GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-26 20:03:26
Windows 6.3.9600 x64 \Device\Harddisk0\DR0 -> \Device\00000035 ST1000DM003-1SB102 rev.CC43 931,51GB
Running: h4qfbcrp.exe; Driver: C:\Users\Dozo81\AppData\Local\Temp\pxldapog.sys

---- Kernel code sections - GMER 2.2 ----

.text C:\Windows\system32\ntoskrnl.exe!NtCallbackReturn + 960 fffff80165d5c100 84 bytes [00, DE, A4, FF, 42, 6B, 3E, ...]

---- User IAT/EAT - GMER 2.2 ----

IAT C:\Windows\Explorer.EXE[1084] @ C:\Windows\Explorer.EXE[UxTheme.dll!DrawThemeBackground] [ad70060]
IAT C:\Windows\Explorer.EXE[1084] @ C:\Windows\Explorer.EXE[UxTheme.dll!DrawThemeText] [ad70080]
IAT C:\Windows\Explorer.EXE[1084] @ C:\Windows\Explorer.EXE[UxTheme.dll!DrawThemeTextEx] [ad700a0]

---- Threads - GMER 2.2 ----

Thread C:\Windows\system32\csrss.exe [480:504] fffff9600092b2d0

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control@SystemStartOptions NOEXECUTE=OPTIN
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\MSBDD_NOEDID_1414_008D_FFFFFFFF_FFFFFFFF_0^CC77560BC3634A486857716562968286@Timestamp 0x7C 0xF0 0x21 0x9B ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 676
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 3900103
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -1879317266
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 126
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 487496108
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 10267
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 10269
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 1736a417-752b-4408-97a5-2b41b64
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{bb88dab1-0592-4962-b3fa-2fbb0d6499a5}@LastProbeTime 1477510470
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 1697
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 668
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{536EEE44-E113-4F25-AE57-6C154515E82F}@LeaseObtainedTime 1477503267
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{536EEE44-E113-4F25-AE57-6C154515E82F}@T1 1477506867
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{536EEE44-E113-4F25-AE57-6C154515E82F}@T2 1477509567
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{536EEE44-E113-4F25-AE57-6C154515E82F}@LeaseTerminatesTime 1477510467
Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code