GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-07-22 21:16:38
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000037 HGST_HTS541075A9E680 rev.JA2OA700 698,64GB
Running: d9q31hc5.exe; Driver: C:\Users\Ancia\AppData\Local\Temp\kftcqpow.sys

---- User code sections - GMER 2.2 ----

.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\KERNEL32.DLL!K32GetModuleInformation 00007ff94e6e3e10 7 bytes JMP 00007ff94bed0260
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\KERNEL32.DLL!RegQueryValueExW 00007ff94e6e3e20 7 bytes JMP 00007ff94bed0298
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\KERNEL32.DLL!RegSetValueExW 00007ff94e7939b0 7 bytes JMP 00007ff94bed0340
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\KERNEL32.DLL!RegDeleteValueW 00007ff94e793ef0 7 bytes JMP 00007ff94bed02d0
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\KERNEL32.DLL!RegSetValueExA 00007ff94e793fe0 7 bytes JMP 00007ff94bed0308
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ff94e7c06c0 7 bytes JMP 00007ff94bed01f0
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ff94e7c0730 7 bytes JMP 00007ff94bed0228
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 00007ff94bf321d0 5 bytes JMP 00007ff94bed0180
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 00007ff94bf329d0 7 bytes JMP 00007ff94bed00d8
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 00007ff94bf34310 5 bytes JMP 00007ff94bed0110
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 00007ff94bf38c40 5 bytes JMP 00007ff94bed0148
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ff94bfaebc0 1 byte JMP 00007ff94bed01b8
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameExW + 2 00007ff94bfaebc2 3 bytes {JMP 0xfffffffffff215f8}
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\USER32.dll!CreateWindowExW 00007ff94cce9920 10 bytes JMP 00007ff94bed0420
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\USER32.dll!EnumDisplayDevicesW 00007ff94ccf4430 5 bytes JMP 00007ff94bed03e8
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ff94ccf44f0 1 byte JMP 00007ff94bed0378
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\USER32.dll!DisplayConfigGetDeviceInfo + 2 00007ff94ccf44f2 7 bytes {JMP 0xffffffffff1dbe88}
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\USER32.dll!EnumDisplayDevicesA 00007ff94cd03b80 5 bytes JMP 00007ff94bed03b0
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\USER32.dll!ChangeDisplaySettingsExW 00007ff94cd05cd0 5 bytes JMP 00007ff94bed0458
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ff94eb51500 1 byte JMP 00007ff94bed0490
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ff94eb51502 6 bytes {JMP 0xfffffffffd37ef90}
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ff94eb51750 8 bytes JMP 00007ff94bed04c8
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 00007ff9497d7750 5 bytes JMP 00007ff9496800d8
.text C:\Windows\system32\dwm.exe[372] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 00007ff9497d8ee0 5 bytes JMP 00007ff949680110

---- Threads - GMER 2.2 ----

Thread C:\Windows\system32\csrss.exe [748:772] fffff9600085d2d0

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x87 0x56 0xF3 0xF5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x47 0x83 0xC4 0x6C ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0xE7 0xB8 0xF5 0xF5 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x11 0x35 0xD5 0x6C ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 87 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SDC41470_00_07DC_C7^6079A99316CEEDD1C27496295DE92BCE@Timestamp 0xC2 0x28 0x8B 0xF6 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 852 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -81572583 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 41e2d0e0-3743-42ed-b587-5342d88 Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{e86b208f-23e1-4ac9-ae68-2470b05e7233} Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14668009802342272@SetupOperations ???'?????'?'?'?(?(?(?(???????????B??????????????????????????????? ???????'???????????'???????? ??????????????????????????'??????Commited?\???'?'?'?'?'?'?'?'?????????????a?????ts\???????????a?????tst???????'???l??????14??????91???????'???l???????s?????'?????)?)?)?)?*?*????????????????????????????????????????????????4???????????????? ???????&?????'?????'??????????P?&??????????????????????????'?'?'?'?'?'?'?'?????????????&????????????????????????????P??'???????????e??\SystemRoot\system32\drivers\aswSnx.sys?ys???????????'??????????????aswSnx????????0??'??????????FSFilter Virtualization??????????'??????????????FltMgr????????L??'??????????????avast! virtualization driver (aswSnx)???? ???????'?????'?????'?'???????? ????????????????? ??'??????????????aswSnx Instance????????'???'?????'?'?????'??????????????? ???????'???????????'?'?????????????????????????????'??????????137600?????????????????????????'????? ???????'???????????'?'????????T??? ???????????? T??'??????????????\??\C:\Program Files\AVAST Software\Avast????'? 
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14668010279682272@SetupOperations ???'?????)?)?)?)?*?*????????????????????????????????????????????????4???????????????? ???????&?????'?????'??????????P?&??????????????????????????'?'?'?'?'?'?'?'?????????????&????????????????????????????P??'???????????e??\SystemRoot\system32\drivers\aswSnx.sys?ys???????????'??????????????aswSnx????????0??'??????????FSFilter Virtualization??????????'??????????????FltMgr????????L??'??????????????avast! virtualization driver (aswSnx)???? ???????'?????'?????'?'???????? ????????????????? ??'??????????????aswSnx Instance????????'???'?????'?'?????'??????????????? ???????'???????????'?'?????????????????????????????'??????????137600?????????????????????????'????? ???????'???????????'?'????????T??? ???????????? T??'??????????????\??\C:\Program Files\AVAST Software\Avast????'?'????? P??'??????????????\??\C:\ProgramData\AVAST Software\Avast?????? ???????&?????'?????'?'????????N?'??????????????????????????'?'?'?'?'?'?'?'?????????????9????????????????????????????6??'??????????FSFilter Security Enhancer?2\d???????'????????? Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\a4db30ec63b9 Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{859ce177-1a03-4cd9-84e1-064e749cf958}@LastProbeTime 1469215205 Reg HKLM\SYSTEM\CurrentControlSet\Services\ialm\Device0@ProfilingToolValues 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?Pt?, ?lip ?22 ?16, 08:25:51??????????????????????????????????? 
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 13531
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 10481
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 107
Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 187
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ADBF9B57-A551-4CB8-81B0-918A43433A26}@LeaseObtainedTime 1469207881
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ADBF9B57-A551-4CB8-81B0-918A43433A26}@T1 1469251081
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ADBF9B57-A551-4CB8-81B0-918A43433A26}@T2 1469283481
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ADBF9B57-A551-4CB8-81B0-918A43433A26}@LeaseTerminatesTime 1469294281
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\GWX\Usage@UsageTime 0x69 0x6E 0xAD 0x38 ...
Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\Users\Ancia\AppData\Local\Microsoft\Windows\WER\ReportArchive\NonCritical_x64_6f2ad38f7691939b74603011b388b42d3cb2b480_00000000_43179f6b

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----