GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-06-05 07:41:27 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000032 TOSHIBA_MQ01ABD075 rev.AX0A4M 698,64GB Running: 9oqerumz.exe; Driver: C:\Users\Inga\AppData\Local\Temp\uxldrpow.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000161a00 15 bytes [00, 31, EF, 01, 00, 36, 6A, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 16 fffff96000161a10 11 bytes [00, E4, FB, FF, C0, 4B, E6, ...] ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\dwm.exe[460] C:\Windows\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffe4ef63e10 7 bytes JMP 00007ffe4e3c02d0 .text C:\Windows\system32\dwm.exe[460] C:\Windows\system32\KERNEL32.DLL!RegQueryValueExW 00007ffe4ef63e20 7 bytes JMP 00007ffe4e3c0308 .text C:\Windows\system32\dwm.exe[460] C:\Windows\system32\KERNEL32.DLL!RegSetValueExW 00007ffe4f0139b0 7 bytes JMP 00007ffe4e3c03b0 .text C:\Windows\system32\dwm.exe[460] C:\Windows\system32\KERNEL32.DLL!RegDeleteValueW 00007ffe4f013ef0 7 bytes JMP 00007ffe4e3c0340 .text C:\Windows\system32\dwm.exe[460] C:\Windows\system32\KERNEL32.DLL!RegSetValueExA 00007ffe4f013fe0 7 bytes JMP 00007ffe4e3c0378 .text C:\Windows\system32\dwm.exe[460] C:\Windows\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffe4f0406c0 7 bytes JMP 00007ffe4e3c0228 .text C:\Windows\system32\dwm.exe[460] C:\Windows\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffe4f040730 7 bytes JMP 00007ffe4e3c0298 .text C:\Windows\system32\dwm.exe[460] C:\Windows\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ffe4f040760 7 bytes JMP 00007ffe4e3c0260 .text C:\Windows\system32\dwm.exe[460] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 00007ffe4e3d21d0 5 bytes JMP 00007ffe4e3c0180 .text C:\Windows\system32\dwm.exe[460] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 00007ffe4e3d29d0 7 bytes JMP 00007ffe4e3c00d8 .text C:\Windows\system32\dwm.exe[460] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffe4e3d4310 5 bytes JMP 00007ffe4e3c0110 .text C:\Windows\system32\dwm.exe[460] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 00007ffe4e3d8c40 5 bytes JMP 00007ffe4e3c0148 .text C:\Windows\system32\dwm.exe[460] C:\Windows\system32\USER32.dll!CreateWindowExW 00007ffe4e799920 10 bytes JMP 00007ffe4e3c0490 .text C:\Windows\system32\dwm.exe[460] C:\Windows\system32\USER32.dll!EnumDisplayDevicesW 00007ffe4e7a4430 5 bytes JMP 00007ffe4e3c0458 .text C:\Windows\system32\dwm.exe[460] C:\Windows\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffe4e7a44f0 9 bytes JMP 00007ffe4e3c03e8 .text C:\Windows\system32\dwm.exe[460] C:\Windows\system32\USER32.dll!EnumDisplayDevicesA 00007ffe4e7b3b80 5 bytes JMP 00007ffe4e3c0420 .text C:\Windows\system32\dwm.exe[460] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffe50ec1500 8 bytes JMP 00007ffe4e3c01b8 .text C:\Windows\system32\dwm.exe[460] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffe50ec1750 8 bytes JMP 00007ffe4e3c01f0 ---- Devices - GMER 2.2 ---- Device \Driver\iaStorA \Device\RaidPort0 ffffe0019ab972c0 Device \Driver\cdrom \Device\CdRom0 ffffe0019d92f2c0 Device \Driver\iaStorA \Device\00000032 ffffe0019ab972c0 Device \Driver\iaStorA \Device\00000033 ffffe0019ab972c0 Device \Driver\iaStorA \Device\ScsiPort0 ffffe0019ab972c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xffffe0019ab972c0]<< sptd.sys storport.sys hal.dll iaStorA.sys ffffe0019ab972c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe0019d8c5650] ffffe0019d8c5650 Trace 3 CLASSPNP.SYS[fffff801fea07f40] -> nt!IofCallDriver -> \Device\00000032[0xffffe0019b224060] ffffe0019b224060 Trace \Driver\iaStorA[0xffffe0019b209060] -> IRP_MJ_CREATE -> 0xffffe0019ab972c0 ffffe0019ab972c0 ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\csrss.exe [780:804] fffff960009bb2d0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xE7 0xC5 0x61 0x92 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x5F 0x58 0x6B 0x92 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xF7 0xA6 0x58 0x22 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xAE 0x43 0x56 0x22 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 321 Reg HKLM\SYSTEM\CurrentControlSet\Control\CrashControl@LastCrashTime 0x3C 0xD9 0x8C 0xBF ... Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\CMO15A70_1F_07DA_95^E31A9EA2CA573A9B957AE374289AD020@Timestamp 0x9A 0x31 0x48 0x93 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 868 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -87028353 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 50485847-c5e6-4e22-be80-e361917 Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{5a92debd-4fb6-4f3c-b7ba-0f3d462cbbe4} Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{56a923d2-8d13-487b-81f4-af484ba44ddb}@LastProbeTime 1465093497 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?N?, ?cze ?05 ?16, 02:31:40???????6???????6???????????????6???? Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 13295 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 6506 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 336 Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 818 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EB517593-7AA4-4D27-8E5E-EB6DF1C6675E}@LeaseObtainedTime 1465091671 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EB517593-7AA4-4D27-8E5E-EB6DF1C6675E}@T1 1465093471 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EB517593-7AA4-4D27-8E5E-EB6DF1C6675E}@T2 1465094821 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EB517593-7AA4-4D27-8E5E-EB6DF1C6675E}@LeaseTerminatesTime 1465095271 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\GWX\Usage@UsageTime 0x1A 0x6D 0xB1 0x02 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\DirtyLocalCollections@browsersettings-typedurls-internet-explorer 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@PolicyDocumentLastRefresh 0x15 0xEB 0x0D 0x1D ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0x4E 0x53 0x57 0x2F ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0x4E 0x53 0x57 0x2F ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherBandwidthBucketCounter 36418 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherRequestBucketCounter 191 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0x4E 0x53 0x57 0x2F ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter 115286 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter 191 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0x4E 0x53 0x57 0x2F ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime 0x10 0xE4 0x5D 0x2F ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0xF8 0xC4 0x07 0x1C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications@MobileBroadbandLastResetDate 0x9A 0xBD 0x9E 0xFF ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations 42 Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\Users\Inga\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppHang_Microsoft.SkypeA_17acd45d327c56f6e6ebc639a721bfcfffb9b_0d508f6b_119cf522 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----