GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-08-20 18:11:47
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000024 ST1000LM024_HN-M101MBB rev.2BA30001 931,51GB
Running: 2n8dde8t.exe; Driver: C:\Users\Natalka\AppData\Local\Temp\fxlyrpog.sys

---- Kernel code sections - GMER 2.2 ----

.text  C:\WINDOWS\System32\win32k.sys!W32pServiceTable  fffff9600023b200 15 bytes [00, 28, F6, 01, 80, 1C, 6C, ...]
.text  C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16  fffff9600023b210 11 bytes [00, 0E, FC, FF, 00, 05, C4, ...]

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [3992:8672]  fffff960008632d0

---- Services - GMER 2.2 ----

Service  C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe (*** hidden *** )  [MANUAL] Disc Soft Lite Bus Service  <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  709935811
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\acd1b8e75c98
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\acd1b8e75c98@18002d5e5c67  0xE1 0xB4 0xF6 0x5C ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\acd1b8e75c98@5cb52441ba3d  0xEA 0x6F 0x75 0xF6 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\acd1b8e75c98@08fc8837452c  0xAC 0x1B 0x3B 0x8E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@Type  16
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@ErrorControl  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@ImagePath  "C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe"
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@DisplayName  Disc Soft Lite Bus Service
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@DependOnService  RPCSS?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@ObjectName  LocalSystem
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  25594
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  11706
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso\OpenWithProgids@DAEMON.Tools.Lite
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso\UserChoice
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso\UserChoice@Hash  sWeFQgBkFao=
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso\UserChoice@ProgId  DAEMON.Tools.Lite
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mdf\OpenWithProgids@DAEMON.Tools.Lite
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mdf\UserChoice
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU@MRUList  ba
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband@FavoritesChanges  39
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Run@DAEMON Tools Lite Automount  "C:\Program Files\DAEMON Tools Lite\DTAgent.exe" -autorun

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----