GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-08-21 17:31:53
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000039 KINGSTON_SM2280S3120G rev.S8FM06.A 111,79GB
Running: 7q0l1w53.exe; Driver: C:\Users\Lenovo\AppData\Local\Temp\kxgdrpob.sys

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [10900:10264]  ffffe0beb4a66c20

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  \??\C:\Program Files\Common Files\McAfee\Platform\Core\mcc482D.tmp??\??\C:\Program Files\McAfee\MSC\mcu68CD.tmp??\??\C:\Program Files\Common Files\McAfee\Platform\mcu6E4C.tmp??\??\C:\Program Files\Common Files\McAfee\Platform\mcb6E6C.tmp??\??\C:\Program Files\Common Files\McAfee\Platform\mcu6E7D.tmp??\??\C:\Program Files\McAfee\MSC\mcm6EBC.tmp??\??\C:\Program Files\McAfee\MSC\McT74FC.tmp??\??\C:\Program Files\McAfee\MSC\McA74FD.tmp??\??\C:\Program Files\McAfee\MSC\mcp75BB.tmp??\??\C:\Program Files\McAfee\MSC\mcd784C.tmp??\??\C:\Program Files\McAfee\MSC\mcm785C.tmp??\??\C:\WINDOWS\Temp\nsj8769.tmp\InstallHelp\PEFInstallHelper.dll??\??\C:\WINDOWS\Temp\nsj8769.tmp\InstallHelp\??\??\C:\WINDOWS\Temp\nsj8769.tmp\??\??\C:\Program Files\McAfee\MSC\SubBB5A.tmp??\??\C:\Program Files\Common Files\McAfee\Platform\McPBCF0.tmp??\??\C:\Program Files\Common Files\McAfee\Platform\mcuBDBC.tmp??\??\C:\Program Files\Common Files\McAfee\Platform\mcsBDCC.tmp??\??\C:\Program Files\Common Files\McAfee\Platform\aleBE3B.tmp??\??\C:\P
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  -1135323883
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName  Global\MMF_BITS07570699-e97e-49c0-a7c4-5c1575f6f54a
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\a434d95da899
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c8-3a-35-38-30-88@AddressCreationTimestamp  0x35 0x2D 0xCA 0x0D ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c8-3a-35-38-30-88@NatDetectionTimestamp  0x35 0x2D 0xCA 0x0D ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c8-3a-35-38-30-88@ClientLocalPort  61423
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c8-3a-35-38-30-88@UPnPExternalPort  61423
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c8-3a-35-38-30-88@TeredoAddress  2001:0:9d38:90d7:4d4:1010:2a11:8495
Reg  HKLM\SYSTEM\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\2@Timestamp  0x5F 0x26 0x24 0x78 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SCDEmu
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SCDEmu@Type  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SCDEmu@Start  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SCDEmu@ErrorControl  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SCDEmu@DisplayName  SCDEmu
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SCDEmu
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  943
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  82
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{a7dc28b3-8cca-4afd-8cff-68acefdee815}@Dhcpv6State  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0x52 0xFA 0x32 0xE2 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0x52 0x62 0xF7 0x43 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0x52 0x92 0x6E 0x80 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\3@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\3@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\4@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\4@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\5@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\5@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\6@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\6@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\7@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\7@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime  0x21 0x0C 0xAC 0x49 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime  0x21 0x0C 0xAC 0x49 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherBandwidthBucketCounter  0
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherRequestBucketCounter  0
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime  0x21 0x0C 0xAC 0x49 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter  0
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter  0
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime  0x21 0x0C 0xAC 0x49 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@RoamingSyncToken  LM%3d63607063194847%3bID%3dD7780A0A321B743E!104%3bLR%3d63607379046987%3bEP%3d10%3bSI%3d29%3bTD%3dTrue%3bSO%3d0%3bPI%3d49
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime  0x31 0x0B 0x04 0x82 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest  0xFE 0xDD 0x7B 0xFC ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations  17
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\browsersettings\wininet-internet-explorer@IsLocalReplicaDirty  1

---- EOF - GMER 2.2 ----
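Most of the Registry section above is volatile state (timestamps, counters, sync tokens) rather than anything hidden. The three entries that warrant follow-up are the PendingFileRenameOperations list (paths that smss.exe renames or deletes early in the next boot), the SCDEmu key (Type 1 = kernel driver, Start 1 = SYSTEM_START, with no ImagePath shown in the log, so the driver binary has to be located and its signature verified on the host), and the Teredo state (an IPv6-over-UDP tunnel endpoint whose address, per RFC 4380, encodes the Teredo server, the client's external IPv4 address and its UDP port). The script below is an added triage helper, not part of GMER and not code from this scan: it parses the Reg lines into per-key records, flags those three kinds of entries, and decodes the Teredo address; the decoded port should equal ClientLocalPort, which is a useful consistency check on the log. SAMPLE_LOG is constructed by hand from the layout above with the path list shortened. The assumption that the REG_MULTI_SZ NUL separators render as "??" and that paths contain no "?" is specific to how this page shows the value.

```python
"""Triage the Registry section of a GMER 2.2 log (added example, not GMER code)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# 'Reg  <key>[@<value>  <data>]'. Key paths may contain spaces ("Session Manager"),
# so the key ends at the first '@' or at end of line; data runs to end of line.
REG_LINE = re.compile(
    r"^Reg\s+(?P<key>HK[A-Z]+\\[^@]*?)"
    r"(?:@(?P<value>\S+)(?:\s+(?P<data>.*?))?)?\s*$"
)

# Win32 service constants (SERVICE_KERNEL_DRIVER = 0x1, SERVICE_FILE_SYSTEM_DRIVER = 0x2, ...).
SERVICE_TYPE = {0x1: "KERNEL_DRIVER", 0x2: "FILE_SYSTEM_DRIVER",
                0x10: "WIN32_OWN_PROCESS", 0x20: "WIN32_SHARE_PROCESS"}
SERVICE_START = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
                 3: "DEMAND_START", 4: "DISABLED"}

# Assumption about this page's rendering (not a GMER convention): the NUL separators of
# the REG_MULTI_SZ value show up as '??', every queued path carries the NT object prefix
# '\??\', and the paths themselves contain no '?'.
NT_PATH = re.compile(r"\\\?\?\\[^?]+")


@dataclass
class RegKey:
    path: str
    values: Dict[str, str] = field(default_factory=dict)


@dataclass
class Finding:
    kind: str      # pending-file-op | early-driver | teredo
    subject: str
    detail: str


def parse_reg_lines(text: str) -> Dict[str, RegKey]:
    """Group every 'Reg' line by key path; all other lines are ignored."""
    keys: Dict[str, RegKey] = {}
    for raw in text.splitlines():
        m = REG_LINE.match(raw.strip())
        if not m:
            continue
        key = keys.setdefault(m["key"], RegKey(m["key"]))
        if m["value"] is not None:
            key.values[m["value"]] = m["data"] or ""
    return keys


def decode_teredo(addr: str) -> Optional[Dict[str, object]]:
    """RFC 4380 layout: 2001:0000 | server IPv4 | flags | port ^ 0xFFFF | client IPv4 ^ 0xFFFFFFFF."""
    packed = ipaddress.IPv6Address(addr).packed
    if packed[:4] != b"\x20\x01\x00\x00":
        return None
    return {
        "server": str(ipaddress.IPv4Address(packed[4:8])),
        "flags": int.from_bytes(packed[8:10], "big"),
        "port": int.from_bytes(packed[10:12], "big") ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in packed[12:16]))),
    }


def triage(keys: Dict[str, RegKey]) -> List[Finding]:
    """Flag queued file operations, early-loading drivers and Teredo endpoints."""
    findings: List[Finding] = []
    for path, key in keys.items():
        v = key.values
        if path.endswith("\\Control\\Session Manager") and "PendingFileRenameOperations" in v:
            for nt in NT_PATH.findall(v["PendingFileRenameOperations"]):
                findings.append(Finding("pending-file-op", nt[len("\\??\\"):],
                                        "renamed or deleted by smss.exe early in the next boot"))
        elif "\\Services\\" in path and "Type" in v:
            try:
                stype, start = int(v["Type"]), int(v.get("Start", "3"))
            except ValueError:
                continue
            if stype in (0x1, 0x2) and start <= 1:   # driver that loads before most of user mode
                where = (f"ImagePath={v['ImagePath']}" if "ImagePath" in v
                         else "no ImagePath in the log, locate and verify the driver binary on the host")
                findings.append(Finding("early-driver", path.rsplit("\\", 1)[1],
                                        f"{SERVICE_TYPE[stype]} with Start={SERVICE_START[start]}; {where}"))
        elif "\\Teredo\\" in path and "TeredoAddress" in v:
            t = decode_teredo(v["TeredoAddress"])
            if t is None:
                continue
            detail = f"IPv6-in-UDP tunnel via server {t['server']}, client {t['client']}:{t['port']}"
            local = v.get("ClientLocalPort", "")
            if local.isdigit() and int(local) != t["port"]:
                detail += f" (decoded port does not match ClientLocalPort={local})"
            findings.append(Finding("teredo", path.rsplit("\\", 1)[1], detail))
    return findings


# Constructed sample in the layout of the scan above (path list shortened).
SAMPLE_LOG = r"""
---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  \??\C:\Program Files\McAfee\MSC\mcu68CD.tmp??\??\C:\WINDOWS\Temp\nsj8769.tmp\InstallHelp\PEFInstallHelper.dll??\??\C:\WINDOWS\Temp\nsj8769.tmp\??
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c8-3a-35-38-30-88@ClientLocalPort  61423
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c8-3a-35-38-30-88@TeredoAddress  2001:0:9d38:90d7:4d4:1010:2a11:8495
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SCDEmu
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SCDEmu@Type  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SCDEmu@Start  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SCDEmu@ErrorControl  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SCDEmu@DisplayName  SCDEmu
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  943
"""

if __name__ == "__main__":
    for f in triage(parse_reg_lines(SAMPLE_LOG)):
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

Run it as-is to see the findings for the sample; to triage a real log, pass the file's text to parse_reg_lines instead of SAMPLE_LOG. The volatile noise (W32Time, NsiMigrationRoot, Live\Roaming counters) is deliberately not flagged.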