GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-05-05 21:54:08 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002b HGST_HTS545050A7E680 rev.GG2OAE30 465,76GB Running: em1smbde.exe; Driver: C:\Users\Veronica\AppData\Local\Temp\axldypod.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\SYSTEM32\dbgcore.DLL [5032] entry point in ".rdata" section 0000000071efc940 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [5032] entry point in ".rdata" section 0000000073138fc0 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [5032] entry point in ".rdata" section 000000006ebca020 ? C:\WINDOWS\SYSTEM32\iertutil.dll [5032] entry point in ".rdata" section 000000006dcf3150 ? C:\WINDOWS\system32\apphelp.dll [1240] entry point in ".rdata" section 000000006e19f7c0 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [716:4252] ffff8d43dd366c20 Thread C:\WINDOWS\system32\svchost.exe [1832:1516] 00007ff943995be0 Thread C:\WINDOWS\system32\svchost.exe [1832:1776] 00007ff943999b30 Thread C:\WINDOWS\System32\spoolsv.exe [604:3508] 00007ff943205bc0 Thread C:\WINDOWS\System32\spoolsv.exe [604:3216] 00007ff9431e2740 Thread C:\WINDOWS\System32\spoolsv.exe [604:3528] 00007ff93c421180 Thread C:\WINDOWS\System32\spoolsv.exe [604:3492] 00007ff93c468e40 Thread C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [4696:4548] 00007ff939fa7944 Thread C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [4696:896] 00007ff939e6beb4 Thread C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [4696:5188] 00007ff939e6beb4 Thread C:\WINDOWS\Explorer.EXE [4772:5792] 00007ff92b2f20e0 Thread C:\WINDOWS\Explorer.EXE [4772:5700] 00007ff92b2620e0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\CMO15AB0_1F_07DA_BF^017C498103FABAD2BA86EB7087172B29@Timestamp 0x7F 0xEF 0xB5 0x8E ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -923964344 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 2096 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime 7371728 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp 7367758 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp 7368738 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState 7369925 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberHiberFileTime 7087 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberInitTime 1985 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberSharedBufferTime 3 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalHibernateTime 19641 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesProcessed 508518 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesWritten 0xE1 0xB0 0x02 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesProcessed 23010 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesWritten 0x86 0x22 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberChecksumTime 133 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberChecksumIoTime 28 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberIoCpuTime 257 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp 0xDF 0x53 0x9E 0x01 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\3c77e6dacb3a Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\3c77e6dacb3a@7c0bc626b108 0x0C 0x50 0x94 0x15 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{A199FA56-70AE-4299-8879-B4EAA7C7BFDD}@DefunctTimestamp 0x4B 0xB5 0x0C 0x59 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 5122 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 956 Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 342 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{624dca5e-6083-4b5c-bc6b-a8c084f74113}@LeaseObtainedTime 1494005121 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{624dca5e-6083-4b5c-bc6b-a8c084f74113}@T1 1494048321 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{624dca5e-6083-4b5c-bc6b-a8c084f74113}@T2 1494080721 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{624dca5e-6083-4b5c-bc6b-a8c084f74113}@LeaseTerminatesTime 1494091521 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x08 0x95 0x11 0x33 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x08 0xFD 0xD5 0x94 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x08 0x2D 0x4D 0xD1 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask 0x64 0x62 0x03 0x00 ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----