GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-29 22:37:44 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000033 HGST_HTS545050A7E680 rev.GR2OA350 465,76GB Running: kshwtrh4.exe; Driver: C:\Users\HP250~1\AppData\Local\Temp\pgldipob.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\system32\wbem\wbemsvc.dll [2520] entry point in ".rdata" section 0000000073cd8fc0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [2556] entry point in ".rdata" section 000000006f2400e0 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [4232] entry point in ".rdata" section 0000000073cd8fc0 ? C:\Windows\System32\iertutil.dll [4232] entry point in ".rdata" section 000000006f2400e0 ? C:\WINDOWS\SYSTEM32\dbgcore.DLL [5764] entry point in ".rdata" section 00000000700ec940 ? C:\WINDOWS\SYSTEM32\iertutil.dll [4888] entry point in ".rdata" section 000000006f2400e0 ? C:\WINDOWS\SYSTEM32\dbgcore.DLL [4888] entry point in ".rdata" section 00000000700ec940 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [4888] entry point in ".rdata" section 0000000069e1a020 ? C:\Windows\System32\OneCoreUAPCommonProxyStub.dll [4888] entry point in ".rdata" section 0000000054907ec0 ? C:\WINDOWS\system32\ncryptsslp.dll [4888] entry point in ".rdata" section 00000000590104f0 ? C:\WINDOWS\SYSTEM32\dbgcore.DLL [5524] entry point in ".rdata" section 00000000700ec940 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [5524] entry point in ".rdata" section 0000000073cd8fc0 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [5524] entry point in ".rdata" section 0000000069e1a020 ? C:\WINDOWS\SYSTEM32\iertutil.dll [5524] entry point in ".rdata" section 000000006f2400e0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [5748] entry point in ".rdata" section 000000006f2400e0 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [5748] entry point in ".rdata" section 0000000073cd8fc0 ? C:\WINDOWS\system32\apphelp.dll [5748] entry point in ".rdata" section 000000006e5bf7c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [7008] entry point in ".rdata" section 000000006f2400e0 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [6760] entry point in ".rdata" section 0000000073cd8fc0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [1660] entry point in ".rdata" section 000000006f2400e0 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [6792] entry point in ".rdata" section 0000000073cd8fc0 .text C:\Program Files\CCleaner\CCleaner64.exe[4300] C:\WINDOWS\System32\win32u.dll!NtUserShowScrollBar 00007ffbf12f1830 5 bytes JMP 00007ffb71310018 ? C:\WINDOWS\SYSTEM32\iertutil.dll [7708] entry point in ".rdata" section 000000006f2400e0 ? C:\WINDOWS\system32\apphelp.dll [8440] entry point in ".rdata" section 000000006e5bf7c0 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [6308] entry point in ".rdata" section 0000000073cd8fc0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [6308] entry point in ".rdata" section 000000006f2400e0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [6368] entry point in ".rdata" section 000000006f2400e0 ? C:\WINDOWS\system32\apphelp.dll [4716] entry point in ".rdata" section 000000006e5bf7c0 ? C:\WINDOWS\SYSTEM32\dbgcore.DLL [9556] entry point in ".rdata" section 00000000700ec940 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [9556] entry point in ".rdata" section 0000000073cd8fc0 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [9556] entry point in ".rdata" section 0000000069e1a020 ? C:\WINDOWS\SYSTEM32\iertutil.dll [9556] entry point in ".rdata" section 000000006f2400e0 ? C:\WINDOWS\system32\apphelp.dll [9436] entry point in ".rdata" section 000000006e5bf7c0 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [672:968] ffffabaa5d776c20 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 366917804 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\c03896867d60 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x1E 0x5B 0x23 0x88 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x1E 0xC3 0xE7 0xE9 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x1E 0xF3 0x5E 0x26 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask 0x64 0x62 0x03 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds E7CF176E110C211B?{6D809377-6AF0-444B-8957-A3773F02200E}\CCleaner\CCleaner64.exe?{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Winamp\winamp.exe? Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@E7CF176E110C211B 0xE8 0x77 0x39 0x80 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7CBCFC46-550A-48AD-B0B5-9D3B1BF77E37}@LastAccessedTime 0xB0 0x93 0x29 0x40 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7CBCFC46-550A-48AD-B0B5-9D3B1BF77E37}@LaunchCount 31 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7CBCFC46-550A-48AD-B0B5-9D3B1BF77E37}\RecentItems\{6DC2E12C-299C-4E09-8308-E570462E4899} Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7CBCFC46-550A-48AD-B0B5-9D3B1BF77E37}\RecentItems\{6DC2E12C-299C-4E09-8308-E570462E4899}@Type 0 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7CBCFC46-550A-48AD-B0B5-9D3B1BF77E37}\RecentItems\{6DC2E12C-299C-4E09-8308-E570462E4899}@Path C:\Users\hp 250\Desktop\Nowy folder (3)\20160724_181412.mp4 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7CBCFC46-550A-48AD-B0B5-9D3B1BF77E37}\RecentItems\{6DC2E12C-299C-4E09-8308-E570462E4899}@DisplayName 20160724_181412.mp4 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7CBCFC46-550A-48AD-B0B5-9D3B1BF77E37}\RecentItems\{6DC2E12C-299C-4E09-8308-E570462E4899}@LastAccessedTime 0x00 0x00 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7CBCFC46-550A-48AD-B0B5-9D3B1BF77E37}\RecentItems\{6DC2E12C-299C-4E09-8308-E570462E4899}@Points 0x00 0x00 0x00 0x00 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7CBCFC46-550A-48AD-B0B5-9D3B1BF77E37}\RecentItems\{C3A1A702-EDF9-4357-9CFE-B887C913B780} Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7CBCFC46-550A-48AD-B0B5-9D3B1BF77E37}\RecentItems\{C3A1A702-EDF9-4357-9CFE-B887C913B780}@Type 0 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7CBCFC46-550A-48AD-B0B5-9D3B1BF77E37}\RecentItems\{C3A1A702-EDF9-4357-9CFE-B887C913B780}@Path G:\Filmy tymczasowe\01.05.2014\Anatomia.zla.2015.PL.480p-K12 [AgusiQ]\Anatomia.zla.2015.PL.480p.WEB-DL.XViD.AC3-K12.avi Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7CBCFC46-550A-48AD-B0B5-9D3B1BF77E37}\RecentItems\{C3A1A702-EDF9-4357-9CFE-B887C913B780}@DisplayName Anatomia.zla.2015.PL.480p.WEB-DL.XViD.AC3-K12.avi Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7CBCFC46-550A-48AD-B0B5-9D3B1BF77E37}\RecentItems\{C3A1A702-EDF9-4357-9CFE-B887C913B780}@LastAccessedTime 0x00 0x00 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7CBCFC46-550A-48AD-B0B5-9D3B1BF77E37}\RecentItems\{C3A1A702-EDF9-4357-9CFE-B887C913B780}@Points 0x00 0x00 0x00 0x00 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7CBCFC46-550A-48AD-B0B5-9D3B1BF77E37}\RecentItems\{C77F6ADF-B02F-461D-833B-ED1D90B9CE8B} Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7CBCFC46-550A-48AD-B0B5-9D3B1BF77E37}\RecentItems\{C77F6ADF-B02F-461D-833B-ED1D90B9CE8B}@Type 0 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7CBCFC46-550A-48AD-B0B5-9D3B1BF77E37}\RecentItems\{C77F6ADF-B02F-461D-833B-ED1D90B9CE8B}@Path F:\torrenty\King.Kong.2005.PL.DVDRip.XviD-A4O\a4o-kkplb.avi Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7CBCFC46-550A-48AD-B0B5-9D3B1BF77E37}\RecentItems\{C77F6ADF-B02F-461D-833B-ED1D90B9CE8B}@DisplayName a4o-kkplb.avi Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7CBCFC46-550A-48AD-B0B5-9D3B1BF77E37}\RecentItems\{C77F6ADF-B02F-461D-833B-ED1D90B9CE8B}@LastAccessedTime 0x00 0x00 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{7CBCFC46-550A-48AD-B0B5-9D3B1BF77E37}\RecentItems\{C77F6ADF-B02F-461D-833B-ED1D90B9CE8B}@Points 0x00 0x00 0x00 0x00 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----