GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-04-25 21:42:20
Windows 6.2.9200 x64
\Device\Harddisk0\DR0 -> \Device\0000003b GOODRAM_CX100 rev.SAFM11.0 111,79GB
Running: rmq2tm48.exe; Driver: C:\Users\POSITI~1\AppData\Local\Temp\kwwcapog.sys

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [648:8640] ffff9b6304d36c20
Thread C:\WINDOWS\system32\svchost.exe [828:952] 00007ff8886df950
Thread C:\WINDOWS\system32\svchost.exe [828:956] 00007ff8886ded20
Thread C:\WINDOWS\system32\svchost.exe [828:352] 00007ff8884c8ae0
Thread C:\WINDOWS\system32\svchost.exe [416:4256] 00007ff88071dbe0
Thread C:\WINDOWS\system32\svchost.exe [416:6588] 00007ff88071dbe0
Thread C:\WINDOWS\system32\svchost.exe [416:4780] 00007ff88071dbe0
Thread C:\WINDOWS\system32\dwm.exe [560:1508] 00007ff885e2ea60
Thread C:\WINDOWS\system32\svchost.exe [916:9280] 00007ff85ac3b030
Thread C:\WINDOWS\system32\svchost.exe [916:7184] 00007ff874c22a20
Thread C:\WINDOWS\system32\svchost.exe [916:1524] 00007ff874c22610
Thread C:\WINDOWS\system32\svchost.exe [1044:2252] 00007ff87e5e39b0
Thread C:\WINDOWS\system32\svchost.exe [1044:2616] 00007ff87dbc42d0
Thread C:\WINDOWS\system32\svchost.exe [1044:2832] 00007ff87bf01a50
Thread C:\WINDOWS\system32\svchost.exe [1044:1476] 00007ff87dbc42d0
Thread C:\WINDOWS\system32\svchost.exe [1044:7940] 00007ff8817030f0
Thread C:\WINDOWS\system32\svchost.exe [1044:11312] 00007ff83a60fe40
Thread C:\WINDOWS\system32\svchost.exe [1044:4824] 00007ff83a60fe40
Thread C:\WINDOWS\system32\svchost.exe [1044:11564] 00007ff83a60fe40
Thread C:\WINDOWS\system32\svchost.exe [1044:4324] 00007ff83a615ed0
Thread C:\WINDOWS\system32\svchost.exe [1044:11992] 00007ff83a60fe40
Thread C:\WINDOWS\system32\svchost.exe [1044:11988] 00007ff83a615ed0
Thread C:\WINDOWS\system32\svchost.exe [1044:5044] 00007ff8842b2cf0
Thread C:\WINDOWS\system32\svchost.exe [1044:6288] 00007ff8658a1b50
Thread C:\WINDOWS\system32\svchost.exe [1044:3208] 00007ff88071dbe0
Thread C:\WINDOWS\system32\svchost.exe [1044:13160] 00007ff88071dbe0
Thread C:\WINDOWS\system32\svchost.exe [1044:12508] 00007ff88071dbe0
Thread C:\WINDOWS\system32\svchost.exe [1044:12588] 00007ff863886160
Thread C:\WINDOWS\system32\svchost.exe [1044:10696] 00007ff863886160
Thread C:\Windows\System32\WUDFHost.exe [1128:1496] 00007ff884c26f30
Thread C:\WINDOWS\system32\svchost.exe [1280:1412] 00007ff889036750
Thread C:\WINDOWS\system32\svchost.exe [1280:2108] 00007ff889036750
Thread C:\WINDOWS\system32\svchost.exe [1280:2348] 00007ff889036750
Thread C:\WINDOWS\system32\svchost.exe [1280:2700] 00007ff87d6daf40
Thread C:\WINDOWS\system32\svchost.exe [1280:2756] 00007ff87d6dca00
Thread C:\WINDOWS\system32\svchost.exe [1280:2824] 00007ff87e04c5a0
Thread C:\WINDOWS\system32\svchost.exe [1280:2272] 00007ff87e04eab0
Thread C:\WINDOWS\system32\svchost.exe [1280:3120] 00007ff87e04d2d0
Thread C:\WINDOWS\system32\svchost.exe [1280:3124] 00007ff87e04e100
Thread C:\WINDOWS\system32\svchost.exe [1280:3384] 00007ff876051240
Thread C:\WINDOWS\system32\svchost.exe [1280:3388] 00007ff874d9a3b0
Thread C:\WINDOWS\system32\svchost.exe [1280:3396] 00007ff8760225e0
Thread C:\WINDOWS\system32\svchost.exe [1280:4816] 00007ff878783bc0
Thread C:\WINDOWS\system32\svchost.exe [1280:1160] 00007ff878782080
Thread C:\WINDOWS\system32\svchost.exe [1744:1820] 00007ff881682a30
Thread C:\WINDOWS\system32\svchost.exe [1744:3424] 00007ff87682b180
Thread C:\WINDOWS\system32\svchost.exe [1744:3428] 00007ff87682f5f0
Thread C:\WINDOWS\system32\svchost.exe [1744:9732] 00007ff879995bc0
Thread C:\WINDOWS\system32\svchost.exe [1744:7376] 00007ff8799a7d70
Thread C:\WINDOWS\system32\svchost.exe [1744:10736] 00007ff8817030f0
Thread C:\WINDOWS\system32\svchost.exe [1964:3144] 00007ff87dcf5be0
Thread C:\WINDOWS\system32\svchost.exe [1964:3160] 00007ff87dcf9b30
Thread C:\WINDOWS\system32\svchost.exe [1856:2340] 00007ff87dfa44b0
Thread C:\WINDOWS\system32\svchost.exe [1856:2840] 00007ff889036750
Thread C:\WINDOWS\System32\spoolsv.exe [2140:8108] 00007ff879995bc0
Thread C:\WINDOWS\System32\spoolsv.exe [2140:8112] 00007ff87d342740
Thread C:\WINDOWS\System32\spoolsv.exe [2140:8120] 00007ff87d342740
Thread C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2416:3352] 00007ff87767502c
Thread C:\Program Files\Windows Defender\MsMpEng.exe [2632:9472] 00007ff84ff09370
Thread C:\Program Files\Windows Defender\MsMpEng.exe [2632:11052] 00007ff84ff09370
Thread C:\WINDOWS\system32\svchost.exe [2660:752] 00007ff879995bc0
Thread C:\WINDOWS\system32\svchost.exe [2660:10516] 00007ff87d342740
Thread C:\WINDOWS\system32\sihost.exe [1436:6424] 0000019e2492b9b0
Thread C:\WINDOWS\system32\sihost.exe [1436:6432] 0000019e2492b9b0
Thread C:\WINDOWS\system32\sihost.exe [1436:6456] 0000019e2492b9b0
Thread C:\WINDOWS\system32\sihost.exe [1436:6460] 0000019e2492b9b0
Thread C:\WINDOWS\system32\sihost.exe [1436:6464] 0000019e2492b9b0
Thread C:\WINDOWS\system32\sihost.exe [1436:6548] 0000019e2492b9b0
Thread C:\WINDOWS\system32\svchost.exe [4100:6436] 000001df2a0cb9b0
Thread C:\WINDOWS\system32\svchost.exe [4100:6448] 000001df2a0cb9b0
Thread C:\WINDOWS\system32\svchost.exe [4100:6484] 000001df2a0cb9b0
Thread C:\WINDOWS\system32\svchost.exe [4100:6488] 000001df2a0cb9b0
Thread C:\WINDOWS\system32\svchost.exe [4100:6492] 000001df2a0cb9b0
Thread C:\WINDOWS\system32\svchost.exe [4100:6520] 000001df2a0cb9b0
Thread C:\WINDOWS\system32\svchost.exe [4100:6544] 000001df2a0cb9b0
Thread C:\WINDOWS\system32\svchost.exe [4100:6568] 000001df2a0cb9b0
Thread C:\WINDOWS\system32\svchost.exe [4100:7624] 00007ff88071dbe0
Thread C:\WINDOWS\system32\svchost.exe [4100:4048] 00007ff88071dbe0
Thread C:\WINDOWS\system32\taskhostw.exe [4224:4316] 00007ff8755b1ba0
Thread C:\WINDOWS\system32\taskhostw.exe [4224:4376] 00007ff875821160
Thread C:\WINDOWS\system32\taskhostw.exe [4224:4380] 00007ff875821a20
Thread C:\WINDOWS\system32\taskhostw.exe [4224:4388] 00007ff88bb48490
Thread C:\WINDOWS\system32\taskhostw.exe [4224:4428] 00007ff87275a3b0
Thread C:\WINDOWS\system32\taskhostw.exe [4224:4432] 00007ff871dc7930
Thread C:\WINDOWS\system32\taskhostw.exe [4224:4436] 00007ff871dc7930
Thread C:\WINDOWS\system32\taskhostw.exe [4224:4440] 00007ff871dc7930
Thread C:\WINDOWS\system32\taskhostw.exe [4224:4504] 00007ff8881130f0
Thread C:\WINDOWS\system32\taskhostw.exe [4224:5624] 00007ff88071dbe0
Thread C:\WINDOWS\system32\taskhostw.exe [4224:5632] 00007ff88071dbe0
Thread C:\WINDOWS\system32\taskhostw.exe [4224:6444] 0000022ac668b9b0
Thread C:\WINDOWS\system32\taskhostw.exe [4224:6452] 0000022ac668b9b0
Thread C:\WINDOWS\system32\taskhostw.exe [4224:6496] 0000022ac668b9b0
Thread C:\WINDOWS\system32\taskhostw.exe [4224:6500] 0000022ac668b9b0
Thread C:\WINDOWS\system32\taskhostw.exe [4224:6504] 0000022ac668b9b0
Thread C:\WINDOWS\system32\taskhostw.exe [4224:6592] 0000022ac668b9b0
Thread C:\WINDOWS\system32\taskhostw.exe [4224:2160] 0000022ac668b9b0
Thread C:\WINDOWS\system32\taskhostw.exe [4224:6996] 0000022ac668b9b0
Thread C:\WINDOWS\Explorer.EXE [4736:7024] 0000000004bbb9b0
Thread C:\WINDOWS\Explorer.EXE [4736:7028] 0000000004bbb9b0
Thread C:\WINDOWS\Explorer.EXE [4736:7056] 0000000004bbb9b0
Thread C:\WINDOWS\Explorer.EXE [4736:7060] 0000000004bbb9b0
Thread C:\WINDOWS\Explorer.EXE [4736:7064] 0000000004bbb9b0
Thread C:\WINDOWS\Explorer.EXE [4736:7104] 0000000004bbb9b0
Thread C:\WINDOWS\Explorer.EXE [4736:6852] 0000000005a14dfe
Thread C:\WINDOWS\Explorer.EXE [4736:6824] 0000000005a14dfe
Thread C:\WINDOWS\Explorer.EXE [4736:6816] 0000000005a14dfe
Thread C:\WINDOWS\Explorer.EXE [4736:6840] 0000000005a14dfe
Thread C:\WINDOWS\Explorer.EXE [4736:9608] 0000000004bbb9b0
Thread C:\WINDOWS\Explorer.EXE [4736:9316] 0000000004bbb9b0
Thread C:\Windows\System32\SystemSettingsBroker.exe [4204:6604] 00000206b670b9b0
Thread C:\Windows\System32\SystemSettingsBroker.exe [4204:6672] 00000206b670b9b0
Thread C:\Windows\System32\SystemSettingsBroker.exe [4204:6720] 00000206b670b9b0
Thread C:\Windows\System32\SystemSettingsBroker.exe [4204:6716] 00000206b670b9b0
Thread C:\Windows\System32\SystemSettingsBroker.exe [4204:6728] 00000206b670b9b0
Thread C:\Windows\System32\SystemSettingsBroker.exe [4204:1916] 00000206b670b9b0
Thread C:\Windows\System32\SystemSettingsBroker.exe [4204:9984] 00000206b670b9b0
Thread C:\Windows\System32\SystemSettingsBroker.exe [4204:9964] 00000206b670b9b0
Thread C:\WINDOWS\system32\rundll32.exe [6328:6364] 000000000064b9b0
Thread C:\WINDOWS\system32\rundll32.exe [6328:6388] 000000000064b9b0
Thread C:\WINDOWS\system32\rundll32.exe [6328:6392] 000000000064b9b0
Thread C:\WINDOWS\system32\rundll32.exe [6328:6396] 000000000064b9b0
Thread C:\WINDOWS\system32\rundll32.exe [6328:6480] 000000000064b9b0
Thread C:\WINDOWS\system32\rundll32.exe [6328:6512] 000002399c80129d
Thread C:\WINDOWS\system32\rundll32.exe [6328:6528] 000000000064b9b0
Thread C:\WINDOWS\system32\rundll32.exe [6328:6536] 000002399c80129d
Thread C:\WINDOWS\system32\rundll32.exe [6328:6540] 000002399c80129d
Thread C:\WINDOWS\system32\rundll32.exe [6328:6560] 000002399c80129d
Thread C:\WINDOWS\system32\rundll32.exe [6328:4548] 000000000064b9b0
Thread C:\WINDOWS\system32\rundll32.exe [6328:3572] 000002399ca24dfe
Thread C:\WINDOWS\system32\rundll32.exe [6328:3576] 000002399ca24dfe
Thread C:\Program Files\Windows Defender\msascuil.exe [6980:7632] 000001e236aab9b0
Thread C:\Program Files\Windows Defender\msascuil.exe [6980:7636] 000001e236aab9b0
Thread C:\Program Files\Windows Defender\msascuil.exe [6980:7664] 000001e236aab9b0
Thread C:\Program Files\Windows Defender\msascuil.exe [6980:7668] 000001e236aab9b0
Thread C:\Program Files\Windows Defender\msascuil.exe [6980:7672] 000001e236aab9b0
Thread C:\Program Files\Windows Defender\msascuil.exe [6980:7692] 000001e236aab9b0
Thread C:\WINDOWS\system32\SettingSyncHost.exe [7136:7640] 0000028c3f83b9b0
Thread C:\WINDOWS\system32\SettingSyncHost.exe [7136:7644] 0000028c3f83b9b0
Thread C:\WINDOWS\system32\SettingSyncHost.exe [7136:7676] 0000028c3f83b9b0
Thread C:\WINDOWS\system32\SettingSyncHost.exe [7136:7684] 0000028c3f83b9b0
Thread C:\WINDOWS\system32\SettingSyncHost.exe [7136:7688] 0000028c3f83b9b0
Thread C:\WINDOWS\system32\SettingSyncHost.exe [7136:7696] 0000028c3f83b9b0
Thread C:\WINDOWS\system32\SettingSyncHost.exe [7136:8200] 0000028c3f83b9b0
Thread C:\WINDOWS\system32\SettingSyncHost.exe [7136:9232] 0000028c3f83b9b0
Thread C:\WINDOWS\system32\SettingSyncHost.exe [7136:8980] 0000028c3f83b9b0
Thread C:\WINDOWS\system32\ApplicationFrameHost.exe [7144:736] 0000016a9868b9b0
Thread C:\WINDOWS\system32\ApplicationFrameHost.exe [7144:4412] 0000016a9868b9b0
Thread C:\WINDOWS\system32\ApplicationFrameHost.exe [7144:1052] 0000016a9868b9b0
Thread C:\WINDOWS\system32\ApplicationFrameHost.exe [7144:4912] 0000016a9868b9b0
Thread C:\WINDOWS\system32\ApplicationFrameHost.exe [7144:1652] 0000016a9868b9b0
Thread C:\WINDOWS\system32\ApplicationFrameHost.exe [7144:5936] 0000016a9868b9b0
Thread C:\Windows\System32\LockAppHost.exe [8536:7992] 0000029a5eb6b9b0
Thread C:\Windows\System32\LockAppHost.exe [8536:10064] 0000029a5eb6b9b0
Thread C:\Windows\System32\LockAppHost.exe [8536:9364] 0000029a5eb6b9b0
Thread C:\Windows\System32\LockAppHost.exe [8536:9300] 0000029a5eb6b9b0
Thread C:\Windows\System32\LockAppHost.exe [8536:5928] 0000029a5eb6b9b0
Thread C:\Windows\System32\LockAppHost.exe [8536:6076] 0000029a5eb6b9b0

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 480734207
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\6057180b5ec2
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\6057180b5ec2@0009d050025a 0x86 0x27 0xB5 0x2A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x16 0xF0 0xCA 0x8A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x16 0x58 0x8F 0xEC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x16 0x88 0x06 0x29 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\Pnp\CurrentControlSet\Control\DeviceMigration\Devices\SWD\DAFUPNPPROVIDER\UUID:07270E01-0078-1000-9BC9-244B03B5C311\Interfaces\{d0875fb4-2196-4c7a-a63d-e416addd60a1}\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000E@ 0x64 0x62 0x04 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\Pnp\CurrentControlSet\Control\DeviceMigration\Devices\SWD\DAFUPNPPROVIDER\UUID:07270E01-0078-1000-9BC9-244B03B5C311\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000E@ 0x64 0x62 0x04 0x00 ...

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----