GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-30 14:30:36
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002b SAMSUNG_HM321HI rev.2AJ10003 298,09GB
Running: z4j5ju38.exe; Driver: C:\Users\Mateusz\AppData\Local\Temp\pwryypow.sys


---- User code sections - GMER 2.1 ----

.text  C:\WINDOWS\system32\atiesrxx.exe[804] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007fff5336169a 4 bytes [36, 53, FF, 7F]
.text  C:\WINDOWS\system32\atiesrxx.exe[804] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007fff533616a2 4 bytes [36, 53, FF, 7F]
.text  C:\WINDOWS\system32\atiesrxx.exe[804] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007fff5336181a 4 bytes [36, 53, FF, 7F]
.text  C:\WINDOWS\system32\atiesrxx.exe[804] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007fff53361832 4 bytes [36, 53, FF, 7F]
.text  C:\WINDOWS\System32\svchost.exe[1396] c:\windows\system32\WSOCK32.dll!setsockopt + 194  00007fff499f1f6a 4 bytes [9F, 49, FF, 7F]
.text  C:\WINDOWS\System32\svchost.exe[1396] c:\windows\system32\WSOCK32.dll!setsockopt + 218  00007fff499f1f82 4 bytes [9F, 49, FF, 7F]
.text  C:\WINDOWS\System32\svchost.exe[1424] c:\windows\system32\WSOCK32.dll!setsockopt + 194  00007fff499f1f6a 4 bytes [9F, 49, FF, 7F]
.text  C:\WINDOWS\System32\svchost.exe[1424] c:\windows\system32\WSOCK32.dll!setsockopt + 218  00007fff499f1f82 4 bytes [9F, 49, FF, 7F]
.text  C:\Program Files\Windows Defender\MsMpEng.exe[1480] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 506  00007fff5336169a 4 bytes [36, 53, FF, 7F]
.text  C:\Program Files\Windows Defender\MsMpEng.exe[1480] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 514  00007fff533616a2 4 bytes [36, 53, FF, 7F]
.text  C:\Program Files\Windows Defender\MsMpEng.exe[1480] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 118  00007fff5336181a 4 bytes [36, 53, FF, 7F]
.text  C:\Program Files\Windows Defender\MsMpEng.exe[1480] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 142  00007fff53361832 4 bytes [36, 53, FF, 7F]
.text  C:\WINDOWS\system32\atieclxx.exe[2216] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007fff5336169a 4 bytes [36, 53, FF, 7F]
.text  C:\WINDOWS\system32\atieclxx.exe[2216] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007fff533616a2 4 bytes [36, 53, FF, 7F]
.text  C:\WINDOWS\system32\atieclxx.exe[2216] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007fff5336181a 4 bytes [36, 53, FF, 7F]
.text  C:\WINDOWS\system32\atieclxx.exe[2216] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007fff53361832 4 bytes [36, 53, FF, 7F]
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[2180] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194  00007fff499f1f6a 4 bytes [9F, 49, FF, 7F]
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[2180] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218  00007fff499f1f82 4 bytes [9F, 49, FF, 7F]

---- Threads - GMER 2.1 ----

Thread  C:\WINDOWS\system32\csrss.exe [504:532]  fffff96000982b90

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control@LastBootShutdown  0
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime  0x09 0xD6 0xF3 0x0E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime  0x87 0x9A 0xAB 0x3F ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime  0x09 0xD6 0xF3 0x0E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime  0x87 0x9A 0xAB 0x3F ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStopTime  0xD7 0x89 0x72 0x74 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL  123
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\CPT14C70_04_07DB_CB^5A4A124CFC8C230110C3A2D414DA6946@Timestamp  0x21 0x60 0x8B 0x45 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  572
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{A89F9577-8467-4CCB-8BE0-D63BD600A62E}\Connection@Name  Reusable ISATAP Interface {A89F9577-8467-4CCB-8BE0-D63BD600A62E}
Reg  HKLM\SYSTEM\CurrentControlSet\Control\PnP@DisableLKG  1
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber  3900105
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  1075835357
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId  128
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime  438802731
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime  19698
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID  ea1e9555-bfbe-432c-a2e8-54ca5b1
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId  2
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications\Components\TrustedInstaller@Events  CreateSession
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\acpiex\Parameters\Wdf@TimeOfLastSqmLog  0x01 0xE1 0xAE 0x38 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\cdrom\Parameters\Wdf@TimeOfLastSqmLog  0x5C 0xF6 0x9C 0x3E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters\Wdf@TimeOfLastSqmLog  0x0D 0x49 0x2F 0x3E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{28b54380-bdf4-4143-b947-6b9223d19e92}@LastProbeTime  1427648434
Reg  HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters\Wdf@TimeOfLastSqmLog  0x0E 0x5C 0x42 0x3E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\intelppm\Parameters\Wdf@TimeOfLastSqmLog  0x04 0xBB 0xA1 0x3E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{A89F9577-8467-4CCB-8BE0-D63BD600A62E}@InterfaceName  Reusable ISATAP Interface {A89F9577-8467-4CCB-8BE0-D63BD600A62E}
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{A89F9577-8467-4CCB-8BE0-D63BD600A62E}@ReusableType  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\98-f5-37-30-87-7c@AddressCreationTimestamp  0x8C 0xAA 0x29 0x0B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\98-f5-37-30-87-7c@UPnPState  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\98-f5-37-30-87-7c@ClientLocalPort  52366
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\98-f5-37-30-87-7c@TeredoAddress  2001:0:5ef5:79fd:1c10:bb8c:ace5:d07f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\msisadrv\Parameters\Wdf@TimeOfLastSqmLog  0xCC 0xCB 0xD9 0x38 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf@TimeOfLastSqmLog  0x63 0x30 0xB7 0x3E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PEAUTH\Parameters\Wdf@TimeOfLastSqmLog  0x28 0x54 0x49 0x4B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime  ?Pn?, ?mar ?30 ?15, 12:09:05??????U???????U???????????????U????
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  8811
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  4224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-Out  v2.22|Action=Allow|Active=FALSE|Dir=Out|Protocol=17|Profile=Private|RPort=3540|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|Name=@%systemroot%\system32\provsvc.dll,-207|Desc=@%systemroot%\system32\provsvc.dll,-208|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence  125
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C52A8D7B-7D05-4416-B22C-4F393CE853B7}@LeaseObtainedTime  1427704021
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C52A8D7B-7D05-4416-B22C-4F393CE853B7}@T1  1427747221
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C52A8D7B-7D05-4416-B22C-4F393CE853B7}@T2  1427779621
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C52A8D7B-7D05-4416-B22C-4F393CE853B7}@LeaseTerminatesTime  1427790421
Reg  HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller
Reg  HKLM\SYSTEM\CurrentControlSet\Services\umbus\Parameters\Wdf@TimeOfLastSqmLog  0x0D 0x49 0x2F 0x3E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\vdrvroot\Parameters\Wdf@TimeOfLastSqmLog  0xFA 0x51 0xF3 0x38 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\vwifibus\Parameters\Wdf@TimeOfLastSqmLog  0x06 0x95 0x7B 0x3E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop  0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband@FavoritesRemovedChanges  8
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Store@LastTileRefresh  0xC9 0xEC 0xC3 0x20 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Store\RefreshBannedAppList@BannedAppsLastModified  0x00 0x78 0xF3 0x5C ...
Reg  HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation  C:\Users\Mateusz\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppHang_explorer.exe_318a6b8a41f61d2c233495836736a273692818_5c1a5825_076bbeea

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.1 ----
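Triage note and added example (this is editor-supplied Python, not GMER output and not GMER's own code). Every "User code sections" entry above is a 4-byte change deep inside an exported function, and in each case the four bytes read little-endian equal the upper 32 bits of the address they sit at (for example [36, 53, FF, 7F] is 0x7fff5336, and the entry sits at 0x00007fff5336169a). That is the shape of an absolute pointer into the DLL's own image that the loader fixed up after ASLR relocated the module; it is not a jump to foreign code. A real inline hook shows up as a call/jmp/push or a mov rax,imm64 at or near the export, or as a "N bytes JMP <addr>" entry. The "unknown MBR code" line only says GMER could not match the boot code against what it knows, so it needs the sector dumped and compared with a known-good MBR before anything is concluded. The script below parses entries of this log's format and applies those two rules. The classification rules are heuristics chosen by the editor, and the final ".text ... JMP" line in the sample is a constructed entry with a hypothetical process, module and addresses, included only to exercise the hook branch.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One GMER 2.1 "User code sections" entry. The process path may contain spaces,
# so it is matched lazily up to the "[pid]" token; "+ offset" is optional because
# GMER omits it for patches that start at the export itself.
_ENTRY = re.compile(
    r"^\.text\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+"
    r"(?P<module>.+?)!(?P<func>\w+)(?:\s*\+\s*(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]+)\s+(?P<n>\d+)\s+bytes\s+(?P<rest>.*)$"
)


@dataclass
class Entry:
    process: str
    pid: int
    module: str
    func: str
    offset: int
    addr: int
    size: int
    patch: Optional[bytes]   # bytes GMER saw in memory, when it lists them
    jump_to: Optional[int]   # target when GMER prints "JMP <addr>" instead


def parse_entry(line: str) -> Optional[Entry]:
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    patch = jump_to = None
    if rest.startswith("["):
        patch = bytes(int(b, 16) for b in rest.strip("[]").split(","))
    elif rest.upper().startswith("JMP"):
        jump_to = int(rest.split()[1], 16)
    return Entry(m.group("proc"), int(m.group("pid")), m.group("module"),
                 m.group("func"), int(m.group("off") or 0),
                 int(m.group("addr"), 16), int(m.group("n")), patch, jump_to)


def classify(e: Entry) -> str:
    """'relocation' for the x64 pointer-fixup artefact, 'hook' for the shapes an
    inline hook leaves behind, 'review' when neither editor-chosen rule fires."""
    if e.jump_to is not None:
        return "hook"
    if e.patch is not None and len(e.patch) == 4:
        # The four bytes, read little-endian, equal bits 16..47 of the address
        # they sit at: a pointer into the DLL's own image that the loader fixed
        # up after ASLR moved it, not a transfer to foreign code.
        if int.from_bytes(e.patch, "little") == (e.addr >> 16) & 0xFFFFFFFF:
            return "relocation"
    if e.patch and (e.patch[0] in (0xE8, 0xE9, 0x68, 0xFF)
                    or e.patch[:2] == b"\x48\xb8"):
        return "hook"   # call/jmp/push/mov rax,imm64: the usual detour opcodes
    return "review"


def triage(log_text: str):
    """Walk a GMER log. Returns (findings, counts): findings is a list of
    (verdict, line); counts maps each verdict to the number of lines."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is not None:
            findings.append((classify(e), line.strip()))
        elif line.startswith("Disk ") and "unknown MBR code" in line:
            # GMER could not match the boot code; dump sector 0 and diff it
            # against a known-good MBR before calling it a bootkit.
            findings.append(("mbr", line.strip()))
    return findings, Counter(v for v, _ in findings)


# Four lines taken from the scan above, plus one constructed "JMP" entry
# (hypothetical process, module and addresses) to exercise the hook branch.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\atiesrxx.exe[804] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007fff5336169a 4 bytes [36, 53, FF, 7F]
.text C:\WINDOWS\system32\atiesrxx.exe[804] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007fff53361832 4 bytes [36, 53, FF, 7F]
.text C:\WINDOWS\System32\svchost.exe[1396] c:\windows\system32\WSOCK32.dll!setsockopt + 194 00007fff499f1f6a 4 bytes [9F, 49, FF, 7F]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1480] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 118 00007fff5336181a 4 bytes [36, 53, FF, 7F]
.text C:\WINDOWS\explorer.exe[1234] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryDirectoryFile 00007fff52a41b20 5 bytes JMP 0000000012340000
Disk \Device\Harddisk0\DR0 unknown MBR code
"""

if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG)
    for verdict, line in found:
        print(f"{verdict:10s} {line}")
    print(dict(counts))
```

Run against the full log above, every one of the eighteen .text entries comes back as "relocation" and the only item left for a human is the MBR line. The relocation rule is deliberately narrow (exactly four bytes, exact match of the high dword); anything it does not recognise stays "review" rather than being waved through.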