GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-20 18:38:32
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000032 ST1000LM024_HN-M101MBB rev.2BA30001 931,51GB
Running: 5w10ywvz.exe; Driver: C:\Users\GLOBAL~1\AppData\Local\Temp\pxldqpod.sys

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [772:984]  ffff80cc73736c20
Thread  C:\WINDOWS\Explorer.EXE [4372:5672]  00007ffbcc9abb70
Thread  C:\WINDOWS\Explorer.EXE [4372:6336]  00007ffbd32a20e0
Thread  C:\WINDOWS\Explorer.EXE [4372:7996]  00007ffbe98f20e0
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [5452:5756]  00007ffbe50c48e0
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [5452:5876]  00007ffbe22ee010
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [5452:2680]  00007ffbe22ee010
Thread  C:\Users\globalkomp\AppData\Local\Microsoft\OneDrive\OneDrive.exe [6412:4684]  0000000067916aec
Thread  C:\Users\globalkomp\AppData\Local\Microsoft\OneDrive\OneDrive.exe [6412:2100]  0000000067916aec

---- Services - GMER 2.2 ----

Service  C:\WINDOWS\System32\qmgr.dll (*** hidden *** )  [AUTO] BITS  <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control@SystemStartOptions  NOEXECUTE=OPTIN NOVGA SAFEBOOT:MINIMAL NOGUIBOOT BOOTLOGO
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime  0x9D 0x06 0x29 0x53 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime  0x4B 0x62 0xD2 0xEF ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime  0x01 0x69 0x2B 0x53 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime  0x4E 0xC5 0xD4 0xEF ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL  8
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\AUO46EC0_04_07DF_53^3966F87BC3B3DA07E52BF2DA875776C9@Timestamp  0xD2 0xAC 0x2A 0x55 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  716
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  \??\C:\Users\GLOBAL~1\AppData\Local\Temp\nse4B35.tmp\McSplash.dll??\??\C:\Users\GLOBAL~1\AppData\Local\Temp\nse4B35.tmp\??
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment@SAFEBOOT_OPTION  MINIMAL
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber  2710497
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  -675187802
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId  11
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime  486984353
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime  2445
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime  2432
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID  9b1f6a57-b1d8-4785-a4c3-62e05e2
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName  \BaseNamedObjects\WDI_{906c8d13-aa2f-459a-9e18-b218e40ee70e}
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters@BootCounter  10
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName  Global\MMF_BITSf2de2470-99d9-40a4-8e18-d71d7e8a3d6a
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\80a58986fa4e
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\80a58986fa4e@b6be2b296e09  0xE3 0xD9 0xF4 0xF4 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bthserv\Parameters\BluetoothControlPanelTasks@State  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{3bcc137c-e0ba-4311-9429-23fe2e376da1}@LastProbeTime  1476986140
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{99C31CD9-93EB-45BF-82FC-A9F5FE138898}@InterfaceName  Reusable ISATAP Interface {99C31CD9-93EB-45BF-82FC-A9F5FE138898}
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{99C31CD9-93EB-45BF-82FC-A9F5FE138898}@ReusableType  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge  4
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  2248
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  436
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence  7
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e169950f-953f-4ca2-88db-63e83e7b233e}@LeaseObtainedTime  1476978940
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e169950f-953f-4ca2-88db-63e83e7b233e}@T1  1477022140
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e169950f-953f-4ca2-88db-63e83e7b233e}@T2  1477054540
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e169950f-953f-4ca2-88db-63e83e7b233e}@LeaseTerminatesTime  1477065340
Reg  HKLM\SYSTEM\CurrentControlSet\Services\TPM@OsBootCount  59
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0x40 0x9C 0x23 0x69 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0x40 0x04 0xE8 0xCA ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0x40 0x34 0x5F 0x07 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop  0
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@RwMask  0x64 0x62 0x03 0x00 ...

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----