GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-05-28 15:14:35
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000038 PLEXTOR_PX-256M6S rev.1.03 238,47GB
Running: 1l1yuglw.exe; Driver: C:\Users\SAWOMI~1\AppData\Local\Temp\uxrdypod.sys

---- Kernel code sections - GMER 2.2 ----

.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000084a00 15 bytes [00, 31, EF, 01, 00, 36, 6A, ...]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 16 fffff96000084a10 11 bytes [00, E4, FB, FF, C0, 4B, E6, ...]

---- User code sections - GMER 2.2 ----

.text C:\Windows\Explorer.EXE[4548] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007fff67c5b0a0 5 bytes JMP 00007fff50ad26d4

---- Threads - GMER 2.2 ----

Thread C:\Windows\system32\csrss.exe [644:4336] fffff960009892d0
Thread C:\Windows\SYSTEM32\ntdll.dll [7296:7300] 00000000012c6def
Thread C:\Windows\SYSTEM32\ntdll.dll [7296:7560] 000000000126db20
Thread C:\Windows\SYSTEM32\ntdll.dll [4000:4012] 000000000040db7e
Thread C:\Windows\SYSTEM32\ntdll.dll [4000:9968] 00000000699ac200
Thread C:\Windows\SYSTEM32\ntdll.dll [4000:5028] 00000000595b97a0
Thread C:\Windows\SYSTEM32\ntdll.dll [4000:10068] 0000000074123730
Thread C:\Windows\SYSTEM32\ntdll.dll [4000:7868] 00000000595b97a0
Thread C:\Windows\SYSTEM32\ntdll.dll [4000:3536] 00000000596559e0
Thread C:\Windows\SYSTEM32\ntdll.dll [4000:8320] 00000000595b97a0

---- Services - GMER 2.2 ----

Service C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe (*** hidden *** ) [MANUAL] Disc Soft Lite Bus Service <-- ROOTKIT !!!
Service C:\Program Files (x86)\Tencent\QQPCMGR\QQRepair1815 (*** hidden *** ) [AUTO] QQRepair1815 <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xE9 0x3C 0xFD 0x28 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xDA 0xC6 0xEA 0xC6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0xE9 0x3C 0xFD 0x28 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xDA 0xC6 0xEA 0xC6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 90
Reg HKLM\SYSTEM\CurrentControlSet\Control\CrashControl@LastCrashTime 0xEC 0x66 0x25 0x31 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD02590_00_07D9_3C^0EC0B024E1FEEFC669A5DC8644BDB0B4@Timestamp 0xAF 0x1F 0x9E 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 716
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\ProgramData\Tencent\QQPCMgr\TAVWfsDB\zfile_20160511.1462914648.md5.zip??\??\C:\Users\All Users\svchost.exe_old??
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 3900094
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 1941264833
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 114
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 474737482
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 5230
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 5199
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID c703fa20-f908-483f-bc63-42baf4f
Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{a5a364e1-e06e-4e4b-af7d-8dbf400635cb}
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\303a64608631
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\303a64608631@d087e2386cb4 0x56 0xA4 0x3C 0x1B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\a08869106c1e
Reg HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service
Reg HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@Type 16
Reg HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@ImagePath "C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe"
Reg HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@DisplayName Disc Soft Lite Bus Service
Reg HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@DependOnService RPCSS?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{bf318b6c-a166-4a0f-80ea-05b48c7322b1}@LastProbeTime 1464445602
Reg HKLM\SYSTEM\CurrentControlSet\Services\QQRepair1815
Reg HKLM\SYSTEM\CurrentControlSet\Services\QQRepair1815@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\QQRepair1815@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\QQRepair1815@Type 16
Reg HKLM\SYSTEM\CurrentControlSet\Services\QQRepair1815@ImagePath "C:\Program Files (x86)\Tencent\QQPCMGR\QQRepair1815"?
Reg HKLM\SYSTEM\CurrentControlSet\Services\QQRepair1815@Group COM Infrastructure
Reg HKLM\SYSTEM\CurrentControlSet\Services\QQRepair1815@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\QQRepair1815
Reg HKLM\SYSTEM\CurrentControlSet\Services\SDScannerService@ServiceWebPortFirewallActive 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 34496
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 13163
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 112
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8ECBBD86-6408-460D-8A30-F95E4F007866}@LeaseObtainedTime 1464439622
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8ECBBD86-6408-460D-8A30-F95E4F007866}@T1 1464441422
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8ECBBD86-6408-460D-8A30-F95E4F007866}@T2 1464442772
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8ECBBD86-6408-460D-8A30-F95E4F007866}@LeaseTerminatesTime 1464443222
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cue\OpenWithProgids@DAEMON.Tools.Lite
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cue\UserChoice
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso\OpenWithProgids@DAEMON.Tools.Lite
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso\UserChoice
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mdf\OpenWithProgids@DAEMON.Tools.Lite
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mdf\UserChoice
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mdf\UserChoice@Hash y52p/LcypBo=
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mdf\UserChoice@ProgId DAEMON.Tools.Lite
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nrg\OpenWithProgids@DAEMON.Tools.Lite
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nrg\UserChoice
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nrg\UserChoice@Hash zdBJFseHq2s=
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nrg\UserChoice@ProgId DAEMON.Tools.Lite
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList@MRUList acb
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\DirtyLocalCollections@windows-theme 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@CloudSettingsDirtyMarks 2185
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@CloudUsertileDirtyMarks 2185
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@PolicyDocumentLastRefresh 0x8A 0x93 0x9E 0xDA ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsBandwidthBucketCounter 243927
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter 9510
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0x76 0xF1 0xE5 0xFC ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0x76 0xF1 0xE5 0xFC ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherBandwidthBucketCounter 68876
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherRequestBucketCounter 19559
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0x76 0xF1 0xE5 0xFC ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter 317356
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter 30057
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0x76 0xF1 0xE5 0xFC ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime 0xCC 0xA1 0xF0 0xFC ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@DAEMON Tools Lite Automount "C:\Program Files\DAEMON Tools Lite\DTAgent.exe" -autorun
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations 2259
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\browsersettings\favoriteurls-internet-explorer@PendingOperations 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\browsersettings\servicepoweredqsa-internet-explorer@PendingOperations 8
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\browsersettings\tabroaming-internet-explorer@PendingOperations 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\browsersettings\typedurls-internet-explorer@PendingOperations 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\browsersettings\wininet-internet-explorer@PendingOperations 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\explorer@PendingOperations 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\mouse@PendingOperations 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\openwith@PendingOperations 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\slideshow@PendingOperations 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\StartLayout@PendingOperations 9
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\theme@PendingOperations 0
Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_UnhandledExcepti_a43ca91f2e45aefbdee01da9dd04ec8f55a9d4a_00000000_cab_1a478be0

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- Files - GMER 2.2 ----

File C:\Program Files (x86)\Tencent\QQPCMgr\11.5.17490.219\QQPCHardware.dll (size mismatch) 361664/354656 bytes executable
File C:\Program Files (x86)\Tencent\QQPCMgr\11.5.17490.219\QMTrayPlugin\qmavtrayplugin\QMAVTrayPlugin.dll (size mismatch) 816320/805216 bytes executable
File C:\Program Files (x86)\Tencent\QQPCMgr\11.5.17490.219\QMHIPSHeart.dll (size mismatch) 210112/214208 bytes executable

---- EOF - GMER 2.2 ----
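A triage parser for the log format above, added here as a worked example; it is not part of the posted log and not GMER's own code. It walks the scan section by section, keeps only the entries that are actual findings (kernel code patches, user-mode inline hooks, hidden services, unknown MBR code, file size mismatches), ignores the registry snapshot except for the Services\<name>@ImagePath values, and cross-checks each hidden service's on-disk binary against that ImagePath. The sample input is a subset of the lines from the log above; the triage ranking, the Finding/Report types and every function name are this example's own assumptions.

```python
"""Triage parser for a GMER 2.2 rootkit-scan log (added example; not GMER's own code)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Sample input: a subset of the lines from the GMER log above (the sections that carry
# findings, plus the two Services\...@ImagePath registry values used by the cross-check).
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 2.2 ----
.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000084a00 15 bytes [00, 31, EF, 01, 00, 36, 6A, ...]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 16 fffff96000084a10 11 bytes [00, E4, FB, FF, C0, 4B, E6, ...]
---- User code sections - GMER 2.2 ----
.text C:\Windows\Explorer.EXE[4548] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007fff67c5b0a0 5 bytes JMP 00007fff50ad26d4
---- Services - GMER 2.2 ----
Service C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe (*** hidden *** ) [MANUAL] Disc Soft Lite Bus Service <-- ROOTKIT !!!
Service C:\Program Files (x86)\Tencent\QQPCMGR\QQRepair1815 (*** hidden *** ) [AUTO] QQRepair1815 <-- ROOTKIT !!!
---- Registry - GMER 2.2 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@ImagePath "C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe"
Reg HKLM\SYSTEM\CurrentControlSet\Services\QQRepair1815@ImagePath "C:\Program Files (x86)\Tencent\QQPCMGR\QQRepair1815"?
---- Disk sectors - GMER 2.2 ----
Disk \Device\Harddisk0\DR0 unknown MBR code
---- Files - GMER 2.2 ----
File C:\Program Files (x86)\Tencent\QQPCMgr\11.5.17490.219\QQPCHardware.dll (size mismatch) 361664/354656 bytes executable
---- EOF - GMER 2.2 ----
"""

# One regex per GMER line shape that is a finding. Section headers decide which one applies.
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
KERNEL_RE = re.compile(r"^\.text\s+(?P<mod>\S+)!(?P<sym>.+?)\s+(?P<addr>[0-9a-f]{8,16})\s+(?P<n>\d+) bytes\s+(?P<patch>.+)$")
USER_RE = re.compile(r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>\S+)!(?P<func>\S+)\s+(?P<addr>[0-9a-f]{8,16})\s+(?P<n>\d+) bytes\s+(?P<patch>.+)$")
SERVICE_RE = re.compile(r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>.+?)\s*(?P<tag><-- ROOTKIT !!!)?$")
IMAGEPATH_RE = re.compile(r'^Reg\s+HKLM\\SYSTEM\\CurrentControlSet\\Services\\(?P<svc>.+?)@ImagePath\s+"?(?P<path>[^"]+)"?')
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+\(size mismatch\)\s+(?P<a>\d+)/(?P<b>\d+) bytes")


@dataclass
class Finding:
    kind: str            # kernel_patch | user_hook | hidden_service | unknown_mbr | size_mismatch
    subject: str         # what was patched, hooked, hidden or mismatched
    detail: dict = field(default_factory=dict)


@dataclass
class Report:
    findings: list = field(default_factory=list)
    image_paths: dict = field(default_factory=dict)   # service name -> registry ImagePath


def parse_gmer(text: str) -> Report:
    """Walk the log section by section; registry lines other than ImagePath are skipped."""
    rep, section = Report(), ""
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            section = m["name"]
        elif section.startswith("Kernel code") and (m := KERNEL_RE.match(line)):
            rep.findings.append(Finding("kernel_patch", f"{m['mod']}!{m['sym']}",
                                        {"addr": m["addr"], "bytes": int(m["n"]), "patch": m["patch"]}))
        elif section.startswith("User code") and (m := USER_RE.match(line)):
            rep.findings.append(Finding("user_hook", m["func"],
                                        {"process": m["proc"], "pid": int(m["pid"]), "module": m["mod"], "patch": m["patch"]}))
        elif section == "Services" and (m := SERVICE_RE.match(line)):
            rep.findings.append(Finding("hidden_service", m["name"],
                                        {"path": m["path"], "start": m["start"], "flagged": m["tag"] is not None}))
        elif section == "Registry" and (m := IMAGEPATH_RE.match(line)):
            rep.image_paths[m["svc"]] = m["path"]
        elif section == "Disk sectors" and "unknown MBR code" in line:
            rep.findings.append(Finding("unknown_mbr", line.split()[1], {}))
        elif section == "Files" and (m := FILE_RE.match(line)):
            # GMER prints two sizes; their order is not documented on the page, so both are kept as-is.
            rep.findings.append(Finding("size_mismatch", m["path"], {"sizes": (int(m["a"]), int(m["b"]))}))
    return rep


def check_hidden_services(rep: Report) -> dict:
    """Compare each hidden service's on-disk binary with its registry ImagePath.

    A hidden service whose ImagePath agrees with the path GMER found is at least
    self-consistent; a mismatch, or no ImagePath at all, is the stronger indicator.
    """
    out = {}
    for f in rep.findings:
        if f.kind == "hidden_service":
            reg = rep.image_paths.get(f.subject)
            out[f.subject] = {"scan_path": f.detail["path"], "registry_path": reg,
                              "consistent": reg is not None and reg.lower() == f.detail["path"].lower()}
    return out


# Triage ranking is an assumption of this example, not a GMER rule: findings that are
# hardest to explain by legitimately installed software sort first.
TRIAGE_RANK = {"unknown_mbr": 0, "kernel_patch": 1, "hidden_service": 2, "user_hook": 3, "size_mismatch": 4}


def triage_order(rep: Report) -> list:
    return sorted(rep.findings, key=lambda f: TRIAGE_RANK[f.kind])


def summary(rep: Report) -> Counter:
    return Counter(f.kind for f in rep.findings)


if __name__ == "__main__":
    report = parse_gmer(SAMPLE_LOG)
    for f in triage_order(report):
        print(f"{f.kind:15} {f.subject}  {f.detail}")
    print(check_hidden_services(report))
```

Run against the lines above, the cross-check reports both hidden services as consistent with an ImagePath under the DAEMON Tools Lite and QQPCMgr install directories. That only says the service entries agree with themselves; GMER's "hidden" and "ROOTKIT" markers are heuristics, so the binaries still need to be hashed and their signatures checked before the entries are called benign or malicious. The unknown MBR code and the win32k.sys service-table patches cannot be resolved from the log alone and sort to the top of the triage list for that reason.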