GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-08-18 17:48:46
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000031 WDC_WD10EFRX-68PJCN0 rev.82.00A82 931,51GB
Running: or4rncw6.exe; Driver: C:\Users\Karol\AppData\Local\Temp\pxldqpod.sys


---- User code sections - GMER 2.2 ----

?       C:\Program Files\EslWire\service\WireHelperSvc.exe [1976]   entry point in ".vmp1" section 00007ff7942278ce

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [624:684]   fffff96048114030
Thread  C:\Program Files\WindowsApps\Microsoft.WindowsStore_11602.1.26.0_x64__8wekyb3d8bbwe\WinStore.Mobile.exe [9156:4412]   00007ff9b2353110
Thread  C:\Program Files\WindowsApps\Microsoft.WindowsStore_11602.1.26.0_x64__8wekyb3d8bbwe\WinStore.Mobile.exe [9156:4944]   00007ff9c7e77bd0
Thread  C:\Program Files\WindowsApps\Microsoft.WindowsStore_11602.1.26.0_x64__8wekyb3d8bbwe\WinStore.Mobile.exe [9156:8644]   00007ff9c5708f90
Thread  C:\Program Files\WindowsApps\Microsoft.WindowsStore_11602.1.26.0_x64__8wekyb3d8bbwe\WinStore.Mobile.exe [9156:160]    00007ff9bdcdb530
Thread  C:\Program Files\WindowsApps\Microsoft.WindowsStore_11602.1.26.0_x64__8wekyb3d8bbwe\WinStore.Mobile.exe [9156:5348]   00007ff9c0e4e200
Thread  C:\Program Files\WindowsApps\Microsoft.WindowsStore_11602.1.26.0_x64__8wekyb3d8bbwe\WinStore.Mobile.exe [9156:3652]   00007ff9c570a090
Thread  C:\Program Files\WindowsApps\Microsoft.WindowsStore_11602.1.26.0_x64__8wekyb3d8bbwe\WinStore.Mobile.exe [9156:8500]   00007ff9c5bac1a0
Thread  C:\Program Files\WindowsApps\Microsoft.WindowsStore_11602.1.26.0_x64__8wekyb3d8bbwe\WinStore.Mobile.exe [9156:5440]   00007ff9c7e77bd0
Thread  C:\Program Files\WindowsApps\Microsoft.WindowsStore_11602.1.26.0_x64__8wekyb3d8bbwe\WinStore.Mobile.exe [9156:2800]   00007ff9bda76a00

---- Registry - GMER 2.2 ----

Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed   741641230
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{71170c8c-5b0f-4210-ac8d-3ef804bd51b8}@LeaseObtainedTime   1471532024
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{71170c8c-5b0f-4210-ac8d-3ef804bd51b8}@T1   1471532299
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{71170c8c-5b0f-4210-ac8d-3ef804bd51b8}@T2   1471532524
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{71170c8c-5b0f-4210-ac8d-3ef804bd51b8}@LeaseTerminatesTime   1471532624
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated   0xE2 0xC1 0xE0 0xC9 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh   0xE2 0x29 0xA5 0x2B ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow   0xE2 0x59 0x1C 0x68 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount   0x45 0x60 0x65 0x00 ...
Reg     HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@Rw   0x64 0x62 0x03 0x00 ...
Reg     HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@RwMask   0x64 0x62 0x03 0x00 ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds   {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Steam\Steam.exe?Chrome?

---- Disk sectors - GMER 2.2 ----

Disk    \Device\Harddisk0\DR0   unknown MBR code

---- Files - GMER 2.2 ----

File    C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\a2d148dafbe8f7831e54166256b36261_e38bcd20-fe4b-49bd-a544-2384817e5d2b   2246 bytes

---- EOF - GMER 2.2 ----