GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-25 08:16:42 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002f WDC_WD10JPVX-60JC3T0 rev.01.01A01 931,51GB Running: r8c99wl7.exe; Driver: C:\Users\gregrc\AppData\Local\Temp\pgndrfow.sys ---- User code sections - GMER 2.2 ---- ? C:\Windows\system32\wbem\wbemsvc.dll [2304] entry point in ".rdata" section 00000000726c8fa0 ? C:\Windows\SYSTEM32\ActXPrxy.dll [4352] entry point in ".rdata" section 0000000071a0bd10 ? C:\Windows\SYSTEM32\iertutil.dll [5528] entry point in ".rdata" section 00000000708912d0 ? C:\Windows\system32\wbem\wbemsvc.dll [5552] entry point in ".rdata" section 00000000726c8fa0 ? C:\Windows\SYSTEM32\ActXPrxy.dll [5552] entry point in ".rdata" section 0000000071a0bd10 ? C:\Windows\system32\wbem\wbemsvc.dll [1636] entry point in ".rdata" section 00000000726c8fa0 ? C:\Windows\SYSTEM32\NTASN1.dll [1636] entry point in ".rdata" section 00000000678cbb10 ? C:\Windows\SYSTEM32\iertutil.dll [1636] entry point in ".rdata" section 00000000708912d0 ? C:\Windows\SYSTEM32\NTASN1.dll [688] entry point in ".rdata" section 00000000678cbb10 ? C:\Windows\system32\apphelp.dll [1176] entry point in ".rdata" section 0000000071e00380 ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\csrss.exe [660:716] fffff960a9514030 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xAC 0xA7 0x4B 0x94 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x1A 0x17 0xEF 0x25 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 25 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SDC4E510_00_07DE_56^98C754A4B7F5086D37238434B6F3DDE1@Timestamp 0xF4 0xF4 0x97 0x94 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 800 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1752701075 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID d0016276-25cd-415e-9460-01c8e43 Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{4297c0a1-c1d0-418b-a927-271257900409} Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\48e244a203de Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{8a55140c-c142-4321-99dc-38e6417eea0c}@LastProbeTime 1474790223 Reg HKLM\SYSTEM\CurrentControlSet\Services\ialm\Device0@ProfilingToolValues 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-15-6d-8b-96-70@AddressCreationTimestamp 0x8C 0xF5 0xF7 0x0D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_438b5\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_438b5\Security@Security 0x01 0x00 0x14 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_438b5\TriggerInfo Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_438b5\TriggerInfo\0 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_438b5\TriggerInfo\0@Type 7 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_438b5\TriggerInfo\0@Action 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_438b5\TriggerInfo\0@Guid 0x16 0x28 0x7A 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_438b5\TriggerInfo\0@Data0 0x75 0x18 0xBC 0xA3 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_438b5\TriggerInfo\0@DataType0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_438b5\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_438b5\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_438b5\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_438b5\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?niedz.?, ?wrz ?25 ?16, 07:58:17 AM???????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 1185 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 111 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 23 Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 108 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6e21d66d-728b-4ce0-9894-2dc160e4d155}@LeaseObtainedTime 1474783003 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6e21d66d-728b-4ce0-9894-2dc160e4d155}@T1 1474797403 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6e21d66d-728b-4ce0-9894-2dc160e4d155}@T2 1474808203 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6e21d66d-728b-4ce0-9894-2dc160e4d155}@LeaseTerminatesTime 1474811803 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_438b5\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_438b5\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_438b5\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_438b5\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xCB 0x61 0x47 0xBB ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xCB 0xC9 0x0B 0x1D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xCB 0xF9 0x82 0x59 ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----