GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-04-26 21:41:31 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000044 ADATA_SP900NS38 rev.6.0.Ba 119,24GB Running: rmq2tm48.exe; Driver: C:\Users\Patrick\AppData\Local\Temp\awldrpow.sys ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [708:916] ffffa30e5ed36c20 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xFC 0x85 0x2E 0x85 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x7F 0x09 0xFC 0x4D ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0xFC 0x85 0x2E 0x85 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xAD 0xB7 0xD6 0xA3 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 63 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD046F0_00_07DE_92^64436E4E88F8976B47D503DD8EF385B5@Timestamp 0x1C 0xEE 0xBD 0xF2 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 912 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 2710547 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 34126650 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 64 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 502821015 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 80024 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 7becc472-c1f7-4b3c-b9b1-6515d85 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName Global\MMF_BITSda9e8f03-dc05-40e5-998a-58c9eac9ac25 Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\6807159260f7 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\6807159260f7@002268b8b8d9 0xC9 0x5E 0xF6 0x65 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\6807159260f7@203caec820e4 0x66 0xB8 0xBC 0xF5 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{43f01dca-00df-48d0-85b2-74ca091fccb9}@LastProbeTime 1493203142 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 11649 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 2773 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 62 Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 254 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1e6d2e78-ddd0-4259-9b19-89ba63f44dde}@LeaseObtainedTime 1493232282 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1e6d2e78-ddd0-4259-9b19-89ba63f44dde}@T1 1493234082 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1e6d2e78-ddd0-4259-9b19-89ba63f44dde}@T2 1493235432 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1e6d2e78-ddd0-4259-9b19-89ba63f44dde}@LeaseTerminatesTime 1493235882 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x91 0xBC 0xC0 0xBE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x91 0x24 0x85 0x20 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x91 0x54 0xFC 0x5C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\2@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\2@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\3@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\3@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\4@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\4@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\5@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\5@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\6@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\6@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\7@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\7@RwMask 0x64 0x62 0x03 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Package Installation@PackageListVersion 663 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\iexplore@Count 20 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\Creative@LockImageFlags 3 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds Microsoft.Office.WINWORD.EXE.15?{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe?windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel? Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@Microsoft.Office.WINWORD.EXE.15 0x16 0xD7 0x6F 0xF8 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe 0xBA 0xE8 0xD7 0xFB ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel 0x1B 0x6C 0xF2 0xF9 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{D2F1A471-BFC9-41E8-8A0C-0E393CD48272}@LastAccessedTime 0x00 0xB4 0x92 0x31 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{D2F1A471-BFC9-41E8-8A0C-0E393CD48272}@LaunchCount 4 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.2 ---- File C:\Windows\SoftwareDistribution\EventCache.v2\{03A6F68F-EBEA-4BB3-88F9-225B818264CB}.bin 3502 bytes ---- EOF - GMER 2.2 ----