GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-06-01 11:07:32
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000030 ST1000LM024_HN-M101MBB rev.2AR10001 931,51GB
Running: rpbpp8mg.exe; Driver: C:\Users\Mateusz\AppData\Local\Temp\kxtdrpoc.sys

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [748:776] fffff961d6b14060
Thread C:\WINDOWS\system32\svchost.exe [356:2164] 00007ffd65069670
Thread C:\WINDOWS\system32\svchost.exe [356:2684] 00007ffd63124530
Thread C:\WINDOWS\system32\svchost.exe [356:3320] 00007ffd6d636b60
Thread C:\WINDOWS\system32\svchost.exe [356:4036] 00007ffd65065a40
Thread C:\WINDOWS\system32\svchost.exe [356:4700] 00007ffd6505e0e0
Thread C:\WINDOWS\System32\svchost.exe [1324:1612] 00007ffd69b1b450
Thread C:\WINDOWS\System32\svchost.exe [1324:1768] 00007ffd66cf8e30
Thread C:\WINDOWS\System32\svchost.exe [1324:1784] 00007ffd66ae10a0
Thread C:\WINDOWS\System32\svchost.exe [1324:1792] 00007ffd668554a0
Thread C:\WINDOWS\System32\svchost.exe [1324:2952] 00007ffd630b4440
Thread C:\WINDOWS\System32\svchost.exe [1324:3552] 00007ffd62ed4460
Thread C:\WINDOWS\System32\svchost.exe [1324:3560] 00007ffd62ed71f0
Thread C:\WINDOWS\System32\svchost.exe [1324:3564] 00007ffd630b4440
Thread C:\WINDOWS\System32\svchost.exe [1324:3760] 00007ffd628f1670
Thread C:\WINDOWS\System32\svchost.exe [1324:5296] 00007ffd4ca19d60
Thread C:\WINDOWS\System32\svchost.exe [1324:7048] 00007ffd4ca12450
Thread C:\WINDOWS\system32\svchost.exe [1548:2144] 00007ffd650e6aa0
Thread C:\WINDOWS\system32\svchost.exe [1548:2148] 00007ffd650eb0c0
Thread C:\WINDOWS\system32\svchost.exe [1548:3104] 00007ffd621e1240
Thread C:\WINDOWS\system32\svchost.exe [1548:3108] 00007ffd62209490
Thread C:\WINDOWS\system32\svchost.exe [1548:3116] 00007ffd621b29b0
Thread C:\WINDOWS\system32\svchost.exe [1548:1248] 00007ffd5f8c3d30
Thread C:\WINDOWS\system32\svchost.exe [1548:6736] 00007ffd5f8c22b0
Thread C:\WINDOWS\System32\spoolsv.exe [1812:3172] 00007ffd63a16320
Thread C:\WINDOWS\System32\spoolsv.exe [1812:3176] 00007ffd638729a0
Thread C:\WINDOWS\System32\spoolsv.exe [1812:3200] 00007ffd62191180
Thread C:\WINDOWS\System32\spoolsv.exe [1812:3204] 00007ffd622ecd90
Thread C:\WINDOWS\system32\conhost.exe [824:1876] 00007ffd5f679b40
Thread C:\WINDOWS\system32\conhost.exe [824:896] 00007ffd5f672e90
Thread C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3992:5228] 00007ffd6af7e200
Thread C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3992:4864] 00007ffd6084fc00
Thread C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3992:5608] 00007ffd6084fc00
Thread C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3992:3404] 00007ffd6084fc00
Thread C:\WINDOWS\system32\ApplicationFrameHost.exe [3532:220] 00007ffd6f008f90

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 718074133
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\20689d9daf98
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 9099
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 1879
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x1C 0xBD 0x7F 0xDD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x1C 0x25 0x44 0x3F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x1C 0x55 0xBB 0x7B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0x5B 0xA5 0x28 0x02 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\1@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\1@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\2@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\2@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\3@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\3@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList@MRUList fgajdhibc
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE7CD045-E861-484F-8273-0445EE161910}\iexplore@Count 145

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----