GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-11-25 22:24:13
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002d M4-CT128M4SSD2 rev.070H 119,24GB
Running: vpkltiso.exe; Driver: C:\Users\R44\AppData\Local\Temp\pxldrpob.sys

---- User code sections - GMER 2.2 ----

? C:\Windows\SYSTEM32\wship6.dll [1904] entry point in ".rdata" section 00000000711f24b0
? C:\Windows\system32\wbem\wbemsvc.dll [1904] entry point in ".rdata" section 000000006efa8fa0
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd701a5220 5 bytes JMP 00007ffcf02e0480
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd701a52c0 5 bytes JMP 00007ffcf02e0470
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd701a5580 5 bytes JMP 00007ffcf02e0360
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd701a5620 5 bytes JMP 00007ffcf02e0490
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd701a5640 1 byte JMP 00007ffcf02e03d0
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 00007ffd701a5642 3 bytes {JMP 0xffffffff8013ad90}
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd701a57a0 5 bytes JMP 00007ffcf02e0310
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd701a5800 5 bytes JMP 00007ffcf02e03a0
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd701a5840 5 bytes JMP 00007ffcf02e0380
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd701a58c0 5 bytes JMP 00007ffcf02e02d0
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd701a59c0 5 bytes JMP 00007ffcf02e02c0
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd701a5a00 5 bytes JMP 00007ffcf02e0300
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd701a5a80 5 bytes JMP 00007ffcf02e03b0
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00007ffd701a5b00 5 bytes JMP 00007ffcf02e0440
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd701a5b20 5 bytes JMP 00007ffcf02e03e0
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd701a5db0 5 bytes JMP 00007ffcf02e0220
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd701a61b0 5 bytes JMP 00007ffcf02e04a0
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd701a6210 5 bytes JMP 00007ffcf02e0390
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd701a6490 5 bytes JMP 00007ffcf02e02e0
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd701a64d0 5 bytes JMP 00007ffcf02e0340
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd701a65b0 5 bytes JMP 00007ffcf02e0280
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd701a66f0 5 bytes JMP 00007ffcf02e02a0
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd701a6730 1 byte JMP 00007ffcf02e03c0
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00007ffd701a6732 3 bytes {JMP 0xffffffff80139c90}
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd701a6750 5 bytes JMP 00007ffcf02e0320
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd701a68b0 5 bytes JMP 00007ffcf02e0410
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd701a6910 5 bytes JMP 00007ffcf02e0230
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffd701a6d30 5 bytes JMP 00007ffcf02e03f0
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd701a6f90 5 bytes JMP 00007ffcf02e01d0
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd701a7150 5 bytes JMP 00007ffcf02e0240
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd701a71b0 5 bytes JMP 00007ffcf02e04b0
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd701a71d0 5 bytes JMP 00007ffcf02e04c0
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd701a7230 5 bytes JMP 00007ffcf02e02f0
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd701a7250 5 bytes JMP 00007ffcf02e0350
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd701a7310 5 bytes JMP 00007ffcf02e0290
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd701a73d0 5 bytes JMP 00007ffcf02e02b0
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd701a7430 5 bytes JMP 00007ffcf02e0370
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd701a7450 5 bytes JMP 00007ffcf02e0330
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd701a7a70 5 bytes JMP 00007ffcf02e0460
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00007ffd701a7d30 5 bytes JMP 00007ffcf02e0420
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd701a7e90 5 bytes JMP 00007ffcf02e0250
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd701a7eb0 5 bytes JMP 00007ffcf02e0260
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd701a7ef0 5 bytes JMP 00007ffcf02e0400
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd701a82d0 5 bytes JMP 00007ffcf02e01e0
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd701a82f0 5 bytes JMP 00007ffcf02e0200
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd701a8410 5 bytes JMP 00007ffcf02e01f0
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd701a84f0 5 bytes JMP 00007ffcf02e0430
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd701a8510 5 bytes JMP 00007ffcf02e0450
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd701a8530 5 bytes JMP 00007ffcf02e0210
.text C:\Windows\Explorer.EXE[2640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd701a8750 5 bytes JMP 00007ffcf02e0270
? C:\Windows\SYSTEM32\iertutil.dll [3116] entry point in ".rdata" section 00000000727616b0
? C:\Windows\system32\wbem\wbemsvc.dll [3116] entry point in ".rdata" section 000000006efa8fa0
? C:\Windows\SYSTEM32\NTASN1.dll [3116] entry point in ".rdata" section 000000007151bb10
? C:\Windows\SYSTEM32\PhotoMetadataHandler.dll [3116] entry point in ".rdata" section 00000000624d5fc0
? C:\Windows\SYSTEM32\srpapi.dll [3116] entry point in ".rdata" section 0000000062402aa0
? C:\Windows\SYSTEM32\ActXPrxy.dll [3116] entry point in ".rdata" section 000000006276bd10
? C:\Windows\SYSTEM32\ActXPrxy.dll [5540] entry point in ".rdata" section 000000006276bd10
? C:\Windows\SYSTEM32\mfwmaaec.dll [5540] entry point in ".rdata" section 0000000057c23540
? C:\Windows\SYSTEM32\NTASN1.dll [5952] entry point in ".rdata" section 000000007151bb10
? C:\Windows\system32\wbem\wbemsvc.dll [5964] entry point in ".rdata" section 000000006efa8fa0
? C:\Windows\SYSTEM32\iertutil.dll [5964] entry point in ".rdata" section 00000000727616b0
? C:\Windows\system32\apphelp.dll [6236] entry point in ".rdata" section 0000000071350380

---- Threads - GMER 2.2 ----

Thread C:\Windows\system32\csrss.exe [612:772] fffff96079974030
Thread C:\Windows\system32\csrss.exe [612:780] fffff96079974030

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xB2 0x89 0x2A 0x75 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xC4 0x92 0xCB 0x93 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0xB2 0x89 0x2A 0x75 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x0F 0xF5 0xCD 0x93 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 78
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\ACI26A38CLMTF139184_34_07D8_5C+SAM060A0_1D_07D9_66^66A4E6E58B73FCCE2AC8C2808CAE2FC1@Timestamp 0xDF 0xAB 0xFE 0x75 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 720
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 917949350
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID a01d785d-7ece-4bcd-b0d6-ba3d914
Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{351ef66f-368f-4041-821e-b2bf2da78e1a}
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName Global\MMF_BITS_s
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0026831775fc
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{e09f98bb-a283-40dc-a145-e87a59e082a6}@LastProbeTime 1480103717
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_50517\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_50517\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_50517\TriggerInfo
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_50517\TriggerInfo\0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_50517\TriggerInfo\0@Type 7
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_50517\TriggerInfo\0@Action 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_50517\TriggerInfo\0@Guid 0x16 0x28 0x7A 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_50517\TriggerInfo\0@Data0 0x75 0x18 0xBC 0xA3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_50517\TriggerInfo\0@DataType0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_50517\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_50517\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_50517\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_50517\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 1883
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 399
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 77
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ca3dc87e-25c8-41c7-8033-18f478b0b8ed}@LeaseObtainedTime 1480100116
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ca3dc87e-25c8-41c7-8033-18f478b0b8ed}@T1 1480143316
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ca3dc87e-25c8-41c7-8033-18f478b0b8ed}@T2 1480175716
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ca3dc87e-25c8-41c7-8033-18f478b0b8ed}@LeaseTerminatesTime 1480186516
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{ca3dc87e-25c8-41c7-8033-18f478b0b8ed}@Dhcpv6InformationObtainedTime 1480100116
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_50517\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_50517\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_50517\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_50517\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xF0 0x08 0xA0 0xC1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xF0 0x70 0x64 0x23 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xF0 0xA0 0xDB 0x5F ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds E7CF176E110C211B?Microsoft.Windows.ControlPanel?

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----