GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-02-04 12:34:10
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000034 Samsung_SSD_840_EVO_250GB rev.EXT0CB6Q 232,89GB
Running: 4h95imfh.exe; Driver: C:\Users\JORMUN~1\AppData\Local\Temp\kxtdafod.sys

---- Threads - GMER 2.2 ----

Thread C:\Windows\system32\csrss.exe [680:892] fffff960009c22d0

---- Services - GMER 2.2 ----

Service System32\Drivers\ElbyCDIO.sys (*** hidden *** ) [DISABLED] ElbyCDIO <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control@LastBootShutdown 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xB4 0x9B 0x53 0xAF ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xEC 0xE5 0x3A 0x37 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0xB4 0x9B 0x53 0xAF ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xEC 0xE5 0x3A 0x37 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 156
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\IVM61190_00_07DD_B7^33B6765CDF48697113B9FD95C7EFE541@Timestamp 0x32 0xB1 0x73 0xB0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 796
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 3900135
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 813012898
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 159
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 495994855
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 7328
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 5682
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 834ac490-83a1-47a5-a0e9-c597235
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Intel Application Pairing@FileCounter 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters@BootCounter 8
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14833731346402280@SetupOperations ???$?????$?%?%?%???????????????????????????????????????????????????????????????????$???$????? ???????$???????????$???????? ??????????????????????????$???/??Commited?y???$?$?$?$?$?$?$?$?????????????????????????????????E?????t?E???????$???????????????????????????$???E?????????????$?????%?&?&?&?&?'?'?'????????????????????????????????????????????????4???????????????? ???????$?????$?????$??????????P?(??????????????????7??NV???$?$?$?$?$?$?$?$?????????????s??t\???????????p??????oc????P??$???_????h29.??\SystemRoot\system32\drivers\aswSnx.sys?ys??64???????$???z??????????aswSnx?nzk????0??$??????p\??FSFilter Virtualization??????????$???\???????e??FltMgr???z????L??$???\?????nUs??avast! virtualization driver (aswSnx)???? ???????$?????$?????$?????????? ?????????s??????? ??$???????????e??aswSnx Instance??????$?????$???$????? ???????$???????????$???????????????????????e???????$???z??????137600???w???$?$????????????????s??????$????? ???????$???????????$??????????T??? ???????????? T??$??????????r???\??\C:\Program Files\AVAST
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14833731697182280@SetupOperations ???$?????%?&?&?&?&?'?'?'????????????????????????????????????????????????4???????????????? ???????$?????$?????$??????????P?(??????????????????7??NV???$?$?$?$?$?$?$?$?????????????s??t\???????????p??????oc????P??$???_????h29.??\SystemRoot\system32\drivers\aswSnx.sys?ys??64???????$???z??????????aswSnx?nzk????0??$??????p\??FSFilter Virtualization??????????$???\???????e??FltMgr???z????L??$???\?????nUs??avast! virtualization driver (aswSnx)???? ???????$?????$?????$?????????? ?????????s??????? ??$???????????e??aswSnx Instance??????$?????$???$????? ???????$???????????$???????????????????????e???????$???z??????137600???w???$?$????????????????s??????$????? ???????$???????????$??????????T??? ???????????? T??$??????????r???\??\C:\Program Files\AVAST Software\Avast????$?$????? P??$???????????????$???$??????????????\??\C:\ProgramData\AVAST Software\Avast?????? ???????$?????$?????$??????????N?)?????Pv???????????z???z???$?$?$?$?$?$?$?$?????????????M??t1???????????3??????MP????N??$???e????hRMU??\SystemRoot\system32\drivers\as
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{8c86bbc5-d5d9-4b8a-bbc7-1b6e55d6fb12}@LastProbeTime 1486209587
Reg HKLM\SYSTEM\CurrentControlSet\Services\ElbyCDIO
Reg HKLM\SYSTEM\CurrentControlSet\Services\ElbyCDIO@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ElbyCDIO@Start 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\ElbyCDIO@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ElbyCDIO@ImagePath System32\Drivers\ElbyCDIO.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ElbyCDIO@DisplayName ElbyCDIO Driver
Reg HKLM\SYSTEM\CurrentControlSet\Services\ElbyCDIO@WOW64 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ElbyCDIO@DeleteFlag 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ElbyCDIO
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 15007
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 5949
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 156
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{06DBDFFB-2CE6-44F3-B143-8C506855CCDC}@LeaseObtainedTime 1486205940
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{06DBDFFB-2CE6-44F3-B143-8C506855CCDC}@T1 -661277709
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{06DBDFFB-2CE6-44F3-B143-8C506855CCDC}@T2 2023076851
Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter 198
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{09e215fe-bd2d-11e4-8253-d8cb8a196d9e}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{09e215fe-bd2d-11e4-8253-d8cb8a196d9e}@Drive Type 1048593
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{09e215fe-bd2d-11e4-8253-d8cb8a196d9e}@IsImapiDataBurnSupported 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{09e215fe-bd2d-11e4-8253-d8cb8a196d9e}@Active 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications@MobileBroadbandLastResetDate 0x76 0xB6 0x79 0xCD ...

---- EOF - GMER 2.2 ----