GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-07-14 14:18:09
Windows 6.2.9200 x64
\Device\Harddisk0\DR0 -> \Device\00000032 HGST_HTS541010A7E630 rev.SE0OA4A0 931,51GB
Running: 3qdfybre.exe; Driver: C:\Users\Marek\AppData\Local\Temp\fxldrpog.sys

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [668:756] fffff961cab14030

---- Processes - GMER 2.2 ----

Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D6338A76-CF2C-467D-A24D-94B2EFBA1431}\mpengine.dll (*** suspicious ***) @ C:\Program Files\Windows Defender\MsMpEng.exe [2808] 00007ff9aa3e0000

---- Services - GMER 2.2 ----

Service C:\WINDOWS\System32\qmgr.dll (*** hidden *** ) [MANUAL] BITS <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\WdBoot.sys (*** hidden *** ) [MANUAL] WdBoot <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\WdFilter.sys (*** hidden *** ) [MANUAL] WdFilter <-- ROOTKIT !!!
Service C:\Program Files (x86)\Windows Defender\MsMpEng.exe (*** hidden *** ) [MANUAL] WinDefend <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -367945554
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\DefenderApiLogger@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\DefenderAuditLogger@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\acfdce69fb58
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\f8-1a-67-de-84-2c@ClientLocalPort 64906
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\f8-1a-67-de-84-2c@AddressCreationTimestamp 0xE3 0xEA 0x97 0x0D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\f8-1a-67-de-84-2c@TeredoAddress 2001:0:9d38:6abd:1c9b:275:ae41:ad22
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 2148
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 276
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6a715383-e01e-43cc-bb3f-7b0aa7786d37}@LeaseObtainedTime 1468491455
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6a715383-e01e-43cc-bb3f-7b0aa7786d37}@T1 1468495055
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6a715383-e01e-43cc-bb3f-7b0aa7786d37}@T2 1468497755
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6a715383-e01e-43cc-bb3f-7b0aa7786d37}@LeaseTerminatesTime 1468498655
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x59 0xF7 0x45 0x7A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x59 0x5F 0x0A 0xDC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x59 0x8F 0x81 0x18 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0x19 0xF7 0x54 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\WdBoot@Group _Early-Launch
Reg HKLM\SYSTEM\CurrentControlSet\Services\WdBoot@ImagePath \SystemRoot\system32\drivers\WdBoot.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\WdBoot@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\WdBoot
Reg HKLM\SYSTEM\CurrentControlSet\Services\WdFilter@ImagePath \SystemRoot\system32\drivers\WdFilter.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\WdFilter@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\WdFilter
Reg HKLM\SYSTEM\CurrentControlSet\Services\WinDefend@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\WinDefend
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\Pnp\CurrentControlSet\Control\DeviceMigration\Devices\SWD\DAFUPNPPROVIDER\UUID:4D454930-0100-1000-8001-8CC1214146A7\Interfaces\{d0875fb4-2196-4c7a-a63d-e416addd60a1}\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000E@ 0x64 0x62 0x02 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\Pnp\CurrentControlSet\Control\DeviceMigration\Devices\SWD\DAFUPNPPROVIDER\UUID:4D454930-0100-1000-8001-8CC1214146A7\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000E@ 0x64 0x62 0x02 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications@TimestampWhenSeen 0x5F 0xCD 0x40 0xB7 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance@MessageTime 0x39 0xE5 0xB9 0x9B ...

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----
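Added example, not part of the GMER log above and not GMER's own code: a Python parser for the GMER 2.2 text format that splits the log into its sections, pulls out the '*** hidden ***' service entries for triage and decodes the DHCP lease timestamps recorded under Tcpip\Parameters\Interfaces (Unix epoch seconds). The embedded GMER_LOG is a constructed excerpt of the log above; the BUILTIN_SERVICE_NAMES set and the 'verify-signature' / 'investigate' verdicts are this example's own triage convention, not anything GMER emits. All four services flagged here carry standard Windows names (BITS, WdBoot, WdFilter, WinDefend) at system paths, so the first step is to verify each file's Authenticode signature on the host rather than to read '<-- ROOTKIT !!!' as a finding.

```python
"""Added example (not GMER's code, not from the original post): parse a GMER 2.2
text log, triage its '*** hidden ***' services and decode the DHCP lease times."""
import re
from datetime import datetime, timezone

# Constructed excerpt of the log above, one entry per line as GMER writes it.
GMER_LOG = r"""
GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-07-14 14:18:09

---- Services - GMER 2.2 ----

Service C:\WINDOWS\System32\qmgr.dll (*** hidden *** ) [MANUAL] BITS <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\WdBoot.sys (*** hidden *** ) [MANUAL] WdBoot <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\WdFilter.sys (*** hidden *** ) [MANUAL] WdFilter <-- ROOTKIT !!!
Service C:\Program Files (x86)\Windows Defender\MsMpEng.exe (*** hidden *** ) [MANUAL] WinDefend <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6a715383-e01e-43cc-bb3f-7b0aa7786d37}@LeaseObtainedTime 1468491455
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6a715383-e01e-43cc-bb3f-7b0aa7786d37}@LeaseTerminatesTime 1468498655
Reg HKLM\SYSTEM\CurrentControlSet\Services\WdBoot@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\WdBoot

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>.+?)\s+\(\*\*\* (?P<flag>\w+) \*\*\*\s*\)\s+"
    r"\[(?P<start>\w+)\]\s+(?P<name>\S+)(?P<rootkit>\s+<-- ROOTKIT !!!)?$"
)
# "Reg key@value data"; value and data are absent on bare key lines such as "...\Services\WdBoot"
REG_RE = re.compile(r"^Reg\s+(?P<key>[^@]+)(?:@(?P<value>\S*))?(?:\s+(?P<data>.*))?$")


def parse_gmer_log(text):
    """Split a GMER log into {section: [entry, ...]}; every entry keeps its raw
    line and its first word as 'kind' (Thread, Library, Service, Reg, Disk)."""
    sections, current = {"header": []}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        kind = line.split(None, 1)[0]
        entry = {"kind": kind, "raw": line}
        m = SERVICE_RE.match(line) if kind == "Service" else REG_RE.match(line) if kind == "Reg" else None
        if m:
            entry.update(m.groupdict())
            if kind == "Service":
                entry["rootkit"] = bool(m.group("rootkit"))  # True when tagged "<-- ROOTKIT !!!"
        sections[current].append(entry)
    return sections


# Triage convention of this example, not GMER output: the names below are the standard
# Windows services flagged in this log (BITS, Defender's ELAM boot driver, Defender's
# minifilter and the Defender service itself) and the directories they normally live in.
BUILTIN_SERVICE_NAMES = {"BITS", "WdBoot", "WdFilter", "WinDefend"}
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def hidden_services(sections):
    """Return each '*** hidden ***' service with a verdict: a built-in name at a
    standard path gets 'verify-signature' (check the file's Authenticode signature
    on the host before clearing it); anything else gets 'investigate'."""
    out = []
    for e in sections.get("Services", []):
        if e.get("flag") != "hidden":
            continue
        in_system = e["path"].lower().startswith(SYSTEM_ROOTS)
        builtin = e["name"] in BUILTIN_SERVICE_NAMES
        out.append({"name": e["name"], "path": e["path"], "start": e["start"],
                    "in_system_location": in_system, "builtin_name": builtin,
                    "verdict": "verify-signature" if in_system and builtin else "investigate"})
    return out


def dhcp_lease_window(sections):
    """Decode the Tcpip interface lease values (Unix epoch seconds) to UTC and
    return the lease length; compare the obtained time with the scan time in the header."""
    t = {}
    for e in sections.get("Registry", []):
        if "\\Tcpip\\Parameters\\Interfaces\\" in e.get("key", "") and e.get("value") in ("LeaseObtainedTime", "LeaseTerminatesTime"):
            t[e["value"]] = datetime.fromtimestamp(int(e["data"]), tz=timezone.utc)
    if len(t) < 2:
        return None
    return {"obtained_utc": t["LeaseObtainedTime"].isoformat(),
            "expires_utc": t["LeaseTerminatesTime"].isoformat(),
            "lease_seconds": int((t["LeaseTerminatesTime"] - t["LeaseObtainedTime"]).total_seconds())}


if __name__ == "__main__":
    s = parse_gmer_log(GMER_LOG)
    for h in hidden_services(s):
        print(f"{h['name']:10} {h['verdict']:17} {h['path']}")
    print(dhcp_lease_window(s))
```

Run as a script it prints the four triage rows and the lease window: the lease was obtained at 10:17:35 UTC and runs 7200 s, which you line up with the 14:18:09 scan time in the header once you know the host's time zone; a lease that post-dates the scan, or a clock that does not fit, is worth noticing before anything else in the log is trusted. Two things the parsed output makes easy to spot on this particular log: the WinDefend service path sits under Program Files (x86) while the Processes section shows MsMpEng.exe [2808] running from Program Files, and the Disk sectors line reports unknown MBR code. Both are items to confirm on the host, not conclusions to draw from the text alone.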