GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-03-14 18:40:35 Windows 6.2.9200 x64 \Device\Harddisk1\DR1 -> \Device\00000032 SanDisk_SDSSDHP256G rev.X2306RL 238,47GB Running: i7k56fds.exe; Driver: C:\Users\ja\AppData\Local\Temp\uwldrpow.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\system32\apphelp.dll [3984] entry point in ".rdata" section 000000007441f7c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [3984] entry point in ".rdata" section 0000000073a81590 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [3984] entry point in ".rdata" section 000000007066a020 ? C:\WINDOWS\SYSTEM32\atlthunk.dll [3984] entry point in ".data" section 000000006f874290 ? C:\Windows\System32\ActXPrxy.dll [3984] entry point in ".rdata" section 000000006b059c50 ? C:\Windows\System32\smartscreenps.dll [3984] entry point in ".rdata" section 000000006b5d58a0 ? C:\WINDOWS\system32\apphelp.dll [4004] entry point in ".rdata" section 000000007441f7c0 ? C:\WINDOWS\system32\apphelp.dll [2512] entry point in ".rdata" section 000000007441f7c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [2512] entry point in ".rdata" section 0000000073a81590 ? C:\WINDOWS\system32\apphelp.dll [380] entry point in ".rdata" section 000000007441f7c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [380] entry point in ".rdata" section 0000000073a81590 ? C:\WINDOWS\system32\apphelp.dll [2556] entry point in ".rdata" section 000000007441f7c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [2556] entry point in ".rdata" section 0000000073a81590 ? C:\WINDOWS\system32\apphelp.dll [2196] entry point in ".rdata" section 000000007441f7c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [2196] entry point in ".rdata" section 0000000073a81590 ? C:\WINDOWS\system32\apphelp.dll [84] entry point in ".rdata" section 000000007441f7c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [84] entry point in ".rdata" section 0000000073a81590 ? C:\WINDOWS\system32\apphelp.dll [1796] entry point in ".rdata" section 000000007441f7c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [1796] entry point in ".rdata" section 0000000073a81590 ? C:\WINDOWS\system32\apphelp.dll [3268] entry point in ".rdata" section 000000007441f7c0 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [548:652] fffff597f9e76c20 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\MSBDD_NOEDID_1414_008D_FFFFFFFF_FFFFFFFF_0^CC77560BC3634A486857716562968286@Timestamp 0x6E 0x18 0x15 0x81 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 644 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@BootExecute autocheck autochk *?bootdelete? Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 2710744 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -189418174 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 120 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 499205509 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 7993 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 7284 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 089b39af-08b8-4aa8-9a47-39bd6d8 Reg HKLM\SYSTEM\CurrentControlSet\Control\Windows@ShutdownStopTimePerfCounter 0x63 0x5E 0x61 0xA2 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\amdsbs\Parameters\Device-1@RaidCount 14 Reg HKLM\SYSTEM\CurrentControlSet\Services\cdrom\Parameters\Wdf@TimeOfLastTelemetryLog 0xB1 0x35 0xAB 0x50 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x9F 0x86 0x7B 0x50 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{5fa3c75e-bc45-492c-a0ee-1e56676decda}@LastProbeTime 1489497312 Reg HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters\Wdf@TimeOfLastTelemetryLog 0xCF 0xFB 0x90 0x50 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\hitmanpro37@Start 4 Reg HKLM\SYSTEM\CurrentControlSet\Services\hitmanpro37@DeleteFlag 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\hitmanpro37 Reg HKLM\SYSTEM\CurrentControlSet\Services\HitmanPro37CrusaderBoot Reg HKLM\SYSTEM\CurrentControlSet\Services\HitmanPro37CrusaderBoot@Type 16 Reg HKLM\SYSTEM\CurrentControlSet\Services\HitmanPro37CrusaderBoot@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\HitmanPro37CrusaderBoot@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\HitmanPro37CrusaderBoot@ImagePath "C:\Users\ja\Desktop\hitmanpro_x64.exe" /crusader:boot Reg HKLM\SYSTEM\CurrentControlSet\Services\HitmanPro37CrusaderBoot@DisplayName HitmanPro 3.7 Crusader (Boot) Reg HKLM\SYSTEM\CurrentControlSet\Services\HitmanPro37CrusaderBoot@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\Services\HitmanPro37CrusaderBoot@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\Services\HitmanPro37CrusaderBoot Reg HKLM\SYSTEM\CurrentControlSet\Services\msisadrv\Parameters\Wdf@TimeOfLastTelemetryLog 0x98 0x91 0xDD 0x4D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf@TimeOfLastTelemetryLog 0xA8 0x96 0xCC 0x50 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 7212 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 1625 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4d84b5f9-9025-4be3-b8a4-4cacf8edd52f}@LeaseObtainedTime 1489494874 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4d84b5f9-9025-4be3-b8a4-4cacf8edd52f}@T1 1489797274 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4d84b5f9-9025-4be3-b8a4-4cacf8edd52f}@T2 1490024074 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4d84b5f9-9025-4be3-b8a4-4cacf8edd52f}@LeaseTerminatesTime 1490099674 Reg HKLM\SYSTEM\CurrentControlSet\Services\umbus\Parameters\Wdf@TimeOfLastTelemetryLog 0x9F 0x86 0x7B 0x50 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters\Wdf@TimeOfLastTelemetryLog 0x38 0xA5 0xF6 0x50 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters\Wdf@TimeOfLastTelemetryLog 0xE0 0x22 0x98 0x50 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrvroot\Parameters\Wdf@TimeOfLastTelemetryLog 0x6F 0xCB 0xF7 0x4D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\vwifibus\Parameters\Wdf@TimeOfLastTelemetryLog 0x23 0x01 0x88 0x54 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x8F 0xC7 0x17 0xF3 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x8F 0x2F 0xDC 0x54 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x8F 0x5F 0x53 0x91 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 37062 37068 37078 37088 37108 37152 37162 37200 37206 37222 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 37228 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 37229 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 37062 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 37063 Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask 0x64 0x62 0x03 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@OperaSoftware.OperaWebBrowser.1470309303 0x2A 0xB4 0xDF 0x02 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel 0xC4 0xEB 0x1B 0x85 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{C087ADC3-7494-4C6E-A1B7-CD933C3FF2D5}@LastAccessedTime 0x10 0x76 0x92 0x4C ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{C087ADC3-7494-4C6E-A1B7-CD933C3FF2D5}@LaunchCount 4 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{FF47CDBA-663B-4AC6-B456-C48CBFB0DB09}@LastAccessedTime 0xE0 0xCD 0xCF 0x01 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{FF47CDBA-663B-4AC6-B456-C48CBFB0DB09}@LaunchCount 12 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance@MessageTime 0x21 0x0B 0x84 0xE9 ... ---- EOF - GMER 2.2 ----