GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-11-11 18:10:12
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000037 WDC_WD10JPVX-22JC3T0 rev.01.01A01 931,51GB
Running: gmer.exe; Driver: C:\Users\Andrzej\AppData\Local\Temp\ugldrpob.sys

---- User code sections - GMER 2.2 ----

? C:\WINDOWS\SYSTEM32\iertutil.dll [7688] entry point in ".rdata" section 0000000071d01350
? C:\WINDOWS\SYSTEM32\dbgcore.DLL [7688] entry point in ".rdata" section 00000000719dc940
? C:\WINDOWS\SYSTEM32\NTASN1.dll [7688] entry point in ".rdata" section 000000007349a020
? C:\Windows\System32\OneCoreUAPCommonProxyStub.dll [7688] entry point in ".rdata" section 000000006b137ec0
? C:\WINDOWS\system32\apphelp.dll [8752] entry point in ".rdata" section 000000006b03f7c0
? C:\Windows\System32\iertutil.dll [8752] entry point in ".rdata" section 0000000071d01350
? C:\WINDOWS\SYSTEM32\NTASN1.dll [8752] entry point in ".rdata" section 000000007349a020
? C:\WINDOWS\system32\ncryptsslp.dll [8752] entry point in ".rdata" section 00000000734704f0
? C:\WINDOWS\SYSTEM32\srpapi.dll [8752] entry point in ".rdata" section 000000006afd6100
? C:\WINDOWS\system32\apphelp.dll [2056] entry point in ".rdata" section 000000006b03f7c0

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [684:4496] ffffea46fd376c20
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6068:5032] 00007ffcbb0659c0
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6068:5304] 00007ffcaff93890
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6068:6496] 00007ffcb3d248e0
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6068:6676] 00007ffcbb0670d0
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6068:6584] 00007ffcb9b011a0
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6068:6664] 00007ffcabcde010
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6068:6612] 00007ffc9c100610
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6068:1972] 00007ffc9c17a430
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6068:6112] 00007ffc9c1387a0
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6068:2032] 00007ffc9c17a430
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6068:1332] 00007ffc9c181e90
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6068:6420] 00007ffcbb132a50

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1616426135
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\c48e8f7f2b3a
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\c48e8f7f2b3a@94236e29de03 0xF3 0x13 0xD0 0x49 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c4-6e-1f-66-28-66@ClientLocalPort 56811
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c4-6e-1f-66-28-66@AddressCreationTimestamp 0x12 0x74 0x36 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c4-6e-1f-66-28-66@NatDetectionTimestamp 0x12 0x74 0x36 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c4-6e-1f-66-28-66@TeredoAddress 2001:0:9d38:6abd:2439:2214:4303:ed1c
Reg HKLM\SYSTEM\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\3@Timestamp 0x74 0x3B 0x93 0xAF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 533
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x42 0xCA 0x20 0xE2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x42 0x32 0xE5 0x43 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x42 0x62 0x5C 0x80 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----