GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-07-15 22:40:33
Windows 6.2.9200 x64
\Device\Harddisk0\DR0 -> \Device\00000030 LITEONIT_LCS-128M6S rev.DC77101 119,24GB
Running: dvuodepe.exe; Driver: C:\Users\Mateusz\AppData\Local\Temp\pwddifow.sys

---- Kernel code sections - GMER 2.2 ----

.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960001e9b00 15 bytes [80, 23, EF, 01, 00, 0D, 6A, ...]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 16 fffff960001e9b10 11 bytes [00, E1, FB, FF, C0, 1A, E6, ...]

---- User code sections - GMER 2.2 ----

.text C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE[8316] C:\Windows\system32\KERNEL32.DLL!SetUnhandledExceptionFilter + 1 00007ffe3b5147d1 11 bytes {MOV RAX, 0x7ffe150f52bc; JMP RAX}

---- Threads - GMER 2.2 ----

Thread C:\Windows\system32\csrss.exe [672:10952] fffff960009432d0

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 329002023
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\acb57dd16f39
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore@Count 184
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\GWX\Usage@UsageTime 0xAC 0xE1 0x47 0x39 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Store@LastTileRefresh 0x1D 0x6C 0x45 0xC5 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Store\RefreshBannedAppList@BannedAppsLastModified 0x80 0x9D 0x04 0xCE ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@0 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenSSL\Official OpenSSL Documentation.lnk?C:\Program Files (x86)\Internet Explorer\iexplore.exe?http://www.openssl.org/docs/?
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@1 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenSSL\Official OpenSSL Website.lnk?C:\Program Files (x86)\Internet Explorer\iexplore.exe?http://www.openssl.org/?
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@3 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenSSL\Win32 OpenSSL Website.lnk?C:\Program Files (x86)\Internet Explorer\iexplore.exe?http://www.slproweb.com/products/Win32OpenSSL.html?
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@4 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenSSL\Official OpenSSL Documentation.lnk?C:\Program Files (x86)\Internet Explorer\iexplore.exe?http://www.openssl.org/docs/?
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@5 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenSSL\Official OpenSSL Website.lnk?C:\Program Files (x86)\Internet Explorer\iexplore.exe?http://www.openssl.org/?
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@6 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenSSL\Uninstall OpenSSL.lnk?C:\OpenSSL\unins000.exe??
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@7 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenSSL\Win32 OpenSSL Website.lnk?C:\Program Files (x86)\Internet Explorer\iexplore.exe?http://www.slproweb.com/products/Win32OpenSSL.html?
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@8 C:\Users\Mateusz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Total Commander\Total Commander.lnk?C:\totalcmd\TOTALCMD.EXE??
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@10 C:\Users\Mateusz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spotify.lnk?C:\Users\Mateusz\AppData\Roaming\Spotify\Spotify.exe??
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@11 C:\Users\Mateusz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Blackmagic Design\Disk Speed Test\Blackmagic Disk Speed Test.lnk?C:\Program Files (x86)\Blackmagic Design\Disk Speed Test\DiskSpeedTest.exe??
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@12 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk?C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe??
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows@Device HP LaserJet Pro MFP M125-M126 PCLmS,winspool,Ne02:
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows@UserSelectedDefault 0

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----