GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-06-27 10:21:07 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002f Samsung_SSD_850_EVO_250GB rev.EMT02B6Q 232,89GB Running: nqszd60x.exe; Driver: C:\Users\Karol\AppData\Local\Temp\pgldrpow.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000069b00 15 bytes {ADD AH, CL; JMP 0x5} .text C:\Windows\System32\win32k.sys!W32pServiceTable + 16 fffff96000069b10 11 bytes [00, DE, FB, FF, 40, D6, BF, ...] ---- User code sections - GMER 2.2 ---- .text C:\Program Files\Bitdefender\Bitdefender Device Management\DevMgmtService.exe[9060] C:\Windows\system32\KERNEL32.DLL!UnhandledExceptionFilter + 1 00007ffa89550cf1 11 bytes [B8, 30, 08, 0F, 73, 2B, 00, ...] .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffa89473ca0 7 bytes JMP 00007ffa4b4d2ba8 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\KERNEL32.DLL!CreateProcessA 00007ffa89474ab0 7 bytes JMP 00007ffa4b4d2998 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\KERNEL32.DLL!CreateProcessW 00007ffa89477b30 7 bytes JMP 00007ffa4b4d28e8 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\KERNEL32.DLL!CreateActCtxA 00007ffa895289b0 7 bytes JMP 00007ffa4b4d1868 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\KERNEL32.DLL!WinExec 00007ffa8954f840 5 bytes JMP 00007ffa4b4d2a48 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameW 00007ffa886f2750 7 bytes JMP 00007ffa4b4d1b28 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameA 00007ffa886f2820 5 bytes JMP 00007ffa4b4d1a78 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\KERNELBASE.dll!GetCurrentDirectoryA 00007ffa88708f70 5 bytes JMP 00007ffa4b4d1bd8 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\KERNELBASE.dll!GetCurrentDirectoryW 00007ffa88709840 6 bytes JMP 00007ffa4b4d1c88 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\KERNELBASE.dll!CreateActCtxW 00007ffa887183b0 6 bytes JMP 00007ffa4b4d1918 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserW 00007ffa88ad2eb0 7 bytes JMP 00007ffa4b4d2af8 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffa88ada240 7 bytes JMP 00007ffa4b4d2c58 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\OLEAUT32.dll!SysFreeString 00007ffa8ade1120 9 bytes JMP 00007ffa4b0302f8 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\OLEAUT32.dll!VariantClear 00007ffa8ade14c0 3 bytes JMP 00007ffa4b0303b8 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\OLEAUT32.dll!VariantClear + 4 00007ffa8ade14c4 1 byte [C0] .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\OLEAUT32.dll!SysAllocStringByteLen 00007ffa8ade1c70 3 bytes JMP 00007ffa4b030298 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\OLEAUT32.dll!SysAllocStringByteLen + 4 00007ffa8ade1c74 1 byte [C0] .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\OLEAUT32.dll!VariantChangeType 00007ffa8ade52e0 10 bytes JMP 00007ffa4b030358 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\OLEAUT32.dll!GetActiveObject 00007ffa8adf2e20 5 bytes JMP 00007ffa4b4d2838 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\OLEAUT32.dll!RegisterActiveObject 00007ffa8ae4e110 5 bytes JMP 00007ffa4b4d26d8 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\OLEAUT32.dll!RevokeActiveObject 00007ffa8ae4e170 5 bytes JMP 00007ffa4b4d2788 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\USER32.dll!BeginPaint 00007ffa8b031070 8 bytes JMP 00007ffa4b030178 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\USER32.dll!ValidateRect 00007ffa8b031360 8 bytes JMP 00007ffa4b0301d8 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\system32\SHELL32.dll!SHParseDisplayName 00007ffa896862d0 5 bytes JMP 00007ffa4b030418 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\SYSTEM32\combase.dll!CoCreateInstance 00007ffa8b26a280 7 bytes JMP 00007ffa4b4d1f48 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\SYSTEM32\combase.dll!CoGetClassObject 00007ffa8b273e30 7 bytes JMP 00007ffa4b4d2158 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\SYSTEM32\combase.dll!CoCreateInstanceEx 00007ffa8b2740b0 7 bytes JMP 00007ffa4b4d1e98 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\SYSTEM32\combase.dll!CoUninitialize 00007ffa8b275ad0 7 bytes JMP 00007ffa4b4d1de8 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\SYSTEM32\combase.dll!CoInitializeEx 00007ffa8b276090 5 bytes JMP 00007ffa4b4d1d38 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\SYSTEM32\combase.dll!CoResumeClassObjects 00007ffa8b2b24b0 3 bytes JMP 00007ffa4b4d22b8 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\SYSTEM32\combase.dll!CoResumeClassObjects + 4 00007ffa8b2b24b4 3 bytes [C0, CC, CC] .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\SYSTEM32\combase.dll!CoRegisterClassObject 00007ffa8b2bb870 5 bytes JMP 00007ffa4b4d1ff8 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\SYSTEM32\combase.dll!CoRevokeClassObject 00007ffa8b2c6830 5 bytes JMP 00007ffa4b4d20a8 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\SYSTEM32\combase.dll!CoSuspendClassObjects 00007ffa8b336a40 6 bytes JMP 00007ffa4b4d2368 .text C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE[4680] C:\Windows\SYSTEM32\combase.dll!CoGetInstanceFromFile 00007ffa8b39ac70 7 bytes JMP 00007ffa4b4d2208 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\KERNEL32.DLL!CreateProcessAsUserW 00007ffa89473ca0 7 bytes JMP 00007ffa4b4d2ba8 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\KERNEL32.DLL!CreateProcessA 00007ffa89474ab0 7 bytes JMP 00007ffa4b4d2998 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\KERNEL32.DLL!CreateProcessW 00007ffa89477b30 7 bytes JMP 00007ffa4b4d28e8 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\KERNEL32.DLL!CreateActCtxA 00007ffa895289b0 7 bytes JMP 00007ffa4b4d1868 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\KERNEL32.DLL!WinExec 00007ffa8954f840 5 bytes JMP 00007ffa4b4d2a48 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameW 00007ffa886f2750 7 bytes JMP 00007ffa4b4d1b28 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameA 00007ffa886f2820 5 bytes JMP 00007ffa4b4d1a78 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\KERNELBASE.dll!GetCurrentDirectoryA 00007ffa88708f70 5 bytes JMP 00007ffa4b4d1bd8 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\KERNELBASE.dll!GetCurrentDirectoryW 00007ffa88709840 6 bytes JMP 00007ffa4b4d1c88 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\KERNELBASE.dll!CreateActCtxW 00007ffa887183b0 6 bytes JMP 00007ffa4b4d1918 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserW 00007ffa88ad2eb0 7 bytes JMP 00007ffa4b4d2af8 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 00007ffa88ada240 7 bytes JMP 00007ffa4b4d2c58 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\USER32.dll!BeginPaint 00007ffa8b031070 8 bytes JMP 00007ffa4b030178 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\USER32.dll!ValidateRect 00007ffa8b031360 8 bytes JMP 00007ffa4b0301d8 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\SHELL32.dll!SHParseDisplayName 00007ffa896862d0 5 bytes JMP 00007ffa4b030418 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\SYSTEM32\combase.dll!CoCreateInstance 00007ffa8b26a280 7 bytes JMP 00007ffa4b4d1f48 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\SYSTEM32\combase.dll!CoGetClassObject 00007ffa8b273e30 7 bytes JMP 00007ffa4b4d2158 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\SYSTEM32\combase.dll!CoCreateInstanceEx 00007ffa8b2740b0 7 bytes JMP 00007ffa4b4d1e98 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\SYSTEM32\combase.dll!CoUninitialize 00007ffa8b275ad0 7 bytes JMP 00007ffa4b4d1de8 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\SYSTEM32\combase.dll!CoInitializeEx 00007ffa8b276090 5 bytes JMP 00007ffa4b4d1d38 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\SYSTEM32\combase.dll!CoResumeClassObjects 00007ffa8b2b24b0 3 bytes JMP 00007ffa4b4d22b8 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\SYSTEM32\combase.dll!CoResumeClassObjects + 4 00007ffa8b2b24b4 3 bytes [C0, CC, CC] .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\SYSTEM32\combase.dll!CoRegisterClassObject 00007ffa8b2bb870 5 bytes JMP 00007ffa4b4d1ff8 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\SYSTEM32\combase.dll!CoRevokeClassObject 00007ffa8b2c6830 5 bytes JMP 00007ffa4b4d20a8 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\SYSTEM32\combase.dll!CoSuspendClassObjects 00007ffa8b336a40 6 bytes JMP 00007ffa4b4d2368 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\SYSTEM32\combase.dll!CoGetInstanceFromFile 00007ffa8b39ac70 7 bytes JMP 00007ffa4b4d2208 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\OLEAUT32.dll!SysFreeString 00007ffa8ade1120 9 bytes JMP 00007ffa4b0302f8 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\OLEAUT32.dll!VariantClear 00007ffa8ade14c0 3 bytes JMP 00007ffa4b0303b8 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\OLEAUT32.dll!VariantClear + 4 00007ffa8ade14c4 1 byte [C0] .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\OLEAUT32.dll!SysAllocStringByteLen 00007ffa8ade1c70 3 bytes JMP 00007ffa4b030298 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\OLEAUT32.dll!SysAllocStringByteLen + 4 00007ffa8ade1c74 1 byte [C0] .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\OLEAUT32.dll!VariantChangeType 00007ffa8ade52e0 10 bytes JMP 00007ffa4b030358 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\OLEAUT32.dll!GetActiveObject 00007ffa8adf2e20 5 bytes JMP 00007ffa4b4d2838 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\OLEAUT32.dll!RegisterActiveObject 00007ffa8ae4e110 5 bytes JMP 00007ffa4b4d26d8 .text C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe[2396] C:\Windows\system32\OLEAUT32.dll!RevokeActiveObject 00007ffa8ae4e170 5 bytes JMP 00007ffa4b4d2788 ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\csrss.exe [508:4184] fffff960008372d0 ---- Processes - GMER 2.2 ---- Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso30win32client.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [4680] 00007ffa4ecc0000 Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso40uiwin32client.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [4680] 00007ffa4e1f0000 Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso50win32client.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [4680] 00007ffa4e160000 Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso98win32client.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [4680] 00007ffa4d9a0000 Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso99Lwin32client.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [4680] 00007ffa4d220000 Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [4680] 00007ffa4bb90000 Library C:\Program Files\Common Files\Microsoft Shared\OFFICE16\ACEOLEDB.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [4680] 00007ffa4ff10000 Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [2396] 00007ffa4f3a0000 Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso30win32client.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [2396] 00007ffa4ecc0000 Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso40uiwin32client.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [2396] 00007ffa4e1f0000 Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso50win32client.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [2396] 00007ffa4e160000 Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso98win32client.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [2396] 00007ffa4d9a0000 Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso99Lwin32client.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [2396] 00007ffa4d220000 Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [2396] 00007ffa4bb90000 Library C:\Program Files\Common Files\Microsoft Shared\Office16\riched20.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [2396] 00007ffa44ff0000 Library C:\Program Files\Common Files\Microsoft Shared\Office16\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [2396] 00007ffa44e70000 Library C:\Program Files\Common Files\Microsoft Shared\OFFICE16\Csi.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [2396] 00007ffa45c00000 Library C:\Program Files\Common Files\Microsoft Shared\OFFICE16\ACEOLEDB.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [2396] 00007ffa4ff10000 Library C:\Program Files\Common Files\Microsoft Shared\Office16\ACECORE.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [2396] 00007ffa457d0000 Library C:\Program Files\Common Files\Microsoft Shared\Office16\1045\ACEWSTR.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [2396] 00007ffa45b20000 Library C:\Program Files\Common Files\Microsoft Shared\Office16\ACEES.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [2396] 00007ffa456f0000 Library C:\Program Files\Common Files\Microsoft Shared\Office16\VBAJET32.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [2396] 00007ffa4ff00000 Library C:\Program Files\Common Files\Microsoft Shared\Office16\expsrv.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe [2396] 00007ffa45670000 ---- Services - GMER 2.2 ---- Service C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{076A6D04-837D-46B9-B72D-BFABB7CA4C54}\MpKslb43cbbd1.sys (*** hidden *** ) [SYSTEM] MpKslb43cbbd1 <-- ROOTKIT !!! ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x26 0x11 0x96 0x37 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xF2 0xB6 0x6B 0x3C ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 175 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\AUO112D0_00_07DD_12^E2F36742808CB64A4F5CE59882491290@Timestamp 0xCD 0xA5 0x3B 0x41 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 704 Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{23E28470-E358-4F3C-A993-32504F9428E9}\Connection@Name isatap.ds2.umed.pl Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Program Files\Bitdefender\Bitdefender Device Management\installer\additional.dll??\??\C:\Program Files\Bitdefender\Bitdefender Device Management\installer\htmlayout.dll??\??\C:\Program Files\Bitdefender\Bitdefender Device Management\installer\installer.exe??\??\C:\Program Files\Bitdefender\Bitdefender Device Management\installer\lang\pl-PL.dll??\??\C:\Program Files\Bitdefender\Bitdefender Device Management\installer\lang??\??\C:\Program Files\Bitdefender\Bitdefender Device Management\installer\unrar64.dll??\??\C:\Program Files\Bitdefender\Bitdefender Device Management\installer??\??\C:\Program Files\Bitdefender\Bitdefender Device Management\??\??\C:\Program Files\Bitdefender\Bitdefender 2017\active virus control\Avc3_00129_002\avcuf32.dll??\??\C:\Program Files\Bitdefender\Bitdefender 2017\active virus control\Avc3_00129_002\avcuf64.dll??\??\C:\Program Files\Bitdefender\Bitdefender 2017\active virus control\Avc3_00129_002??\??\C:\Program Files\Bitdefender\Bitdefender 2017\active virus control??\??\C:\P Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 3900157 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 583092428 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 181 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 508005887 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 4511 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 28ecbeb6-a22b-404a-a460-d4d926e Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\acpiex\Parameters\Wdf@TimeOfLastSqmLog 0x80 0x94 0xB2 0x56 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\acpipagr\Parameters\Wdf@TimeOfLastSqmLog 0x51 0x44 0x31 0x5C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\ASP.NET_4.0.30319\Names@aA9NY3yzdXgFblGezTr8rDqjIpi1IPN3TxVV8UEjst3qYRZ3KRMzVQruzuy8O2yFEb5rXMwJONrvaCvlZzAhJgAX2xMlY09pZf98uxToh2tMRI73D0HMd0 3372 Reg HKLM\SYSTEM\CurrentControlSet\Services\ASP.NET_4.0.30319\Names@rYyFm0wGVJkBVZN3ImBpSBZ3aVVfoWiLfMybhD2jRLkOQ3cXomGG7C1qccrDdY1lGeHSGhUnPCi3bPjb6nKDpawxnPSXb5EpXRC8YBR2OovUoTg4v7KPLS 2524 Reg HKLM\SYSTEM\CurrentControlSet\Services\ASP.NET_4.0.30319\Names@a2XxEbFm2ItnYBowLO4n4yGIYnDCLYWxTNhF8YxIzkPfpR7Jc0WipsHX8bLoxh1krUHlQo820cGxfsiz3nYPXShEWQn9sISNcdXNe2AAGetzCTIXkL0cn1 7740 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\6057181a85e1 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\605718daa1eb Reg HKLM\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters\Wdf@TimeOfLastSqmLog 0x4D 0xE3 0x0F 0x5C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{17cc9474-e993-4051-be8c-4395f5698a51}@LastProbeTime 1498512450 Reg HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters\Wdf@TimeOfLastSqmLog 0x31 0xF6 0x22 0x5C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\hidi2c\Parameters\Wdf@TimeOfLastSqmLog 0x5C 0xCF 0xE0 0x5D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iaLPSS_I2C\Parameters\Wdf@TimeOfLastSqmLog 0x51 0x44 0x31 0x5C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\intelppm\Parameters\Wdf@TimeOfLastSqmLog 0x51 0x44 0x31 0x5C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{23E28470-E358-4F3C-A993-32504F9428E9}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{23E28470-E358-4F3C-A993-32504F9428E9}@DefunctTimestamp 0x52 0xF8 0x51 0x59 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iwdbus\Parameters\Wdf@TimeOfLastSqmLog 0x6F 0x0C 0x36 0x5C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MEIx64\Parameters\Wdf@TimeOfLastSqmLog 0xCD 0x70 0x19 0x5C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\monitor\Parameters\Wdf@TimeOfLastSqmLog 0xDA 0x86 0x0F 0x5F ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MpKslb43cbbd1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MpKslb43cbbd1@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MpKslb43cbbd1@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MpKslb43cbbd1@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\MpKslb43cbbd1@ImagePath \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{076A6D04-837D-46B9-B72D-BFABB7CA4C54}\MpKslb43cbbd1.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\MpKslb43cbbd1@DeviceName MpKslb43cbbd1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MpKslb43cbbd1@AllowedProcessName \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe Reg HKLM\SYSTEM\CurrentControlSet\Services\MpKslb43cbbd1 Reg HKLM\SYSTEM\CurrentControlSet\Services\msisadrv\Parameters\Wdf@TimeOfLastSqmLog 0x7E 0xCE 0xCC 0x56 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MTConfig\Parameters\Wdf@TimeOfLastSqmLog 0x0E 0x3A 0x34 0x5E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf@TimeOfLastSqmLog 0xB1 0xA6 0x33 0x5C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\PEAUTH\Parameters\Wdf@TimeOfLastSqmLog 0xFE 0x09 0x34 0x62 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 60257 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 29505 Reg HKLM\SYSTEM\CurrentControlSet\Services\SpbCx\Parameters\Wdf@TimeOfLastSqmLog 0x9B 0x83 0xCF 0x5B ... Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 178 Reg HKLM\SYSTEM\CurrentControlSet\Services\SynRMIHID\Parameters\Wdf@TimeOfLastSqmLog 0x9C 0x4D 0x34 0x5E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9C37EC6F-D0C2-4BFF-88EF-FB293C0CD8FB}@LeaseObtainedTime 1498544209 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9C37EC6F-D0C2-4BFF-88EF-FB293C0CD8FB}@T1 1498558609 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9C37EC6F-D0C2-4BFF-88EF-FB293C0CD8FB}@T2 1498569409 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9C37EC6F-D0C2-4BFF-88EF-FB293C0CD8FB}@LeaseTerminatesTime 1498573009 Reg HKLM\SYSTEM\CurrentControlSet\Services\UCX01000\Parameters\Wdf@TimeOfLastSqmLog 0x1B 0xD3 0xBE 0x5B ... Reg HKLM\SYSTEM\CurrentControlSet\Services\umbus\Parameters\Wdf@TimeOfLastSqmLog 0x4D 0xE3 0x0F 0x5C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters\Wdf@TimeOfLastSqmLog 0xF1 0xEA 0xF1 0x5D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters\Wdf@TimeOfLastSqmLog 0xEA 0xCF 0x1B 0x5C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrvroot\Parameters\Wdf@TimeOfLastSqmLog 0x3A 0xBA 0xD8 0x56 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\vwifibus\Parameters\Wdf@TimeOfLastSqmLog 0x61 0xE8 0xD4 0x5D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpdUpFltr\Parameters\Wdf@TimeOfLastSqmLog 0x0B 0x68 0x2A 0x68 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3785D0AD-BFFF-47F6-BF5B-A587C162FED9}\iexplore@Count 3442 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsBandwidthBucketCounter 34273 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0xED 0x37 0xE9 0x6D ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0xED 0x37 0xE9 0x6D ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0xED 0x37 0xE9 0x6D ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter 48808 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0xED 0x37 0xE9 0x6D ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@RoamingSyncToken LM%3d63634141013470%3bID%3d6090EDF127925BE8!9141%3bLR%3d63634142499210%3bEP%3d16%3bSI%3d0%3bTD%3dTrue%3bSO%3d0%3bPI%3d49 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime 0xCB 0xB1 0x5C 0xF8 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0x4D 0xB2 0x03 0xD5 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations 15 Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_vsserv.exe_6cf83a319d7d47c2697f84ab825322295e9961ce_3a3ace12_04b049b0 Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles@CheckingForSolutionDialog 0x10 0x03 0x04 0x00 ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----