GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-03-06 13:28:13
Windows 6.2.9200 x64 \Device\Harddisk1\DR1 -> \Device\00000033 SanDisk_SSD_U100_64GB rev.10.56.00 59,63GB
Running: soq140x5.exe; Driver: C:\Users\Wojciech\AppData\Local\Temp\uxldipow.sys

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [632:3976]  fffffeacfa226c20

---- Registry - GMER 2.2 ----

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk1\DR1  unknown MBR code

---- EOF - GMER 2.2 ----