GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2018-05-09 14:01:36
Windows 6.2.9200  x64 
Running: ldszgv4b.exe


---- Services - GMER 2.2 ----

Service  C:\WINDOWS\system32\usocore.dll (*** hidden *** )    [MANUAL] UsoSvc    <-- ROOTKIT !!!
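
The only entry GMER marks as a rootkit is the UsoSvc service (usocore.dll, the Update Session Orchestrator core DLL, which Windows ships in System32) reported as "hidden". GMER's "hidden" means the service showed up in one view (direct registry read) but not in another (the Service Control Manager's enumeration). That discrepancy is worth re-checking before treating it as a rootkit, because the scanner is from 2013 and the OS line "Windows 6.2.9200" is what an unmanifested application is told on Windows 8.1 and later, so the host is probably newer than the tool expects. The following triage script is an added example, not part of the GMER log or of GMER itself; it assumes only the service name and DLL path printed in the line above and must be run elevated on the scanned host. It repeats the cross-view comparison GMER performs, then reports what UsoSvc actually loads and who signed it.

```powershell
# Added triage script (not part of the GMER log above). Run elevated on the scanned host.
# It re-checks the flagged finding, "UsoSvc ... (*** hidden ***)", two ways:
#   1. a cross-view diff: services present in the registry but missing from the
#      Service Control Manager's enumeration (the discrepancy GMER reports as "hidden");
#   2. provenance of the DLL the service loads (ServiceDll plus its Authenticode/catalog signature).
# Assumption: the service name (UsoSvc) and DLL path come from the log line; nothing else is assumed.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# --- 1. Cross-view: registry vs SCM -------------------------------------------------
# Win32 services have Type bit 0x10 (own process) or 0x20 (shared process) set.
# Kernel/filesystem drivers (Type 1/2) are skipped, as are per-user service templates
# (bit 0x40): those sit in the registry under a base name but the SCM instantiates them
# with a per-logon suffix, so a naive diff would list every one of them as "hidden".
$registryServices = foreach ($key in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    $type = (Get-ItemProperty -Path $key.PSPath -Name Type -ErrorAction SilentlyContinue).Type
    if ($null -ne $type -and ($type -band 0x30) -ne 0 -and ($type -band 0x40) -eq 0) { $key.PSChildName }
}
$scmServices = (Get-CimInstance -ClassName Win32_Service).Name

$onlyInRegistry = Compare-Object -ReferenceObject $registryServices -DifferenceObject $scmServices |
    Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject
"Services visible in the registry but not enumerated by the SCM:"
if ($onlyInRegistry) { $onlyInRegistry } else { "  (none)" }

# --- 2. What does UsoSvc actually load, and who signed it? --------------------------
$name   = 'UsoSvc'
$svcKey = Join-Path $servicesKey $name
$imagePath  = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
$serviceDll = (Get-ItemProperty -Path (Join-Path $svcKey 'Parameters') -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
"ImagePath : $imagePath"
"ServiceDll: $serviceDll"

# Expand %SystemRoot% and friends, then check the signature. Inbox Windows binaries are
# usually catalog-signed rather than carrying an embedded signature; Get-AuthenticodeSignature
# consults the catalogs, so a genuine inbox DLL reports Status 'Valid' with a Microsoft
# Windows signer. 'NotSigned', an unexpected signer, or a ServiceDll outside System32
# is the point at which the GMER verdict deserves to be taken seriously.
if ($serviceDll) {
    $dllPath = [Environment]::ExpandEnvironmentVariables($serviceDll)
    $sig = Get-AuthenticodeSignature -FilePath $dllPath
    [pscustomobject]@{
        Path   = $dllPath
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        SHA256 = (Get-FileHash -Algorithm SHA256 -Path $dllPath).Hash
    } | Format-List
}
```

If the cross-view diff comes back empty and the DLL is a Microsoft-signed file in System32, the "hidden" flag is a scanner artifact rather than evidence of a rootkit; if the diff lists UsoSvc or the signature check fails, image the host before doing anything else. The SHA256 is printed so it can be compared against a known-good copy of usocore.dll from the same Windows build. For the registry section that follows, note that the long binary values sit under Avast's own aswRvrt service key and, where readable, contain the installer's MoveFile/DeleteFile records for files in the Avast program directory, which is what the embedded paths show.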

---- Registry - GMER 2.2 ----

Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed                   1115194800
Reg      HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_15004494210312303@SetupOperations  ???E?????E?E?E F?????????????????????????????????????????????M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M?M???M?y?)?)?p?)?M?M????? ???????????????????9??????????`???+???????????????????????????? ???????E???????????????????? ??????????????????1??????????????????????????????????????????????????????????????????????????????????????????????????????? ?????????????????????~????????f??? ????????????????????????? ????????????????????X?microsoft.desktopappinstaller_8wekyb3d8bbwe???"??????????????????????????D?????????????????????????????????????????????????????????????????????qcser.inf???? ???????E???????????E???????? ??????????????????????????E??????Commited?????E?E?E?E?E?E???????????????????t???????????????????t?????????E???????????????????O??????????????????????????????????????????? ???????E???????????F???????? ??????????????????????E??????????????MoveFile("\??\C:\Program Files\AVAST Software\Avast\avB942D.tmp","\??\C:\Program Files\AVAST Software\Avast\avBugReport.exe",TRUE)?Move
Reg      HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_15047981895312310@SetupOperations  ???F?????F G?G??????????????????????????????????????????? ???????E???????????F???????? ???M??????????????????????F??????Commited?????F?F?F?F?F?F???????????????????t???????????????????t?????????F??????????????????????????????????????????????????????????????? ???????E???????????F???????? ???N??????????????????????F??????Commited?????F?F?F?F?F?F???????????????????t???????????????????t?????????F??????????????????????????????????????????????????????????????? ???????E???????????F???????? ???O??????????????????????F??????Commited?????F?F?F?F?F?F???????????????????t???????????????????t?????????F??????????????????????????????????????????????????????????????? ???????E???????????F???????? ???P??????????????????????F??????Commited?????F?F?F?F?F?F???????????????????t???????????????????t?????????F??????????????????????????????????????????????????????????????? ???????E???????????F???????? ???Q??????????????????????F??????Commited?????F?F?F?F?F?F???????????????????t???????????????????t?????????F?????????????????????????????
Reg      HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_15071485813122314@SetupOperations  ???G?????G?G?H?????? ????????????????????2??????????????? ???????E???????????G???????? ???q??????????????????????G??????Commited?????G?G?H?H?H?H???????????????????t?????M???G??????????????MoveFile("\??\C:\Program Files\AVAST Software\Avast\avB9F04.tmp","\??\C:\Program Files\AVAST Software\Avast\avBugReport.exe",TRUE)?MoveFile("\??\C:\Program Files\AVAST Software\Avast\AvD9F73.tmp","\??\C:\Program Files\AVAST Software\Avast\AvDump32.exe",TRUE)?MoveFile("\??\C:\Program Files\AVAST Software\Avast\x64\AvD9FB4.tmp","\??\C:\Program Files\AVAST Software\Avast\x64\AvDump64.exe",TRUE)?MoveFile("\??\C:\Program Files\AVAST Software\Avast\aswE6FF.tmp","\??\C:\Program Files\AVAST Software\Avast\aswcmlx.dll",TRUE)?MoveFile("\??\C:\Program Files\AVAST Software\Avast\aswE73E.tmp","\??\C:\Program Files\AVAST Software\Avast\aswsysx.dll",TRUE)?MoveFile("\??\C:\Program Files\AVAST Software\Avast\aswE86E.tmp","\??\C:\Program Files\AVAST Software\Avast\aswDataScan.dll",TRUE)?MoveFile("\??\C:\Program Files\AVAST Software\Avast\gam
Reg      HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_15109400998752318@SetupOperations  ???H?????H?H?I???????????????????????????q??????????????? ???????E???????????H???????? ???~??????????????????????H??????Commited?????H?H?H?H?H?H?H?????????????????t???????????????????t?????????H???????????????????????????H???????????s??DeleteFile("\??\C:\Program Files\AVAST Software\Avast\GrimeFighter2.dll")?RemoveDir("\??\C:\Program Files\AVAST Software\Avast",FALSE,FALSE)?DeleteFile("\??\C:\Program Files\AVAST Software\Avast\x64\Gf2Vss.exe")?RemoveDir("\??\C:\Program Files\AVAST Software\Avast\x64",FALSE,FALSE)?DeleteFile("\??\C:\ProgramData\AVAST Software\Avast\GrimeFighter2\control\rules.dat")?RemoveDir("\??\C:\ProgramData\AVAST Software\Avast\GrimeFighter2\control",FALSE,FALSE)?DeleteFile("\??\C:\ProgramData\AVAST Software\Avast\GrimeFighter2\control\rules.ver")?RemoveDir("\??\C:\ProgramData\AVAST Software\Avast\GrimeFighter2\control",FALSE,FALSE)?DeleteFile("\??\C:\ProgramData\AVAST Software\Avast\GrimeFighter2\control\settings.dat")?RemoveDir("\??\C:\ProgramData\AVAST Software\Avast\GrimeFighter2\cont
Reg      HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_15145782296092322@SetupOperations  ???I?????I?I?I?J????????$????????????????????????t??????????? ???????E???????????I???????? ??????????????????????????I??????Commited?P???I?I?I?I?I?I????????????????????g????????????????????????????I??????????????????????????%????E??????????????????????????????? ???????E???????????I???????? ??????????????????????????I??????Commited?????I?I?I?I?I?I?I???????????F???????????????????????????????????I???5??????????????d8???????I?????????????????I?????J?J?J?K????????*???????????????????????????????????? ???????E???????????I???????? ??????????????????????????I??????Commited?????I?I?I?I?I?I???????????????????t?i?????????????????t?B???????I???}??????????????????????+????A???????????????????P??????????? ???????E???????????I???????? ??????????????????????????I???a??Reverted?.???I?I?I?I?I?I?I???????????w?????tos???????????N?????tth???????I???????????????????????????I???1???????s?????I?????K?K?K??????-????t??????????????????????????????? ???????E???????????I???????? ??????????????????????????I???i??Commited?????I?I?I?I?I?
Reg      HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_15184803307032326@SetupOperations  ???I?????J?J?J?K????????*???????????????????????????????????? ???????E???????????I???????? ??????????????????????????I??????Commited?????I?I?I?I?I?I???????????????????t?i?????????????????t?B???????I???}??????????????????????+????A???????????????????P??????????? ???????E???????????I???????? ??????????????????????????I???a??Reverted?.???I?I?I?I?I?I?I???????????w?????tos???????????N?????tth???????I???????????????????????????I???1???????s?????I?????K?K?K??????-????t??????????????????????????????? ???????E???????????I???????? ??????????????????????????I???i??Commited?????I?I?I?I?I?I?????????????d??????s\???????????g??????sy???????I??????????PC??????????????.???????????????????????????????????? ???????E???????????I???????? ??????????????????????????I???r??Commited?.???I?I?I?I?I?I?I???????????b???????????????????S???????s???????I???x???????????????W???????I???????????s?????I?????L?L?L?L????????3????>??????????????????????????????? ???????E???????????I???????? ??????????????????????????I???.??Reverted?.???I?I?I?I?I?
Reg      HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_15199498692032328@SetupOperations  ???I?????K?K?K??????-????t??????????????????????????????? ???????E???????????I???????? ??????????????????????????I???i??Commited?????I?I?I?I?I?I?????????????d??????s\???????????g??????sy???????I??????????PC??????????????.???????????????????????????????????? ???????E???????????I???????? ??????????????????????????I???r??Commited?.???I?I?I?I?I?I?I???????????b???????????????????S???????s???????I???x???????????????W???????I???????????s?????I?????L?L?L?L????????3????>??????????????????????????????? ???????E???????????I???????? ??????????????????????????I???.??Reverted?.???I?I?I?I?I?I?????????????.???????s???????????????????????????I???????????s??????????????5???????????????????????????????????? ???????E???????????I???????? ??????????????????2???????I???(??Commited?o???I?I?I?I?I?I?I?????????????????t???????????????????t?????????I??????????????????0????????M??????????????????3???????????????????????????????????? ???????E???????????I???????? ??????????????????1???????I??????Commited?(???I?I?I?I?I?M?M?????????????????
Reg      HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_15227920181252333@SetupOperations  ???I?????L?L?L?L????????3????>??????????????????????????????? ???????E???????????I???????? ??????????????????????????I???.??Reverted?.???I?I?I?I?I?I?????????????.???????s???????????????????????????I???????????s??????????????5???????????????????????????????????? ???????E???????????I???????? ??????????????????2???????I???(??Commited?o???I?I?I?I?I?I?I?????????????????t???????????????????t?????????I??????????????????0????????M??????????????????3???????????????????????????????????? ???????E???????????I???????? ??????????????????1???????I??????Commited?(???I?I?I?I?I?M?M?????????????????t?$???????????l?????t?%???????I???6???????????????I???????M???????????s???????????I??????????????MoveFile("\??\C:\Program Files\AVAST Software\Avast\avBBCCC.tmp","\??\C:\Program Files\AVAST Software\Avast\avBugReport.exe",TRUE)?MoveFile("\??\C:\Program Files\AVAST Software\Avast\AvDBD89.tmp","\??\C:\Program Files\AVAST Software\Avast\AvDump32.exe",TRUE)?MoveFile("\??\C:\Program Files\AVAST Software\Avast\x64\AvDBDD9.tmp","\??\C:\Pro
Reg      HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00c2c60ed30e                         
Reg      HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated                 0xA5 0xA4 0x3E 0xFF ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh                      0xA5 0x0C 0x03 0x61 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow                       0xA5 0x3C 0x7A 0x9D ...
Reg      HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw                                                  0x64 0x62 0x03 0x00 ...
Reg      HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask                                              0x64 0x62 0x03 0x00 ...
Reg      HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw                                                  0x64 0x62 0x03 0x00 ...
Reg      HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask                                              0x64 0x62 0x03 0x00 ...
Reg      HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@Rw                                                  0x64 0x62 0x03 0x00 ...
Reg      HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@RwMask                                              0x64 0x62 0x03 0x00 ...
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Search\JumplistData@E7CF176E110C211B                 0x03 0x4C 0x1E 0x6C ...

---- EOF - GMER 2.2 ----
