GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-11-03 19:32:01
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000032 ST1000LM014-SSHD-8GB rev.LVD4 931,51GB
Running: rmq2tm48.exe; Driver: C:\Users\Robert\AppData\Local\Temp\kwrdqpoc.sys

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [740:856]   ffffd2a7059a6c20

---- Registry - GMER 2.2 ----

Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed   -304335038
Reg     HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\34e6adeee5e8
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated   0x05 0xA5 0x1C 0x6A ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh   0x05 0x0D 0xE1 0xCB ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow   0x05 0x3D 0x58 0x08 ...
Reg     HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw   0x64 0x62 0x03 0x00 ...
Reg     HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask   0x64 0x62 0x03 0x00 ...
Reg     HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw   0x64 0x62 0x03 0x00 ...
Reg     HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask   0x64 0x62 0x03 0x00 ...
Reg     HKLM\SYSTEM\Setup\Upgrade\Pnp\CurrentControlSet\Control\DeviceMigration\Devices\SWD\DAFUPNPPROVIDER\UUID:4D454930-0100-1000-8001-8CC12115DC3F\Interfaces\{d0875fb4-2196-4c7a-a63d-e416addd60a1}\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000E@   0x64 0x62 0x02 0x00 ...
Reg     HKLM\SYSTEM\Setup\Upgrade\Pnp\CurrentControlSet\Control\DeviceMigration\Devices\SWD\DAFUPNPPROVIDER\UUID:4D454930-0100-1000-8001-8CC12115DC3F\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000E@   0x64 0x62 0x02 0x00 ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter   84
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8664889D-ED18-4713-918F-E2BB69D8452B}\iexplore@Count   549
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\iexplore@Count   482
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsBandwidthBucketCounter   17875
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter   750
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime   0x72 0x57 0x64 0x78 ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime   0x72 0x57 0x64 0x78 ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime   0x72 0x57 0x64 0x78 ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter   18655
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter   247
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime   0x72 0x57 0x64 0x78 ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@RoamingSyncToken   LM%3d63613793023937%3bID%3d4B0F291EF1543EE6!109%3bLR%3d63613793820650%3bEP%3d13%3bSI%3d21%3bTD%3dTrue%3bSO%3d0%3bPI%3d49
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime   0x72 0x80 0x96 0x9D ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest   0xC3 0xF5 0xD6 0xD9 ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\68c5c24f@NotificationsCount   3
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\a2e35824@NotificationsCount   5
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe   0x54 0xA1 0xE4 0xAA ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@E7CF176E110C211B   0x3F 0x11 0xB0 0x5B ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{C3A67596-11DD-43E2-AC47-912C7062CF51}@LastAccessedTime   0xF0 0x20 0xE2 0xAA ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{C3A67596-11DD-43E2-AC47-912C7062CF51}@LaunchCount   13
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{C3A67596-11DD-43E2-AC47-912C7062CF51}\RecentItems\{0A600275-1FF9-4D1F-A4E9-B45F137F9E76}
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{C3A67596-11DD-43E2-AC47-912C7062CF51}\RecentItems\{0A600275-1FF9-4D1F-A4E9-B45F137F9E76}@Type   0
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{C3A67596-11DD-43E2-AC47-912C7062CF51}\RecentItems\{0A600275-1FF9-4D1F-A4E9-B45F137F9E76}@Path   C:\Program Files\Office 2016 KMS Activator Ultimate v1.1 Final\Readme.txt
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{C3A67596-11DD-43E2-AC47-912C7062CF51}\RecentItems\{0A600275-1FF9-4D1F-A4E9-B45F137F9E76}@DisplayName   Readme.txt
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{C3A67596-11DD-43E2-AC47-912C7062CF51}\RecentItems\{0A600275-1FF9-4D1F-A4E9-B45F137F9E76}@LastAccessedTime   0x00 0x00 0x00 0x00 ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{C3A67596-11DD-43E2-AC47-912C7062CF51}\RecentItems\{0A600275-1FF9-4D1F-A4E9-B45F137F9E76}@Points   0x00 0x00 0x00 0x00
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{EC055A3F-0424-4702-A0D2-8A6CDDE6C811}@LastAccessedTime   0x70 0x96 0xCD 0x0B ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{EC055A3F-0424-4702-A0D2-8A6CDDE6C811}@LaunchCount   2
Reg     HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting@LastRateLimitedDumpGenerationTime   0x6A 0x28 0xF9 0x4E ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation   C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppHang_WINWORD.EXE_d110c2f73762eb2ac6ebc3678284371f6be1f32_f9b6eda7_14c4e089
Reg     HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BackgroundModel\PreInstallTasks\RequireReschedule\Microsoft.WindowsMaps_8wekyb3d8bbwe@RetryRemaining   5

---- Disk sectors - GMER 2.2 ----

Disk    \Device\Harddisk0\DR0   unknown MBR code

---- EOF - GMER 2.2 ----