GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-11 14:00:58
Windows 6.2.9200 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WL500GSA1672B rev.18.01H18 465,76GB
Running: gmer.exe; Driver: C:\Users\BIURO_~1\AppData\Local\Temp\agloipoc.sys


---- System - GMER 2.2 ----

SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwSystemDebugControl [0x82161830]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwSetSystemInformation [0x82161870]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwLoadDriver [0x821618B0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwCreateThread [0x821617F0]

---- Kernel code sections - GMER 2.2 ----

.text  ntoskrnl.exe!ExfUnblockPushLock + 1549  8199B65D 1 Byte  [06]
.text  ntoskrnl.exe!KiDispatchInterrupt + 602  8199FDE2 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 2.2 ----

.text  C:\Program Files\ESET\ESET Endpoint Security\ekrn.exe[2440] KERNEL32.DLL!SetUnhandledExceptionFilter  77569570 4 Bytes  [C2, 04, 00, 00]

---- Devices - GMER 2.2 ----

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1  iorate.sys
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1  volume.sys
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2  iorate.sys
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2  volume.sys
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3  iorate.sys
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3  volume.sys

---- Threads - GMER 2.2 ----

Thread  System [4:1632]  97CBD340

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  -844401666
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  5374
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0xB6 0xDD 0xC1 0x5F ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0xB6 0x45 0x86 0xC1 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0xB6 0x75 0xFD 0xFD ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack@LastSuccessfulUploadTime  0x6A 0xB2 0x81 0x48 ...
Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack@LastFreeNetworkLossTime  0x9E 0x85 0x86 0x3D ...
Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack@LastConnectivityHeartBeatTime  0xEF 0xF9 0x06 0x41 ...
Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\HeartBeats\Default@LastHeartBeatTime  0x96 0x3F 0x7C 0xAE ...
Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests@LastDownloadTime  0x56 0x9A 0x88 0x46 ...
Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests\TELEMETRY.ASM-WINDOWSSQ@LastDownloadTime  0x18 0x22 0x27 0xFB ...
Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests\WINDOWS.DIAGNOSTICS@ETag  30:66A2A38603EE9D2B::2EF0E62828
Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests\WINDOWS.DIAGNOSTICS@LastDownloadTime  0x51 0x4A 0xDD 0x2C ...
Reg  HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x86_1d6b65f0c1b671f84a99e2b9e9d9e7e81e2ec89_00000000_09c8920a
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@F524FD48  19
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4030737862-48352174-3639878373-1007@RefCount  12

---- EOF - GMER 2.2 ----