GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-03-16 20:21:12
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000023 ST500LT012-1DG142 rev.0002LVM1 465,76GB
Running: gmer.exe; Driver: C:\Users\ukasz\AppData\Local\Temp\pxldapod.sys


---- Threads - GMER 2.2 ----

Thread  C:\Windows\system32\csrss.exe [616:652]  ffffe32f6a536c20

---- Services - GMER 2.2 ----

Service  C:\Windows\System32\qmgr.dll (*** hidden *** )  [MANUAL] BITS  <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  -11882638
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@DisplayName  @%SystemRoot%\system32\qmgr.dll,-1000
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@ErrorControl  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@ImagePath  %SystemRoot%\System32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@Type  32
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@Description  @%SystemRoot%\system32\qmgr.dll,-1001
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@DependOnService  RpcSs?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@ObjectName  LocalSystem
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@ServiceSidType  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@RequiredPrivileges  SeCreateGlobalPrivilege?SeImpersonatePrivilege?SeTcbPrivilege?SeAssignPrimaryTokenPrivilege?SeIncreaseQuotaPrivilege?SeDebugPrivilege?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@DelayedAutostart  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Parameters
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Parameters@ServiceDll  %SystemRoot%\System32\qmgr.dll
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Parameters@ServiceDllUnloadOnStop  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@Close  PerfMon_Close
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@Collect  PerfMon_Collect
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@Library  C:\Windows\System32\bitsperf.dll
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@Open  PerfMon_Open
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@InstallType  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfIniFile  bitsctrs.ini
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@First Counter  4698
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@Last Counter  4714
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@First Help  4699
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@Last Help  4715
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@Object List  4698
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Security@Security  0x01 0x00 0x14 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\b0c09095827c
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0x00 0x64 0xBF 0x79 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0x00 0xCC 0x83 0xDB ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0x00 0xFC 0xFA 0x17 ...

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----
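Added triage helper (not part of the GMER output above, and not GMER's own code): a small Python parser for this log format that pulls out the entries GMER itself flagged (the "*** hidden ***" / "<-- ROOTKIT" service and the "unknown MBR code" disk entry) and collects the registry values dumped for the flagged service, then compares its ImagePath and ServiceDll against the values a stock Windows install uses for BITS (svchost.exe -k netsvcs loading %SystemRoot%\System32\qmgr.dll). That baseline is my assumption, not something the log states. The embedded log is an excerpt of the scan above; the two-or-more-space column separation follows GMER's layout.

```python
"""Triage helper for GMER 2.x log output: extract flagged entries and the
registry values dumped for a flagged service, then compare a few of them
against an assumed baseline for a stock Windows BITS service."""
import re

# Excerpt of the GMER log above (taken from the page, not constructed).
# GMER separates columns with runs of two or more spaces.
GMER_LOG = r"""GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-03-16 20:21:12
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000023 ST500LT012-1DG142 rev.0002LVM1 465,76GB
Running: gmer.exe; Driver: C:\Users\ukasz\AppData\Local\Temp\pxldapod.sys

---- Threads - GMER 2.2 ----

Thread  C:\Windows\system32\csrss.exe [616:652]  ffffe32f6a536c20

---- Services - GMER 2.2 ----

Service  C:\Windows\System32\qmgr.dll (*** hidden *** )  [MANUAL] BITS  <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@DisplayName  @%SystemRoot%\system32\qmgr.dll,-1000
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@ImagePath  %SystemRoot%\System32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@ObjectName  LocalSystem
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Parameters@ServiceDll  %SystemRoot%\System32\qmgr.dll
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Parameters@ServiceDllUnloadOnStop  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0x00 0xFC 0xFA 0x17 ...

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----
"""

SECTION_RE = re.compile(r'^---- (.+?) - GMER [\d.]+ ----$')
# Markers GMER prints on entries it considers suspicious.
FLAG_MARKERS = ('*** hidden ***', '<-- ROOTKIT', 'unknown MBR code')

# Assumed baseline for a stock BITS service (not taken from the log).
# Keys are '<subkey relative to the service key>@<value name>'.
EXPECTED_BITS = {
    '@ImagePath': r'%SystemRoot%\System32\svchost.exe -k netsvcs',
    '\\Parameters@ServiceDll': r'%SystemRoot%\System32\qmgr.dll',
}


def parse_gmer(text):
    """Return one dict per scan entry: section, kind (Thread/Service/Reg/Disk),
    the column fields, and the raw line. Header lines before the first
    section banner and the EOF banner are skipped."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or section == 'EOF':
            continue
        kind, _, rest = line.partition(' ')
        fields = [f for f in re.split(r'\s{2,}', rest.strip()) if f]
        entries.append({'section': section, 'kind': kind, 'fields': fields, 'raw': line})
    return entries


def findings(entries):
    """Entries GMER itself marked as suspicious."""
    return [e for e in entries if any(mk in e['raw'] for mk in FLAG_MARKERS)]


def service_registry(entries, service):
    # Map 'subkey@value' -> data for every Reg value dumped under
    # HKLM\SYSTEM\CurrentControlSet\Services\<service> (keys without a value are skipped).
    prefix = 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\' + service
    values = {}
    for e in entries:
        if e['kind'] != 'Reg' or not e['fields']:
            continue
        key, sep, name = e['fields'][0].partition('@')
        if not sep or (key != prefix and not key.startswith(prefix + '\\')):
            continue
        values[key[len(prefix):] + '@' + name] = e['fields'][1] if len(e['fields']) > 1 else ''
    return values


def check_service_config(values, expected):
    """Return the expected entries whose dumped data is missing or differs
    (case-insensitive, as the registry is). An empty dict means all match."""
    return {k: values.get(k) for k, v in expected.items()
            if (values.get(k) or '').lower() != v.lower()}


if __name__ == '__main__':
    entries = parse_gmer(GMER_LOG)
    for f in findings(entries):
        print(f"[{f['section']}] {f['raw']}")
    bits = service_registry(entries, 'BITS')
    print('BITS values differing from baseline:', check_service_config(bits, EXPECTED_BITS) or 'none')
```

An empty mismatch dict only says the registry configuration in the dump is the stock one; it says nothing about whether the qmgr.dll on disk is the Microsoft-signed file, or what the "unknown MBR code" actually contains. Both have to be checked on the host itself (file signature and hash of C:\Windows\System32\qmgr.dll, and a raw read of sector 0 of \Device\Harddisk0\DR0 compared against a known-good boot sector), which the log alone cannot answer.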