GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-04-30 14:13:14
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002b CT250BX100SSD1 rev.MU02 232,89GB
Running: nzddh2gh.exe; Driver: C:\Users\Toshiba\AppData\Local\Temp\awldyuog.sys

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [540:592] ffff89e8c1536c20

---- Services - GMER 2.2 ----

Service C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys (*** hidden *** ) [MANUAL] MBAMSwissArmy <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xBC 0x52 0x31 0xA6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x33 0x2B 0x4B 0x21 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0xA3 0xDB 0x31 0xA6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x33 0x2B 0x4B 0x21 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 53
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD02DC0_00_07DA_79^43DE932A75FD237B0BDE555D6E837849@Timestamp 0xCD 0xD3 0x82 0xA6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 784
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 1090673
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1841131680
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 53
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 503169200
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 4141
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 9f4b5469-9cf4-4d1c-ad49-3f6e18f
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName Global\MMF_BITSb8d7b4a6-6ab2-49e9-90db-124c182547b2
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\b4749fe08589
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{bedabc4c-451a-451b-9949-99b3be05c946}@LastProbeTime 1493559686
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{8168DF15-DE72-4B6D-BF3E-CDB3BBA9AB2D}@InterfaceName Reusable ISATAP Interface {8168DF15-DE72-4B6D-BF3E-CDB3BBA9AB2D}
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{8168DF15-DE72-4B6D-BF3E-CDB3BBA9AB2D}@ReusableType 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\24-20-c7-eb-62-ba@AddressCreationTimestamp 0x8D 0x5E 0x16 0x0F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Tag 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@ImagePath \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@DisplayName MBAMSwissArmy
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Group FSFilter Activity Monitor
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances@DefaultInstance MBAMSwissArmy Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances\MBAMSwissArmy Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances\MBAMSwissArmy Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 10159
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 3013
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 52
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{db45cf9f-7712-4a06-aad3-77262784e5db}@LeaseObtainedTime 1493552486
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{db45cf9f-7712-4a06-aad3-77262784e5db}@T1 1493595686
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{db45cf9f-7712-4a06-aad3-77262784e5db}@T2 1493628086
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{db45cf9f-7712-4a06-aad3-77262784e5db}@LeaseTerminatesTime 1493638886
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{db45cf9f-7712-4a06-aad3-77262784e5db}@Dhcpv6InformationObtainedTime 1493552472
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xDD 0x37 0x43 0xAB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xDD 0x9F 0x07 0x0D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xDD 0xCF 0x7E 0x49 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications@MobileBroadbandLastResetDate 0xE8 0xF1 0x39 0xAA ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\8855aa5f@NotificationsCount 3
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ee3af504@NotificationsCount 5
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{22799E79-6B9A-4CEE-B35D-A471957619F4}@LastAccessedTime 0xE0 0xBA 0x47 0xB5 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{22799E79-6B9A-4CEE-B35D-A471957619F4}@LaunchCount 5
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{270467FB-9858-4076-AC97-D9A22E36F18B}@LastAccessedTime 0x00 0x8F 0xCB 0xCD ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{270467FB-9858-4076-AC97-D9A22E36F18B}@LaunchCount 1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{72234E0C-BC10-47C2-B6B2-204AAB93DCE9}@LastAccessedTime 0x60 0x83 0xBC 0x19 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{72234E0C-BC10-47C2-B6B2-204AAB93DCE9}@LaunchCount 2
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{72234E0C-BC10-47C2-B6B2-204AAB93DCE9}\RecentItems\{AB461287-FAFC-4863-A70F-2FBEABCD4B77}
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{72234E0C-BC10-47C2-B6B2-204AAB93DCE9}\RecentItems\{AB461287-FAFC-4863-A70F-2FBEABCD4B77}@Type 0
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{72234E0C-BC10-47C2-B6B2-204AAB93DCE9}\RecentItems\{AB461287-FAFC-4863-A70F-2FBEABCD4B77}@Path C:\Program Files (x86)\Simon and Schuster\Real War Rogue States\readme.txt
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{72234E0C-BC10-47C2-B6B2-204AAB93DCE9}\RecentItems\{AB461287-FAFC-4863-A70F-2FBEABCD4B77}@DisplayName readme
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{72234E0C-BC10-47C2-B6B2-204AAB93DCE9}\RecentItems\{AB461287-FAFC-4863-A70F-2FBEABCD4B77}@LastAccessedTime 0x00 0x00 0x00 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{72234E0C-BC10-47C2-B6B2-204AAB93DCE9}\RecentItems\{AB461287-FAFC-4863-A70F-2FBEABCD4B77}@Points 0x00 0x00 0x00 0x00

---- EOF - GMER 2.2 ----