GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-07-06 20:26:16
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000030 HGST_HTS541010A9E680 rev.JA0OA710 931,51GB
Running: 4q3g31k6.exe; Driver: C:\Users\dawid\AppData\Local\Temp\pgldapod.sys

---- Kernel code sections - GMER 2.2 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable  fffff96000092b00 15 bytes [80, 23, EF, 01, 00, 0D, 6A, ...]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 16  fffff96000092b10 11 bytes [00, E1, FB, FF, C0, 1A, E6, ...]

---- Threads - GMER 2.2 ----

Thread  C:\Windows\system32\csrss.exe [712:744]  fffff9600085c2d0

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime  0x11 0x79 0x0B 0xD1 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime  0x2B 0x88 0x94 0x14 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime  0x06 0x3E 0x10 0xD1 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime  0x15 0xC1 0xE0 0x61 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@en-GB  73
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SDC49510_00_07DD_03^E35D82D678BFA48C75E6F4AEA4FD469D@Timestamp  0xD3 0xE0 0xFC 0x0A ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  800
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager\Defrag@LastRun  06:18:2016
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager\Defrag@TotalBytesSaved  0x00 0xC0 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  -173214913
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime  3581
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime  479881878
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp  479880822
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp  479880822
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState  479881492
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime  513
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp  0x3F 0x54 0x5A 0x48 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID  10473e6b-9f3a-4007-8cd1-1bd1256
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId  3
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName  \BaseNamedObjects\WDI_{89deaedd-6d6f-4cc5-8f59-bedba247b26f}
Reg  HKLM\SYSTEM\CurrentControlSet\Services\AmdPPM\Parameters\Wdf@TimeOfLastSqmLog  0xB8 0x2A 0x3D 0xCF ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BthLEEnum\Parameters\Wdf@TimeOfLastSqmLog  0x8F 0x19 0x8A 0xD2 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\c48e8f186a58
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\c48e8f186a58@3c970e9d14cc  0xD7 0xCF 0xAC 0x99 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\cdrom\Parameters\Wdf@TimeOfLastSqmLog  0x5C 0x54 0x0E 0xCF ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters\Wdf@TimeOfLastSqmLog  0x04 0xBD 0xDF 0xCE ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{fd52c449-0862-4f10-a3c3-b8850aed4bad}@LastProbeTime  1467824198
Reg  HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters\Wdf@TimeOfLastSqmLog  0x2D 0xF0 0x41 0xCF ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\mfencbdc@DefaultTTL  31327648
Reg  HKLM\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf@TimeOfLastSqmLog  0x33 0x9F 0x52 0xCF ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PEAUTH\Parameters\Wdf@TimeOfLastSqmLog  0xEA 0xBA 0x72 0xDC ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\RtkBtFilter\Parameters\Wdf@TimeOfLastSqmLog  0x9E 0xC8 0xFA 0xD0 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  30235
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  9319
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SmbDrv\Parameters\Wdf@TimeOfLastSqmLog  0x00 0x03 0x36 0xCF ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence  79
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS  2126
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters\Wdf@TimeOfLastSqmLog  0x67 0x2F 0x28 0xCF ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A3F66009-3120-4E07-B11B-4D0CED1329F1}@LeaseObtainedTime  1467823159
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A3F66009-3120-4E07-B11B-4D0CED1329F1}@T1  1467866359
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A3F66009-3120-4E07-B11B-4D0CED1329F1}@T2  1467898759
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A3F66009-3120-4E07-B11B-4D0CED1329F1}@LeaseTerminatesTime  1467909559
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A3F66009-3120-4E07-B11B-4D0CED1329F1}@DhcpConnForceBroadcastFlag  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\umbus\Parameters\Wdf@TimeOfLastSqmLog  0x04 0xBD 0xDF 0xCE ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters\Wdf@TimeOfLastSqmLog  0x54 0xF6 0xAB 0xCF ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters\Wdf@TimeOfLastSqmLog  0xEA 0xEE 0x0B 0xCF ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\vwifibus\Parameters\Wdf@TimeOfLastSqmLog  0xF6 0xCD 0xC5 0xCF ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsBandwidthBucketCounter  54572
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsBandwidthBucketDrainTime  0xBE 0x2F 0x02 0xF5 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter  566
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime  0xDF 0x95 0x1C 0x88 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime  0xDF 0x95 0x1C 0x88 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime  0xDF 0x95 0x1C 0x88 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter  514
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime  0xDF 0x95 0x1C 0x88 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest  0xA5 0xB9 0x13 0xFE ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations  375
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\remotesyncdummyid@PendingOperations  8192
Reg  HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppHang_AD2F1837.HPConne_835dd2693b5ae30dbf8fb649d8f85565a6166b_67473d38_cab_65c0d271

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----