{de7119be-3c62-47dd-909b-165029c8f2a4}@LeaseTerminatesTime 1484658739
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{de7119be-3c62-47dd-909b-165029c8f2a4}@DhcpNetworkHint 55053413332363339363
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{de7119be-3c62-47dd-909b-165029c8f2a4}@DhcpDomain chello.pl
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{de7119be-3c62-47dd-909b-165029c8f2a4}@DhcpNameServer 62.179.1.70 62.179.1.71
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{de7119be-3c62-47dd-909b-165029c8f2a4}@DhcpDefaultGateway 192.168.0.1?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{de7119be-3c62-47dd-909b-165029c8f2a4}@Dhcpv6State 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{de7119be-3c62-47dd-909b-165029c8f2a4}@DhcpV6NetworkHint 55053413332363339363
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{de7119be-3c62-47dd-909b-165029c8f2a4}@Dhcpv6MaxLeaseExpireTime 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{de7119be-3c62-47dd-909b-165029c8f2a4}@Dhcpv6ServerPreference 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{de7119be-3c62-47dd-909b-165029c8f2a4}@Dhcpv6IsUnicastEnabled 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{de7119be-3c62-47dd-909b-165029c8f2a4}@Dhcpv6LeaseObtainedTime 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\umbus\Parameters\Wdf@TimeOfLastTelemetryLog 0x5E 0x05 0x21 0x17 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UmPass\Parameters\Wdf@TimeOfLastTelemetryLog 0x8F 0xA8 0x41 0xB0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters\Wdf@TimeOfLastTelemetryLog 0x20 0xB1 0xB4 0x17 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters\Wdf@TimeOfLastTelemetryLog 0xDA 0x8C 0x68 0x17 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\uvhid\Parameters\Wdf@TimeOfLastTelemetryLog 0x30 0xB4 0x6F 0x17 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrvroot\Parameters\Wdf@TimeOfLastTelemetryLog 0x6F 0xB4 0x2F 0x09 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\vwifibus\Parameters\Wdf@TimeOfLastTelemetryLog 0xDC 0x8D 0x49 0x17 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xD6 0xF5 0x8D 0xE5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xD6 0x5D 0x52 0x47 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xD6 0x8D 0xC9 0x83 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 23020 23026 23038 23048 23058 23078 23122 23132 23170 23176 23192
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 23198
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 23199
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 23020
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 23021
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...

---- Files - GMER 2.2 ----

ADS C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys 47304 bytes executable <-- ROOTKIT !!!
ADS C:\Program Files (x86)\UCBrowser\Security:x64 739728 bytes executable
ADS C:\Program Files (x86)\UCBrowser\Security:x86 602512 bytes executable
ADS C:\Windows\System32\drivers:ucdrv-x64.sys 47304 bytes executable
ADS C:\Windows\System32\drivers:x64 739728 bytes executable
ADS C:\Windows\System32\drivers:x86 602512 bytes executable

---- Services - GMER 2.2 ----

Service C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [SYSTEM] ucdrv <-- ROOTKIT !!!

---- EOF - GMER 2.2 ----