GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2018-06-01 16:13:17 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000038 ST1000LX015-1U7172 rev.SDM1 931,51GB Running: so3rnnqc.exe; Driver: C:\Users\Dom\AppData\Local\Temp\fxldrpoc.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5700] C:\Windows\system32\KERNEL32.DLL!BaseThreadInitThunk 00007ffa7aaf13b0 13 bytes {MOV R11, 0x7ffa6abee400; JMP R11} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5700] C:\Windows\system32\KERNEL32.DLL!SetUnhandledExceptionFilter 00007ffa7aaf47d0 13 bytes {MOV R11, 0x7ffa55697bbc; JMP R11} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5700] C:\Windows\system32\user32.dll!SendMessageTimeoutW 00007ffa7ac34300 13 bytes {MOV R11, 0x7ffa556618b0; JMP R11} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5700] C:\Windows\system32\user32.dll!GetWindowInfo 00007ffa7ac3c420 13 bytes {MOV R11, 0x7ffa555463d8; JMP R11} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[3448] C:\Windows\system32\KERNEL32.DLL!BaseThreadInitThunk 00007ffa7aaf13b0 13 bytes {MOV R11, 0x7ffa6abee400; JMP R11} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[1112] C:\Windows\system32\KERNEL32.DLL!BaseThreadInitThunk 00007ffa7aaf13b0 13 bytes {MOV R11, 0x7ffa6abee400; JMP R11} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[2712] C:\Windows\system32\KERNEL32.DLL!BaseThreadInitThunk 00007ffa7aaf13b0 13 bytes {MOV R11, 0x7ffa6abee400; JMP R11} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[6156] C:\Windows\system32\KERNEL32.DLL!BaseThreadInitThunk 00007ffa7aaf13b0 13 bytes {MOV R11, 0x7ffa6abee400; JMP R11} .text C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7252] C:\Windows\system32\KERNEL32.DLL!BaseThreadInitThunk 00007ffa7aaf13b0 13 bytes {MOV R11, 0x7ffa6abee400; JMP R11} ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\csrss.exe [588:612] fffff9600083c2d0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x72 0xDF 0x80 0x38 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xAE 0x54 0x62 0xC9 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x72 0xDF 0x80 0x38 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xAE 0x54 0x62 0xC9 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 1764 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\CMN15B80_30_07DD_1E^C9C97A340D5BF5605CF6CBC063B7712E@Timestamp 0x57 0x3C 0xFF 0x38 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 700 Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{6D336D54-27DC-4AA3-B1E7-080D93903312}\Connection@Name Reusable ISATAP Interface {6D336D54-27DC-4AA3-B1E7-080D93903312} Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 3901767 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -1893266202 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 1789 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 536624858 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 5284 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 5266 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID eeda6bec-1e1f-46ec-b693-4fd43a1 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 1 Reg HKLM\SYSTEM\CurrentControlSet\Enum@NextParentID.1ecce971.6 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\d0534969e5c3 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\d0534969e5c3@e4e0c5df957e 0x8E 0x44 0x7F 0x60 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\d0534969e5c3@b0d09c281628 0x7C 0x46 0x17 0x77 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\d0534969e5c3@00e3b201cccf 0x85 0x00 0xBC 0x72 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\d0534969e5c3@18219586c7a4 0x74 0x9D 0x7C 0xFD ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\d0534969e5c3@14dda93fc650 0x3E 0xE4 0x92 0x1E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\d0534969e5c3@149d09ff5b1c 0x59 0x85 0x3D 0x6C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\bthserv\Parameters\BluetoothControlPanelTasks@State 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{c16ca3b6-cc09-420c-8438-c19901dff15e}@LastProbeTime 1527818329 Reg HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Chrome@CategoryMessageFile C:\Program Files (x86)\Google\Chrome\Application\66.0.3359.139\eventlog_provider.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Chrome@EventMessageFile C:\Program Files (x86)\Google\Chrome\Application\66.0.3359.139\eventlog_provider.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Chrome@ParameterMessageFile C:\Program Files (x86)\Google\Chrome\Application\66.0.3359.139\eventlog_provider.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\HidUsb@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\HidUsb@DisplayName @oem27.inf,%HID.SvcDesc%;Microsoft HID Class Driver Reg HKLM\SYSTEM\CurrentControlSet\Services\HidUsb@Owners oem27.inf?input.inf? Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{6D336D54-27DC-4AA3-B1E7-080D93903312}@InterfaceName Reusable ISATAP Interface {6D336D54-27DC-4AA3-B1E7-080D93903312} Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{6D336D54-27DC-4AA3-B1E7-080D93903312}@ReusableType 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\39@Timestamp 0x6B 0x9F 0xAD 0xBF ... Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?Pt?, ?cze ?01 ?18, 02:01:20??????*???????*???????????????*???? Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 13568 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 7407 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 1785 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CB892A38-E676-4915-B220-FD083A2D9594}@DhcpIPAddress 192.168.1.100 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CB892A38-E676-4915-B220-FD083A2D9594}@LeaseObtainedTime 1527811103 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CB892A38-E676-4915-B220-FD083A2D9594}@T1 1527812903 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CB892A38-E676-4915-B220-FD083A2D9594}@T2 1527814253 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CB892A38-E676-4915-B220-FD083A2D9594}@LeaseTerminatesTime 1527814703 Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----