GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-27 15:53:00
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000032 TS128GSSD370S rev.O1225G 119,24GB
Running: ddorqb0y.exe; Driver: C:\Users\Jakub\AppData\Local\Temp\kxldqpow.sys

---- Kernel code sections - GMER 2.2 ----

.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000116400 15 bytes [C0, 37, EE, 01, 40, A7, 69, ...]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 16 fffff96000116410 11 bytes [00, 14, FC, FF, 00, 84, D5, ...]

---- Devices - GMER 2.2 ----

Device \Driver\cpuz140 \Device\cpuz140 fffff801867ee5b0

---- Threads - GMER 2.2 ----

Thread C:\Windows\system32\csrss.exe [588:612] fffff960009462d0

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x8B 0x73 0x10 0xD6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x8B 0x73 0x10 0xD6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x74 0xE2 0x37 0x13 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x74 0xE2 0x37 0x13 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@en-GB 65
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\IVM562E1132561821971_12_07E0_D2^2F78704922FA991F54D6FEE2098B05B3@Timestamp 0x9B 0x23 0x11 0xE3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 660
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 640832217
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 28f2d31c-30c7-4eb4-be9f-5424604
Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{cc42b96f-20de-4a0e-948e-f9a784968506}
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00116779452b
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00116779452b@fc58fa6b06fc 0x26 0x3F 0x1A 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00116779452b@7cf90e3d1930 0xCB 0xB4 0x7C 0x3A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{9e89f707-bb41-4672-85ad-28714b1829a2}@LastProbeTime 1477582550
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{e0abe4da-379c-4912-af6a-0756d8cf669c}@LastProbeTime 1477578337
Reg HKLM\SYSTEM\CurrentControlSet\Services\ialm\Device0@ProfilingToolValues 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{4486C045-8D20-4754-AEDF-2B6345E65BE8}@DefunctTimestamp 0xB6 0x02 0x12 0x58 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime Thu, Oct 27 16, 03:36:14 PM ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 3653
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 657
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 67
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2699C06E-AD45-403C-96E5-A06039587EF6}@LeaseObtainedTime 1477575349
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2699C06E-AD45-403C-96E5-A06039587EF6}@T1 1477578949
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2699C06E-AD45-403C-96E5-A06039587EF6}@T2 1477581649
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2699C06E-AD45-403C-96E5-A06039587EF6}@LeaseTerminatesTime 1477582549
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E775B620-2612-4588-8435-477705EF6006}@LeaseObtainedTime 1477575350
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E775B620-2612-4588-8435-477705EF6006}@T1 1493343350
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E775B620-2612-4588-8435-477705EF6006}@T2 1505169350
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E775B620-2612-4588-8435-477705EF6006}@LeaseTerminatesTime 1509111350
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0xF3 0x4F 0xB3 0x0B ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0xF3 0x4F 0xB3 0x0B ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0xF3 0x4F 0xB3 0x0B ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0xF3 0x4F 0xB3 0x0B ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@RoamingSyncToken LM%3d63612850650570%3bID%3d62D9C424D4938120!103%3bLR%3d63613172158303%3bEP%3d13%3bSI%3d80%3bTD%3dTrue%3bSO%3d0%3bPI%3d49

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----