GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-05-11 23:20:32
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PB4O 465,76GB
Running: 1dy5yljk.exe; Driver: C:\Users\KLAKIA\AppData\Local\Temp\uwkoypob.sys

---- User code sections - GMER 2.2 ----

? C:\WINDOWS\system32\apphelp.dll [3724] entry point in ".rdata" section 000000006ca60380

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [648:752] fffff9604dd84060
Thread C:\WINDOWS\system32\svchost.exe [852:972] 00007ffcb742a8a0
Thread C:\WINDOWS\system32\svchost.exe [852:976] 00007ffcb7429c70
Thread C:\WINDOWS\system32\svchost.exe [852:76] 00007ffcb6fe8d90
Thread C:\WINDOWS\system32\svchost.exe [496:3276] 00007ffcae924ba0
Thread C:\WINDOWS\system32\svchost.exe [496:3280] 00007ffcac451a50
Thread C:\WINDOWS\system32\svchost.exe [496:5436] 00007ffc9f91eb60
Thread C:\WINDOWS\system32\svchost.exe [496:5524] 00007ffc9f771040
Thread C:\WINDOWS\system32\svchost.exe [496:5540] 00007ffca9ed4c50
Thread C:\WINDOWS\system32\svchost.exe [496:5536] 00007ffca9ed4c50
Thread C:\WINDOWS\system32\svchost.exe [496:5612] 00007ffcab3cc040
Thread C:\WINDOWS\system32\svchost.exe [496:5616] 00007ffcab3cc040
Thread C:\WINDOWS\system32\svchost.exe [496:5672] 00007ffcab3cc040
Thread C:\WINDOWS\system32\svchost.exe [496:5740] 00007ffc9a1c09b0
Thread C:\WINDOWS\system32\svchost.exe [496:6108] 00007ffc9a1c09b0
Thread C:\WINDOWS\system32\svchost.exe [496:5488] 00007ffcad012750
Thread C:\WINDOWS\system32\svchost.exe [496:2920] 00007ffc9a1c09b0
Thread C:\WINDOWS\system32\svchost.exe [496:5364] 00007ffc97d7c480
Thread C:\WINDOWS\system32\svchost.exe [496:5372] 00007ffc97d7c480
Thread C:\WINDOWS\system32\svchost.exe [496:5824] 00007ffc97d7c480
Thread C:\WINDOWS\system32\svchost.exe [496:5828] 00007ffc97d58640
Thread C:\WINDOWS\system32\svchost.exe [496:3008] 00007ffc97d7c480
Thread C:\WINDOWS\system32\svchost.exe [496:3656] 00007ffc9a1c09b0
Thread C:\WINDOWS\system32\svchost.exe [496:4272] 00007ffc9b16be40
Thread C:\WINDOWS\system32\svchost.exe [652:1760] 00007ffcb0863780
Thread C:\WINDOWS\system32\svchost.exe [652:1968] 00007ffcafd24530
Thread C:\WINDOWS\system32\svchost.exe [652:2412] 00007ffcad859670
Thread C:\WINDOWS\system32\svchost.exe [652:2696] 00007ffcb7b36b60
Thread C:\WINDOWS\system32\svchost.exe [652:3080] 00007ffcad855a40
Thread C:\WINDOWS\system32\svchost.exe [652:4888] 00007ffcad84e0e0
Thread C:\WINDOWS\system32\svchost.exe [1120:2496] 00007ffcad396aa0
Thread C:\WINDOWS\system32\svchost.exe [1120:2500] 00007ffcad39b0c0
Thread C:\WINDOWS\system32\svchost.exe [1120:3772] 00007ffcae391240
Thread C:\WINDOWS\system32\svchost.exe [1120:3776] 00007ffca9fd9490
Thread C:\WINDOWS\system32\svchost.exe [1120:3792] 00007ffca9df29b0
Thread C:\WINDOWS\system32\svchost.exe [1120:2640] 00007ffca4a03d30
Thread C:\WINDOWS\system32\svchost.exe [1120:5376] 00007ffca4a022b0
Thread C:\WINDOWS\System32\svchost.exe [1260:1520] 00007ffcb2bbb450
Thread C:\WINDOWS\System32\svchost.exe [1260:1604] 00007ffcb1ab8e30
Thread C:\WINDOWS\System32\svchost.exe [1260:1628] 00007ffcb19a10a0
Thread C:\WINDOWS\System32\svchost.exe [1260:1640] 00007ffcb16454a0
Thread C:\WINDOWS\System32\svchost.exe [1260:2248] 00007ffcaead4440
Thread C:\WINDOWS\System32\svchost.exe [1260:2692] 00007ffcae994460
Thread C:\WINDOWS\System32\svchost.exe [1260:2700] 00007ffcae9971f0
Thread C:\WINDOWS\System32\svchost.exe [1260:2708] 00007ffcaead4440
Thread C:\WINDOWS\System32\svchost.exe [1260:3124] 00007ffcb0881670
Thread C:\WINDOWS\System32\svchost.exe [1260:4256] 00007ffc9afd9d60
Thread C:\WINDOWS\System32\svchost.exe [1260:5072] 00007ffc9afd2450
Thread C:\WINDOWS\System32\svchost.exe [1260:5404] 00007ffcb1641dd0
Thread C:\WINDOWS\System32\svchost.exe [1260:4664] 00007ffcb1641620
Thread C:\WINDOWS\system32\svchost.exe [1612:5644] 00007ffcab3cc040
Thread C:\WINDOWS\Explorer.EXE [4716:3380] 00007ffcb8123db0
Thread C:\WINDOWS\Explorer.EXE [4716:4496] 00007ffcaead4440
Thread C:\WINDOWS\Explorer.EXE [4716:4660] 00007ffc9dc11c40
Thread C:\WINDOWS\Explorer.EXE [4716:5892] 00007ffc9bbf0250
Thread C:\WINDOWS\Explorer.EXE [4716:1784] 00007ffcb33f9230
Thread C:\WINDOWS\Explorer.EXE [4716:3376] 00007ffc9b5227a0
Thread C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [5076:1992] 00007ffcb8e38f90
Thread C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [5076:4184] 00007ffcb1f4b530
Thread C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [5076:2848] 00007ffcb31ee200
Thread C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [5076:3592] 00007ffcb8e38f90
Thread C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [5076:3596] 00007ffcb1f4b530
Thread C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [5076:2208] 00007ffcaf6afc00
Thread C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [5076:2232] 00007ffcb8e38f90
Thread C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [5076:2228] 00007ffcb1f4b530
Thread C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [5076:3424] 00007ffcaf6afc00
Thread C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [5076:1372] 00007ffcb1d65530
Thread C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [5076:1980] 00007ffcb1d65530
Thread C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [5076:5204] 00007ffcb8e38f90
Thread C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [5076:5208] 00007ffcb1f4b530
Thread C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [5076:184] 00007ffcaf6afc00
Thread C:\WINDOWS\system32\backgroundTaskHost.exe [5556:5184] 00007ffcb31ee200

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1214560890
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xA1 0xBE 0x12 0x37 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xA1 0x26 0xD7 0x98 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xA1 0x56 0x4E 0xD5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0x1D 0xB2 0x13 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@RwMask 0x64 0x62 0x03 0x00 ...