GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-03-26 11:38:09 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000031 ST750LM022_HN-M750MBB rev.2AR20002 698,64GB Running: t9ihd8dm.exe; Driver: C:\Users\Ola\AppData\Local\Temp\pgrirpob.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff960000d3900 15 bytes [00, 16, EC, 01, 80, 20, 6A, ...] .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16 fffff960000d3910 11 bytes [00, CC, FB, FF, 40, 14, C0, ...] ---- User code sections - GMER 2.2 ---- .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffe34e43e10 7 bytes JMP 00007ffe324a0260 .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffe34e43e20 7 bytes JMP 00007ffe324a0298 .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffe34ef39b0 7 bytes JMP 00007ffe324a0340 .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffe34ef3ef0 7 bytes JMP 00007ffe324a02d0 .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffe34ef3fe0 7 bytes JMP 00007ffe324a0308 .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffe34f206c0 7 bytes JMP 00007ffe324a01f0 .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffe34f20730 7 bytes JMP 00007ffe324a0228 .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffe324b21d0 5 bytes JMP 00007ffe324a0180 .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffe324b29d0 7 bytes JMP 00007ffe324a00d8 .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffe324b4310 5 bytes JMP 00007ffe324a0110 .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffe324b8c40 5 bytes JMP 00007ffe324a0148 .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffe3252eb80 5 bytes JMP 00007ffe324a01b8 .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffe330c6d80 10 bytes JMP 00007ffe324a0458 .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffe330d55c0 5 bytes JMP 00007ffe324a03e8 .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffe330d5680 9 bytes JMP 00007ffe324a0378 .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffe330d5850 5 bytes JMP 00007ffe324a0420 .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffe330db080 5 bytes JMP 00007ffe324a03b0 .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffe35031500 1 byte JMP 00007ffe324a0490 .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffe35031502 6 bytes {JMP 0xfffffffffd46ef90} .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffe35031750 8 bytes JMP 00007ffe324a04c8 .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory 00007ffe301e7750 5 bytes JMP 00007ffe301d00d8 .text C:\WINDOWS\system32\dwm.exe[304] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 00007ffe301e8ee0 5 bytes JMP 00007ffe301d0110 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [720:744] fffff9600095a2d0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xCB 0xD0 0x98 0xF0 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xB3 0xD0 0xA4 0xD2 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0xAC 0xF7 0x9F 0xF0 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x21 0x33 0xA7 0xD2 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 22 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD03DB0_00_07DC_06^A46D66EB7749E5DBEECD770FEA1B3C20@Timestamp 0x76 0x41 0xF9 0xF0 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 824 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 4523330 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -1256180472 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 25 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 500200980 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 1918 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 1607 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 7078ca03-966a-496e-8186-d4e5bab Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\aswbidsh\Parameters@Reboot 7 Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters@BootCounter 6 Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14904191471252288@SetupOperations ???&?&???????????????????????????&???????????????????????????=???!???????&???????????s???'?'?'?'?&?&?&?&?????????????&??? ???????%?????&?????&??????????`?(? ???????r???? ???????&???????????&??????????T??? ????????s?????&????? T??&???p??????rf??\??\C:\Program Files\AVAST Software\Avast???? P??&???"?????:\p??\??\C:\ProgramData\AVAST Software\Avast?ex???&?&E)??? ???????%?????&?????&??????????V?)?????????? ???????&???????????&??????????T??? ???????\c?????&????? T??&???s??????ra??\??\C:\Program Files\AVAST Software\Avast???? P??&???m?????s\a??\??\C:\ProgramData\AVAST Software\Avast?1"???&?&????? ???????%?????&?????&??????????T?*??????g??? ???????&???????????&??????????x??? ??????oft?????&????? T??&???s??????r5??\??\C:\Program Files\AVAST Software\Avast???? P??&???p?????l.s??\??\C:\ProgramData\AVAST Software\Avast????????&??????X??&??????????\??\C:\ProgramData\AVAST Software\Avast\log???????X??&???????????1??\??\C:\ProgramData\AVAST Software\Avast\cfg??????&?&?&?&?&??? x??&??????????s???\Device\AvaswIDSErHr?\Devic Reg HKLM\SYSTEM\CurrentControlSet\Services\BTATH_RCP\Parameters@Tg-High -16383 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTATH_RCP\Parameters@Tg-Low -1884096160 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\240a647e630c Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\240a647e630c@8463d65b46ac 0xA0 0xD4 0x41 0x3E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0000 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0000@BackupContext 0x02 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0000@Bluetooth_UniqueID {00000000-0000-0000-0000-000000000000}#8463D65B46AC_00000000 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0000@ConnectionCount 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0001 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0001@BackupContext 0x02 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0001@Bluetooth_UniqueID {00000000-0000-0000-0000-000000000000}#0026687FA875_00000000 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0001@ConnectionCount 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0002 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0002@BackupContext 0x02 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0002@Bluetooth_UniqueID {00000000-0000-0000-0000-000000000000}#10683FDD4E75_00000000 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0002@ConnectionCount 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0004 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0004@BackupContext 0x02 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0004@Bluetooth_UniqueID {00000000-0000-0000-0000-000000000000}#F05B7BBD0E87_00000000 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0004@ConnectionCount 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0007 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0007@BackupContext 0x02 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0007@Bluetooth_UniqueID {00000000-0000-0000-0000-000000000000}#D875331EE2D6_00000000 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0007@ConnectionCount 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0008 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0008@BackupContext 0x02 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0008@Bluetooth_UniqueID {00001200-0000-1000-8000-00805f9b34fb}#8463D65B46AC_C00000000 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0008@ConnectionCount 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0010 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0010@BackupContext 0x02 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0010@Bluetooth_UniqueID {00001000-0000-1000-8000-00805f9b34fb}#D875331EE2D6_C00000000 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0010@ConnectionCount 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0011 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0011@BackupContext 0x02 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0011@Bluetooth_UniqueID {00001000-0000-1000-8000-00805f9b34fb}#8463D65B46AC_C00000000 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0011@ConnectionCount 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\bthserv\Parameters\BluetoothControlPanelTasks@State 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{e9670f95-c998-4faf-bfb2-2bc18758dbec}@LastProbeTime 1490520284 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?N?, ?mar ?26 ?17, 10:33:25???????i???????i???????????????i???? Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 2150 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 1706 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 24 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1305B9C7-EAE6-4C5B-9AD1-5F72DDF7D8B8}@LeaseObtainedTime 1490513256 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1305B9C7-EAE6-4C5B-9AD1-5F72DDF7D8B8}@T1 1490556456 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1305B9C7-EAE6-4C5B-9AD1-5F72DDF7D8B8}@T2 1490588856 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1305B9C7-EAE6-4C5B-9AD1-5F72DDF7D8B8}@LeaseTerminatesTime 1490599656 Reg HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient@SpecialPollTimeRemaining time.windows.com,7d43d75??????????? Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----