GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-07-22 14:37:10 Windows 6.2.9200 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEKT-60V5T1 rev.12.01A12 298,09GB Running: fto0u1l3.exe; Driver: C:\Users\RAFA~1\AppData\Local\Temp\kgpdrkog.sys ---- Kernel code sections - GMER 2.2 ---- .text ntoskrnl.exe!ExfUnblockPushLock + 1547 81B3988D 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 622 81B3E032 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB2600300, 0x3AF78, 0xE8000020] .text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB30A0300, 0x1BCE, 0xE8000020] ---- Devices - GMER 2.2 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x3A 0xDC 0x27 0x15 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x8B 0xCF 0xF6 0x53 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x88 0x3E 0x2A 0x15 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x35 0x32 0xF9 0x53 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 57 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD02AD0_00_07DA_BF^4137DAFE6E11B92C702E7BA8027B99BF@Timestamp 0xEB 0x0B 0x1B 0x16 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 632 Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\238c9fa8-0aad-41ed-83f4-97be242c8f20\29f6c1db-86da-48c5-9fdb-f2b67b1f44da@DCSettingIndex 1200 Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\238c9fa8-0aad-41ed-83f4-97be242c8f20\29f6c1db-86da-48c5-9fdb-f2b67b1f44da@ACSettingIndex 1800 Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\7516b95f-f776-4464-8c53-06167f40cc99\3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e@DCSettingIndex 1200 Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\7516b95f-f776-4464-8c53-06167f40cc99\3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e@ACSettingIndex 600 Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\7516b95f-f776-4464-8c53-06167f40cc99\aded5e82-b909-4619-9949-f5d71dac0bcb@ACSettingIndex 100 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1887347425 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 55eeef08-5236-49db-9b2b-901b1a3 Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{2d1ab0e5-8c8a-4880-991a-52a5e686b1a9} Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName Global\MMF_BITS_s Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_2652b\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_2652b\Security@Security 0x01 0x00 0x14 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_2652b\TriggerInfo Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_2652b\TriggerInfo\0 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_2652b\TriggerInfo\0@Type 7 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_2652b\TriggerInfo\0@Action 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_2652b\TriggerInfo\0@Guid 0x16 0x28 0x7A 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_2652b\TriggerInfo\0@Data0 0x75 0x18 0xBC 0xA3 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_2652b\TriggerInfo\0@DataType0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_2652b\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_2652b\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_2652b\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_2652b\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?pt.?, ?lip ?22 ?16, 01:07:47 PM???????????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 56 Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 784 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_2652b\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_2652b\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_2652b\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_2652b\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SOFTWARE\Microsoft\Windows\Configuration\CfgClient\ControlSet@LastPullTime 0x8A 0x27 0x0D 0x31 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI@IdleTime 41875 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing@SessionIdHigh 30532501 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing@SessionIdLow 1479635599 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack@LaunchCount 0x39 0x00 0x00 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack@LastHeartBeatTime 0x6B 0x1F 0x5F 0x1B ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests@LastNormalDownloadAttempt 0xFC 0xC7 0xE1 0xAC ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeLo 383683786 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeHi 30532617 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeLo 383683786 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeHi 30532617 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-795517579-3768718150-1692981735-1001\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeLo 822320803 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-795517579-3768718150-1692981735-1001\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeHi 30532617 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-795517579-3768718150-1692981735-1001\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeLo 822633170 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-795517579-3768718150-1692981735-1001\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeHi 30532617 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager@ServerChangeNumber 57 Reg HKLM\SOFTWARE\Microsoft\Windows\DWM@DwmInitSessionActivityId_00000001 00A25BDD-E409-0000-075C-A20009E4D101 Reg HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Kernel_50_c8b8acf0822c2dd4fe19e08c15a0bff1f97160e0_00000000_02710f0e Reg HKLM\SOFTWARE\Microsoft\Windows Defender\Scan@SFCState 7 Reg HKLM\SOFTWARE\Microsoft\Windows Defender\Scan@CacheFile C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\MpScanCache-0.bin Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@CACDADA5 57 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-795517579-3768718150-1692981735-1001@RefCount 3 Reg HKLM\SOFTWARE\Microsoft\Windows Search\CatalogNames\Windows\SystemIndex@pkm:catalog:LastCatalogCrawlId 7 Reg HKLM\SOFTWARE\Microsoft\Windows Search\CatalogNames\Windows\SystemIndex@pkm:catalog:LastCatalogCrawlModified 1 Reg HKLM\SOFTWARE\Microsoft\Windows Search\CatalogNames\Windows\SystemIndex@pkm:catalog:LastCatalogCrawlKBytes 0 Reg HKLM\SOFTWARE\Microsoft\Windows Search\CatalogNames\Windows\SystemIndex@pkm:catalog:LastCatalogCrawlRetries 0 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@NewCrawlNumber 8 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@NewClientID 2283 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@LazyCheckPointUpdateInterval 604800 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\0@LastCrawlType 5 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\1@LastCrawlType 1 Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{000C11BE-0000-0000-0000-90992C000000} 1195283272 Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Volumes\{000C11BE-0000-0000-0000-90992C000000}@VolumeJournal 131091837829195078 ---- EOF - GMER 2.2 ----