GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-03-14 15:47:34
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000039 HGST_HTS541010A9E680 rev.JA0OA710 931,51GB
Running: n6kbzxkt.exe; Driver: C:\Users\PAWE~1\AppData\Local\Temp\uglyypog.sys


---- User code sections - GMER 2.2 ----

.text   C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE[11140] C:\Program Files (x86)\Microsoft Office\root\Office16\chart.dll!?HrCloseDataGridForHostDoc@@YGJPBX@Z + 44   000000005f774e20 4 bytes [E5, 2D, 0E, 45]

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [800:5216]   fffff961f4d54060

---- Processes - GMER 2.2 ----

Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso20win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [11140]   0000000068cb0000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso30win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [11140]   0000000068930000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso40uiwin32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [11140]   000000005ec20000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso99Lwin32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [11140]   000000005e080000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [11140]   000000005d2f0000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\riched20.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [11140]   000000005ea70000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [11140]   0000000059af0000

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed   -2132013520
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\c48e8f16e788
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\c48e8f16e788@083d88e85d2e   0xED 0x55 0x5B 0x6F ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeConfidence   6
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated   0x1F 0x5A 0xE1 0x2A ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh   0x1F 0xC2 0xA5 0x8C ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow   0x1F 0xF2 0x1C 0xC9 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount   0x2D 0x91 0x4D 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@Rw   0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@RwMask   0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@Rw   0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@RwMask   0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\2@Rw   0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\2@RwMask   0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\3@Rw   0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\3@RwMask   0x64 0x62 0x03 0x00 ...

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----
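The log above is easier to triage when its sections are split apart and the entries GMER itself marked are pulled out: the "(*** suspicious ***)" libraries grouped by the process that loaded them, and the MBR verdict. The script below is an added example, not part of the posted log and not GMER's own code; it parses the GMER 2.2 text format as it appears above. The sample input embedded in it is a constructed subset of that log (values copied from it, nothing else invented). The section names, the regular expressions and the `triage` summary shape are this example's own assumptions about the format, not a documented GMER schema; the verdicts remain GMER's, the script only makes them easier to read.

```python
"""Triage a GMER 2.2 rootkit-scan log: split it into sections and pull out the
entries GMER flagged (suspicious libraries per host process, MBR verdict)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the GMER 2.2 log above, in the same layout.
SAMPLE_LOG = r"""GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-03-14 15:47:34
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000039 HGST_HTS541010A9E680 rev.JA0OA710 931,51GB
Running: n6kbzxkt.exe; Driver: C:\Users\PAWE~1\AppData\Local\Temp\uglyypog.sys

---- Processes - GMER 2.2 ----

Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [11140]   000000005d2f0000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\riched20.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [11140]   000000005ea70000

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed   -2132013520

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----
"""

# Assumed line shapes, derived from the log above (not a published GMER grammar).
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER 2\.2 ----$")
HEADER_RE = re.compile(r"^GMER (?P<version>[\d.]+) - (?P<url>\S+)$")
SCAN_RE = re.compile(r"^Rootkit scan (?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$")
LIBRARY_RE = re.compile(
    r"^Library\s+(?P<path>.+?)\s+\(\*\*\* suspicious \*\*\*\)\s+@\s+"
    r"(?P<host>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>[0-9A-Fa-f]{16})\s*$"
)
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+(?P<verdict>.+?)\s*$")


def parse_sections(text):
    """Return {section name: [entry lines]}; lines before the first
    '---- X - GMER 2.2 ----' banner are kept under 'header'."""
    sections = defaultdict(list)
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return dict(sections)


def scan_info(sections):
    """GMER version and scan timestamp from the header block."""
    info = {}
    for line in sections.get("header", []):
        m = HEADER_RE.match(line)
        if m:
            info["version"] = m.group("version")
        m = SCAN_RE.match(line)
        if m:
            info["timestamp"] = m.group("timestamp")
    return info


def suspicious_libraries(sections):
    """Every 'Library ... (*** suspicious ***)' entry in the Processes section."""
    found = []
    for line in sections.get("Processes", []):
        m = LIBRARY_RE.match(line)
        if m:
            found.append({
                "library": m.group("path"),
                "host": m.group("host"),
                "pid": int(m.group("pid")),
                "base": int(m.group("base"), 16),  # load address as an int
            })
    return found


def mbr_verdict(sections):
    """(device, verdict) from the Disk sectors section, or None if absent."""
    for line in sections.get("Disk sectors", []):
        m = DISK_RE.match(line)
        if m:
            return m.group("device"), m.group("verdict")
    return None


def triage(text):
    """Summary an analyst reads first: who loaded what, and the MBR state."""
    sections = parse_sections(text)
    by_host = defaultdict(list)
    for lib in suspicious_libraries(sections):
        by_host[f"{lib['host']} [{lib['pid']}]"].append(lib["library"])
    mbr = mbr_verdict(sections)
    return {
        "scan": scan_info(sections),
        "sections": sorted(sections),
        "suspicious_by_host": {host: sorted(libs) for host, libs in by_host.items()},
        "mbr_unknown": mbr is not None and "unknown" in mbr[1].lower(),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against the full log above and every flagged library collapses under a single key, the OUTLOOK.EXE instance with PID 11140, with the libraries coming from `Common Files\Microsoft Shared\Office16` while the host runs from the `\root\Office16` Click-to-Run install path; that pairing, plus the "unknown MBR code" verdict, is what to examine next rather than the registry section, whose entries here are ordinary W32Time, Bluetooth and network-migration values.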