GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-03-25 17:03:52 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000032 rev. 0,00MB Running: p96dx33z.exe; Driver: C:\Users\Dominik\AppData\Local\Temp\kweoraob.sys ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [6124:2792] fffff960009a42d0 Thread C:\WINDOWS\Explorer.EXE [3540:3936] 00007ffa34f9e630 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD038E0_00_07DC_C6^8D9240A4830E4E7FD06CD50054428969@Timestamp 0x3E 0xC6 0x31 0x06 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -785502766 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 4040 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime 12877 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeBootMgrTime 279 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppTime 999 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppStartTimestamp 4332 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeLibraryInitTime 175 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeInitTime 338 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeHiberFileTime 452 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeRestoreImageStartTimestamp 4846 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeIoTime 344 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressTime 145 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeKernelSwitchTimestamp 5331 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp 5344 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp 11902 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TimeStampCounterAtSwitchTime 5340 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState 12540 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberHiberFileTime 4973 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberInitTime 1919 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalHibernateTime 37337 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeHiberFileTime 6269 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeInitTime 1599 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeSharedBufferTime 8 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime 596 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelAnimationTime 60 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesProcessed 371618 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesWritten 0x10 0xD5 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesProcessed 20242 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesWritten 0x13 0x22 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeReadRate 100 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressRate 76 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeIoCpuTime 3709 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberIoCpuTime 534 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp 0xFA 0xFE 0xEB 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications\Components\TrustedInstaller@Events CreateSession Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\20689d4b31c2 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{875C8ACC-0851-4FB1-84A1-6B5ACABD6926}@DefunctTimestamp 0xC1 0x1C 0xF5 0x56 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?Pt?, ?mar ?25 ?16, 11:01:00??????,???????,???????????????,???? Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 5757 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 1958 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@DhcpNameServer 10.0.0.1 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{696222A2-0FA8-4829-9809-2271A2891832}@DhcpIPAddress 10.0.0.33 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{696222A2-0FA8-4829-9809-2271A2891832}@DhcpServer 10.0.0.1 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{696222A2-0FA8-4829-9809-2271A2891832}@Lease 259200 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{696222A2-0FA8-4829-9809-2271A2891832}@LeaseObtainedTime 1458914675 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{696222A2-0FA8-4829-9809-2271A2891832}@T1 1459044275 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{696222A2-0FA8-4829-9809-2271A2891832}@T2 1459141475 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{696222A2-0FA8-4829-9809-2271A2891832}@LeaseTerminatesTime 1459173875 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{696222A2-0FA8-4829-9809-2271A2891832}@DhcpNetworkHint D496B627F64596B6 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{696222A2-0FA8-4829-9809-2271A2891832}@DhcpNameServer 10.0.0.1 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{696222A2-0FA8-4829-9809-2271A2891832}@DhcpDefaultGateway 10.0.0.1? Reg HKLM\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters\Interfaces\{696222A2-0FA8-4829-9809-2271A2891832}@DhcpV6NetworkHint D496B627F64596B6 Reg HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code Disk \Device\Harddisk0\DR0 sector 0: rootkit-like behavior ---- EOF - GMER 2.2 ----