GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-12-17 21:44:29
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000043 HGST_HTS721010A9E630 rev.JB0OA3J0 931,51GB
Running: 975g1inx.exe; Driver: C:\Users\MSI\AppData\Local\Temp\pxldipob.sys

---- Threads - GMER 2.2 ----

Thread  C:\Program Files\Windows Defender\MsMpEng.exe [2404:9712]  00007ffab2e5a2a0
Thread  C:\Program Files\Windows Defender\MsMpEng.exe [2404:888]  00007ffab2e5a2a0
Thread  C:\WINDOWS\system32\csrss.exe [14148:8684]  ffff821bfc8c6c20

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD046F0_00_07DE_92^64436E4E88F8976B47D503DD8EF385B5@Timestamp  0x9F 0xF7 0x90 0x9A ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  1547195615
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\94659cc0b3b2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  8501
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  2077
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0x07 0xD2 0x29 0x73 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0x07 0x3A 0xEE 0xD4 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0x07 0x6A 0x65 0x11 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\10@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\10@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\11@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\11@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\3@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\3@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\4@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\4@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\5@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\5@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\6@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\6@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\7@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\7@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\8@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\8@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\9@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\9@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\Pnp\CurrentControlSet\Control\DeviceMigration\Devices\SWD\MMDEVAPI\{0.0.0.00000000}.{1347E402-10BB-47EE-BF65-8CCA4127BC56}\Interfaces\{e6327cad-dcec-4949-ae8a-991e976a79d2}\Properties\{a2a3fff4-353f-407c-9d86-1f9dc7d5a606}\0002@  0x64 0x62 0x02 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\iexplore@Count  581
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@Chrome  0xF0 0x68 0x12 0xE9 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe  0xC1 0x2E 0x7A 0xD6 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{4A2FDAAD-9A10-4A6A-BB82-A3F3A3B7F9B3}\RecentItems\{4D3D3EBE-F5BB-4925-90D7-E00C866399F3}
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{4A2FDAAD-9A10-4A6A-BB82-A3F3A3B7F9B3}\RecentItems\{4D3D3EBE-F5BB-4925-90D7-E00C866399F3}@Type  0
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{4A2FDAAD-9A10-4A6A-BB82-A3F3A3B7F9B3}\RecentItems\{4D3D3EBE-F5BB-4925-90D7-E00C866399F3}@Path  C:\Users\MSI\Desktop\dla picasso\FRST.txt
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{4A2FDAAD-9A10-4A6A-BB82-A3F3A3B7F9B3}\RecentItems\{4D3D3EBE-F5BB-4925-90D7-E00C866399F3}@DisplayName  FRST.txt
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{4A2FDAAD-9A10-4A6A-BB82-A3F3A3B7F9B3}\RecentItems\{4D3D3EBE-F5BB-4925-90D7-E00C866399F3}@LastAccessedTime  0x00 0x00 0x00 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{4A2FDAAD-9A10-4A6A-BB82-A3F3A3B7F9B3}\RecentItems\{4D3D3EBE-F5BB-4925-90D7-E00C866399F3}@Points  0x00 0x00 0x00 0x00
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{4A2FDAAD-9A10-4A6A-BB82-A3F3A3B7F9B3}\RecentItems\{BEA40EB6-4063-4BDF-BF21-B491BBDF9B80}
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{4A2FDAAD-9A10-4A6A-BB82-A3F3A3B7F9B3}\RecentItems\{BEA40EB6-4063-4BDF-BF21-B491BBDF9B80}@Type  0
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{4A2FDAAD-9A10-4A6A-BB82-A3F3A3B7F9B3}\RecentItems\{BEA40EB6-4063-4BDF-BF21-B491BBDF9B80}@Path  E:\game.inf
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{4A2FDAAD-9A10-4A6A-BB82-A3F3A3B7F9B3}\RecentItems\{BEA40EB6-4063-4BDF-BF21-B491BBDF9B80}@DisplayName  game.inf
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{4A2FDAAD-9A10-4A6A-BB82-A3F3A3B7F9B3}\RecentItems\{BEA40EB6-4063-4BDF-BF21-B491BBDF9B80}@LastAccessedTime  0x00 0x00 0x00 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{4A2FDAAD-9A10-4A6A-BB82-A3F3A3B7F9B3}\RecentItems\{BEA40EB6-4063-4BDF-BF21-B491BBDF9B80}@Points  0x00 0x00 0x00 0x00
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{92A7582E-5889-4EDC-994A-5A78997A0180}@LastAccessedTime  0xC0 0xD8 0xBF 0xE9 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{92A7582E-5889-4EDC-994A-5A78997A0180}@LaunchCount  4
Reg  HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Stronghold.exe_7c6d267edd25a7cfde4d143f58bcfde79260332_ac2528fb_23ff729e
Reg  HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles@CheckingForSolutionDialog  0xA6 0x14 0x33 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles@CloseDialog  0xA6 0x14 0x33 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers@D:\Gry\Stronghold HD\Stronghold.exe  ~ DWM8And16BitMitigation RUNASADMIN WINXPSP3

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----