GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-01-31 02:19:51 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000036 HGST_HTS545050A7E680 rev.GR2OA320 465,76GB Running: z7iqttkv.exe; Driver: C:\Users\LENA_M~1\AppData\Local\Temp\agayrkog.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\SYSTEM32\iertutil.dll [6532] entry point in ".rdata" section 000000006f4f1590 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [6532] entry point in ".rdata" section 000000006e1ea020 ? C:\WINDOWS\SYSTEM32\dbgcore.DLL [6532] entry point in ".rdata" section 000000006e1bc940 ? C:\Windows\System32\OneCoreUAPCommonProxyStub.dll [6532] entry point in ".rdata" section 0000000062ed7ec0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3976] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffb9728132f 8 bytes [50, 6E, F9, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3976] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ffb97281421 8 bytes [40, 6E, F9, 7E, 00, 00, 00, ...] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3976] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ffb972816b0 8 bytes [20, 6E, F9, 7E, 00, 00, 00, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3976] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ffb97281894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3976] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffb9728230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3976] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffb97326260 8 bytes {JMP QWORD [RIP-0xa4bb6]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3976] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffb97326560 8 bytes {JMP QWORD [RIP-0xa4cd2]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3976] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffb973265c0 8 bytes {JMP QWORD [RIP-0xa5297]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3976] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb97326800 8 bytes {JMP QWORD [RIP-0xa52d6]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3976] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffb97326960 8 bytes {JMP QWORD [RIP-0xa5545]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3976] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb97327770 8 bytes {JMP QWORD [RIP-0xa5467]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3976] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffb97327d70 8 bytes {JMP QWORD [RIP-0xa63af]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3976] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb97328fb0 8 bytes {JMP QWORD [RIP-0xa7682]} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3976] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 0000000052261462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3976] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 00000000522616b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3976] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 00000000522617eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3976] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 000000005226181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3976] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 0000000052261857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Lena_Mateusz\Desktop\z7iqttkv.exe[7768] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ffb9728132f 8 bytes [50, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\Lena_Mateusz\Desktop\z7iqttkv.exe[7768] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ffb97281421 8 bytes [40, 6E, F8, 7F, 00, 00, 00, ...] .text ... * 2 .text C:\Users\Lena_Mateusz\Desktop\z7iqttkv.exe[7768] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ffb972816b0 8 bytes [20, 6E, F8, 7F, 00, 00, 00, ...] .text C:\Users\Lena_Mateusz\Desktop\z7iqttkv.exe[7768] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ffb97281894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Users\Lena_Mateusz\Desktop\z7iqttkv.exe[7768] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ffb9728230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Users\Lena_Mateusz\Desktop\z7iqttkv.exe[7768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffb97326260 8 bytes {JMP QWORD [RIP-0xa4bb6]} .text C:\Users\Lena_Mateusz\Desktop\z7iqttkv.exe[7768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ffb97326560 8 bytes {JMP QWORD [RIP-0xa4cd2]} .text C:\Users\Lena_Mateusz\Desktop\z7iqttkv.exe[7768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffb973265c0 8 bytes {JMP QWORD [RIP-0xa5297]} .text C:\Users\Lena_Mateusz\Desktop\z7iqttkv.exe[7768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb97326800 8 bytes {JMP QWORD [RIP-0xa52d6]} .text C:\Users\Lena_Mateusz\Desktop\z7iqttkv.exe[7768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ffb97326960 8 bytes {JMP QWORD [RIP-0xa5545]} .text C:\Users\Lena_Mateusz\Desktop\z7iqttkv.exe[7768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb97327770 8 bytes {JMP QWORD [RIP-0xa5467]} .text C:\Users\Lena_Mateusz\Desktop\z7iqttkv.exe[7768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffb97327d70 8 bytes {JMP QWORD [RIP-0xa63af]} .text C:\Users\Lena_Mateusz\Desktop\z7iqttkv.exe[7768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb97328fb0 8 bytes {JMP QWORD [RIP-0xa7682]} .text C:\Users\Lena_Mateusz\Desktop\z7iqttkv.exe[7768] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 0000000052261462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Lena_Mateusz\Desktop\z7iqttkv.exe[7768] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 00000000522616b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Lena_Mateusz\Desktop\z7iqttkv.exe[7768] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 00000000522617eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Lena_Mateusz\Desktop\z7iqttkv.exe[7768] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 000000005226181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Lena_Mateusz\Desktop\z7iqttkv.exe[7768] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 0000000052261857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ? C:\WINDOWS\system32\apphelp.dll [7768] entry point in ".rdata" section 000000006b00f7c0 ---- Devices - GMER 2.2 ---- Device \Driver\klupd_klif_klark \Device\klark_030405_KLIF fffff8097a9f8ed8 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [852:904] ffffd81858136c20 Thread C:\WINDOWS\system32\svchost.exe [1844:2268] 00007ffb89715bd0 Thread C:\WINDOWS\system32\svchost.exe [1844:2296] 00007ffb89719b20 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x71 0x6D 0x10 0xF2 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x15 0x3E 0x48 0xCD ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0xCC 0xCF 0x12 0xF2 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x15 0x3E 0x48 0xCD ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@de-DE 45 Reg HKLM\SYSTEM\CurrentControlSet\Control\Elantech@bETDCtrlClose 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD03970_00_07DC_EE^F0433B40C31A2C96177365AA0485F907@Timestamp 0x23 0xC1 0x4E 0xF2 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 984 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 2710570 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 445447166 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 45 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 495617875 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 4069 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 4069 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID d02919b8-7efa-4f24-8dbc-1e6da5a Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName Global\MMF_BITS392a222a-b2d3-45b4-a6ef-92e878bcf865 Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\d0534912cf32 Reg HKLM\SYSTEM\CurrentControlSet\Services\bthserv\Parameters\BluetoothControlPanelTasks@State 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{91e0bbc4-603d-4a09-8e2f-78ea2da59889}@LastProbeTime 1485823538 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{E76C9ABE-FEF2-41B5-B06E-EE86C69ACD5F}@InterfaceName Reusable ISATAP Interface {E76C9ABE-FEF2-41B5-B06E-EE86C69ACD5F} Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{E76C9ABE-FEF2-41B5-B06E-EE86C69ACD5F}@ReusableType 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Diagnostics@ReadyBootTrainingCountSinceLastServicing 9 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?wt.?, ?sty ?31 ?17, 12:47:11 AM??????????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@EffectivePends 5 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 10819 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 3427 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 44 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bcb40ed0-b329-4de9-aaa2-3fb4c5c46e2c}@LeaseObtainedTime 1485819937 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bcb40ed0-b329-4de9-aaa2-3fb4c5c46e2c}@T1 1485863137 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bcb40ed0-b329-4de9-aaa2-3fb4c5c46e2c}@T2 1485895537 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bcb40ed0-b329-4de9-aaa2-3fb4c5c46e2c}@LeaseTerminatesTime 1485906337 Reg HKLM\SYSTEM\CurrentControlSet\Services\TPM@OsBootCount 104 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x51 0xDB 0xDE 0xF8 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x51 0x43 0xA3 0x5A ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x51 0x73 0x1A 0x97 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 16476 16482 16494 16504 16514 16534 16578 16588 16626 16632 16648 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 16654 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 16655 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 16476 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 16477 Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----