GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-07-25 15:00:58
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000001e WDC_WD10JPCX-24UE4T0 rev.01.01A01 931,51GB
Running: gmer.exe; Driver: C:\Users\Michal\AppData\Local\Temp\pgldrpoc.sys

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [632:6424]  fffff960f6d14030
Thread  C:\WINDOWS\system32\svchost.exe [868:996]  00007ffeea45a8a0
Thread  C:\WINDOWS\system32\svchost.exe [868:1000]  00007ffeea459c70
Thread  C:\WINDOWS\system32\svchost.exe [868:348]  00007ffeea098d90
Thread  C:\WINDOWS\system32\svchost.exe [424:1568]  00007ffee66ed4c0
Thread  C:\WINDOWS\system32\svchost.exe [424:1776]  00007ffedfe34530
Thread  C:\WINDOWS\system32\svchost.exe [424:2168]  00007ffedfac9670
Thread  C:\WINDOWS\system32\svchost.exe [424:2896]  00007ffeeaab6b60
Thread  C:\WINDOWS\system32\svchost.exe [424:3036]  00007ffedfac5a40
Thread  C:\WINDOWS\system32\svchost.exe [424:764]  00007ffedfabe0e0
Thread  C:\WINDOWS\system32\svchost.exe [424:4216]  00007ffedd82c040
Thread  C:\WINDOWS\system32\svchost.exe [424:8436]  00007ffedd82c040
Thread  C:\WINDOWS\system32\svchost.exe [424:3292]  00007ffedd82c040
Thread  C:\WINDOWS\system32\svchost.exe [544:1368]  00007ffee94c4d80
Thread  C:\WINDOWS\system32\svchost.exe [544:1588]  00007ffee657a070
Thread  C:\WINDOWS\system32\svchost.exe [544:1592]  00007ffee657a0f0
Thread  C:\WINDOWS\system32\svchost.exe [544:2780]  00007ffedd5e0160
Thread  C:\WINDOWS\system32\svchost.exe [544:2820]  00007ffedd5e5ab0
Thread  C:\WINDOWS\system32\svchost.exe [544:2824]  00007ffedd5e9e00
Thread  C:\WINDOWS\system32\svchost.exe [544:2828]  00007ffedd5e9720
Thread  C:\WINDOWS\system32\svchost.exe [544:2832]  00007ffedd5e94f0
Thread  C:\WINDOWS\system32\svchost.exe [544:2836]  00007ffedd439fd0
Thread  C:\WINDOWS\system32\svchost.exe [544:2840]  00007ffedfdb4440
Thread  C:\WINDOWS\system32\svchost.exe [544:3080]  00007ffedd5e8d30
Thread  C:\WINDOWS\system32\svchost.exe [544:3708]  00007ffee94c5f20
Thread  C:\WINDOWS\system32\svchost.exe [544:7536]  00007ffee6068850
Thread  C:\WINDOWS\system32\svchost.exe [544:6356]  00007ffecae0df60
Thread  C:\WINDOWS\system32\svchost.exe [544:9128]  00007ffecaded6e0
Thread  C:\WINDOWS\system32\svchost.exe [544:9044]  00007ffecaded6e0
Thread  C:\WINDOWS\system32\svchost.exe [544:3520]  00007ffee9e223e0
Thread  C:\WINDOWS\system32\svchost.exe [628:1008]  00007ffedc74c550
Thread  C:\WINDOWS\system32\svchost.exe [628:1624]  00007ffedc74c530
Thread  C:\WINDOWS\system32\svchost.exe [1016:1932]  00007ffee0f9a640
Thread  C:\WINDOWS\system32\svchost.exe [1016:2640]  00007ffede511a50
Thread  C:\WINDOWS\system32\svchost.exe [1016:2760]  00007ffeddbf4ba0
Thread  C:\WINDOWS\system32\svchost.exe [1016:2880]  00007ffedd411040
Thread  C:\WINDOWS\system32\svchost.exe [1016:2884]  00007ffee0514c50
Thread  C:\WINDOWS\system32\svchost.exe [1016:2888]  00007ffee0514c50
Thread  C:\WINDOWS\system32\svchost.exe [1016:3000]  00007ffede1817f0
Thread  C:\WINDOWS\system32\svchost.exe [1016:5728]  00007ffedfe72750
Thread  C:\WINDOWS\system32\svchost.exe [1016:5380]  00007ffec938c480
Thread  C:\WINDOWS\system32\svchost.exe [1016:1860]  00007ffec938c480
Thread  C:\WINDOWS\system32\svchost.exe [1016:2572]  00007ffec938c480
Thread  C:\WINDOWS\system32\svchost.exe [1016:1272]  00007ffec9368640
Thread  C:\WINDOWS\system32\svchost.exe [1016:788]  00007ffec938c480
Thread  C:\WINDOWS\system32\svchost.exe [1016:6480]  00007ffec938c480
Thread  C:\WINDOWS\system32\svchost.exe [1016:7032]  00007ffec9397a10
Thread  C:\WINDOWS\system32\svchost.exe [1376:1748]  00007ffedfe96aa0
Thread  C:\WINDOWS\system32\svchost.exe [1376:2352]  00007ffedfe9b0c0
Thread  C:\WINDOWS\system32\svchost.exe [1376:3396]  00007ffede2d1240
Thread  C:\WINDOWS\system32\svchost.exe [1376:3404]  00007ffedbfd9490
Thread  C:\WINDOWS\system32\svchost.exe [1376:3476]  00007ffeda6429b0
Thread  C:\WINDOWS\system32\svchost.exe [1376:4068]  00007ffed9693d30
Thread  C:\WINDOWS\system32\svchost.exe [1376:6604]  00007ffed96922b0
Thread  C:\WINDOWS\System32\svchost.exe [1412:1716]  00007ffee18fb460
Thread  C:\WINDOWS\System32\svchost.exe [1412:1780]  00007ffee1768e30
Thread  C:\WINDOWS\System32\svchost.exe [1412:1784]  00007ffee14c54a0
Thread  C:\WINDOWS\System32\svchost.exe [1412:1788]  00007ffee13e10a0
Thread  C:\WINDOWS\System32\svchost.exe [1412:2128]  00007ffedfdb4440
Thread  C:\WINDOWS\System32\svchost.exe [1412:3056]  00007ffedfc74460
Thread  C:\WINDOWS\System32\svchost.exe [1412:3064]  00007ffedfc771f0
Thread  C:\WINDOWS\System32\svchost.exe [1412:3068]  00007ffedfdb4440
Thread  C:\WINDOWS\System32\svchost.exe [1412:7360]  00007ffec77a9dd0
Thread  C:\WINDOWS\System32\svchost.exe [1412:7364]  00007ffec77a2450
Thread  C:\WINDOWS\System32\svchost.exe [1412:7584]  00007ffeda6a1670
Thread  C:\WINDOWS\Explorer.EXE [4240:6336]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:6000]  00007ffec62e39e0
Thread  C:\WINDOWS\Explorer.EXE [4240:3544]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:8864]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:2752]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:4136]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:6964]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:1192]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:1800]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:5508]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:1352]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:7684]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:2588]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:8024]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:220]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:8188]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:2520]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:1040]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:8072]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:6772]  00007ffecb302360
Thread  C:\WINDOWS\Explorer.EXE [4240:6892]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:7852]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:2188]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:7676]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:8420]  00007ffebd989b80
Thread  C:\WINDOWS\Explorer.EXE [4240:8576]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:6040]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:7264]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:7240]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:1612]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:2764]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:8988]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:9084]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:6776]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:6560]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:5448]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:1140]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:9304]  00007ffec62f0250
Thread  C:\WINDOWS\Explorer.EXE [4240:6592]  00007ffec62f0250
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [4972:5656]  00007ffee0b0fc00
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [4972:5700]  00007ffee0b0fc00
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [4972:5980]  00007ffee99d30f0
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [4972:6512]  00007ffee0b0fc00
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [4972:9628]  00007ffee0b0fc00
Thread  C:\WINDOWS\system32\SettingSyncHost.exe [5992:4172]  00007ffedd82c040
Thread  C:\Users\Michal\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2472:8824]  0000000071868390
Thread  C:\WINDOWS\SYSTEM32\ntdll.dll [7232:6768]  00000000008599ef
Thread  C:\WINDOWS\SYSTEM32\ntdll.dll [9184:9040]  00000000008599ef
Thread  C:\WINDOWS\SYSTEM32\ntdll.dll [7904:6904]  00000000008599ef
Thread  C:\Program Files\Microsoft Office\Office15\EXCEL.EXE [9484:7700]  00007ffee99d30f0
Thread  C:\WINDOWS\SYSTEM32\ntdll.dll [2388:6060]  00000000008599ef
Thread  C:\WINDOWS\SYSTEM32\ntdll.dll [10148:8768]  00000000008599ef
Thread  C:\WINDOWS\SYSTEM32\ntdll.dll [9664:7352]  00000000008599ef
Thread  C:\WINDOWS\SYSTEM32\ntdll.dll [7656:5752]  00000000008599ef

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  535334416
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\34e6ada9c44f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8b51a561-8c6e-4d80-b63e-453429fc7ddf}@LeaseObtainedTime  1469416250
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8b51a561-8c6e-4d80-b63e-453429fc7ddf}@T1  1469419850
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8b51a561-8c6e-4d80-b63e-453429fc7ddf}@T2  1469422550
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8b51a561-8c6e-4d80-b63e-453429fc7ddf}@LeaseTerminatesTime  1469423450
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0xC0 0xD2 0x9D 0x19 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0xC0 0x3A 0x62 0x7B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0xC0 0x6A 0xD9 0xB7 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount  0x75 0x43 0x18 0x14 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\1@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\1@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE7CD045-E861-484F-8273-0445EE161910}\iexplore@Count  1045
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\iexplore@Count  1046
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime  0x1C 0x76 0x71 0x2A ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime  0x1C 0x76 0x71 0x2A ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime  0x1C 0x76 0x71 0x2A ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime  0x1C 0x76 0x71 0x2A ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest  0x72 0x84 0x17 0xE4 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations  132
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC@1  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG\AVG Protection.lnk?C:\Program Files (x86)\AVG\Av\avgui.exe??

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----