GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-07-20 13:17:14
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-6 WDC_WD5003AZEX-00K1GA0 rev.80.00A80 465,76GB
Running: o4cs25nn.exe; Driver: C:\Users\Admin\AppData\Local\Temp\pxldrpoc.sys

---- Threads - GMER 2.2 ----

Thread  C:\Windows\system32\csrss.exe [468:892]    fffff960009692d0

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime    0x3B 0xB4 0xEC 0x7B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime    0xEE 0x78 0xF1 0x7B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL    118
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\GSM597C311NDJX81268_0B_07DD_6E^A283C773DA1FC5184B57D76B5E3E4AF0@Timestamp    0xD1 0xB9 0x6D 0xCB ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed    2106872727
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID    638ef948-064b-41de-8d03-ce458f7
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId    3
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName    \BaseNamedObjects\WDI_{0e914dc4-1240-4033-89fe-fafb6dae3cd1}
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{e50c3c6c-69d4-43af-ba59-9e68370ed5ba}@LastProbeTime    1468625713
Reg  HKLM\SYSTEM\CurrentControlSet\Services\monitor\Parameters\Wdf@TimeOfLastSqmLog    0x92 0x4E 0xCE 0x85 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PEAUTH\Parameters\Wdf@TimeOfLastSqmLog    0xE0 0x9C 0x55 0x84 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge    1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime    ??r?, ?lip ?20 ?16, 04:00:49
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch    9285
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch    4594
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence    120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2EBC2FE4-6F88-40F7-8CEC-5858082DE03E}@LeaseObtainedTime    1469005287
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2EBC2FE4-6F88-40F7-8CEC-5858082DE03E}@T1    1469007087
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2EBC2FE4-6F88-40F7-8CEC-5858082DE03E}@T2    1469008437
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2EBC2FE4-6F88-40F7-8CEC-5858082DE03E}@LeaseTerminatesTime    1469008887
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter    641
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList@MRUList    acb
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\iexplore@Count    41
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{553891B7-A0D5-4526-BE18-D3CE461D6310}\iexplore@Count    41
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\GWX\Usage@UsageTime    0x30 0xEE 0x7B 0x2F ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications@MobileBroadbandLastResetDate    0x2B 0xB5 0x69 0xFB ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Store@LastTileRefresh    0x09 0x29 0x27 0xFB ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Store\RefreshBannedAppList@BannedAppsLastModified    0x80 0x9F 0x57 0xFB ...
Reg  HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation    C:\Users\Admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppHang_explorer.exe_26b1c77271d980237d45e74a252bf73d598c10_f9ec8dbb_1c8c4e00

---- Files - GMER 2.2 ----

File  C:\Windows\WinSxS\wow64_microsoft-windows-gwx_31bf3856ad364e35_6.3.9600.18409_none_abe6b2d75e54202b    0 bytes
File  C:\Windows\WinSxS\wow64_microsoft-windows-gwx_31bf3856ad364e35_6.3.9600.18409_none_abe6b2d75e54202b\GWX.exe    456704 bytes executable
File  C:\Windows\WinSxS\amd64_microsoft-windows-gwx-uninstall_31bf3856ad364e35_6.3.9600.18409_none_9e4c2eb0cf223939    0 bytes
File  C:\Windows\WinSxS\amd64_microsoft-windows-gwx-uninstall_31bf3856ad364e35_6.3.9600.18409_none_9e4c2eb0cf223939\GWXGC.exe    24576 bytes executable

---- EOF - GMER 2.2 ----