GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-12-06 22:04:59
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000039 Micron_M600_MTFDDAV256MBF rev.MA01 238.47GB
Running: r69z9y9j.exe; Driver: C:\Users\maja\AppData\Local\Temp\kwedipob.sys

---- User code sections - GMER 2.2 ----

? C:\WINDOWS\SYSTEM32\dbgcore.DLL [10048] entry point in ".rdata" section 000000006c94c940
? C:\WINDOWS\SYSTEM32\NTASN1.dll [10048] entry point in ".rdata" section 0000000064b9a020
? C:\WINDOWS\SYSTEM32\iertutil.dll [10048] entry point in ".rdata" section 000000006d0d1590
? C:\WINDOWS\system32\apphelp.dll [8012] entry point in ".rdata" section 000000006a53f7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [8012] entry point in ".rdata" section 000000006d0d1590
? C:\WINDOWS\SYSTEM32\iertutil.dll [10676] entry point in ".rdata" section 000000006d0d1590
? C:\WINDOWS\SYSTEM32\iertutil.dll [13060] entry point in ".rdata" section 000000006d0d1590
? C:\WINDOWS\system32\apphelp.dll [9280] entry point in ".rdata" section 000000006a53f7c0

---- Threads - GMER 2.2 ----

Thread System [4:1516] ffffad89320b5630
Thread C:\WINDOWS\system32\svchost.exe [876:1008] 00007ffb0eb8f950
Thread C:\WINDOWS\system32\svchost.exe [876:1012] 00007ffb0eb8ed20
Thread C:\WINDOWS\system32\svchost.exe [876:328] 00007ffb0e9a8ae0
Thread C:\WINDOWS\system32\svchost.exe [360:9400] 00007ffafaffdbe0
Thread C:\WINDOWS\system32\svchost.exe [360:9404] 00007ffafaffdbe0
Thread C:\WINDOWS\system32\svchost.exe [360:9440] 00007ffafaffdbe0
Thread C:\WINDOWS\system32\svchost.exe [360:6272] 00007ffaed5d5b60
Thread C:\WINDOWS\System32\svchost.exe [400:1544] 00007ffb0a4ff050
Thread C:\WINDOWS\System32\svchost.exe [400:1572] 00007ffb08da87e0
Thread C:\WINDOWS\System32\svchost.exe [400:1828] 00007ffb0806c030
Thread C:\WINDOWS\System32\svchost.exe [400:1876] 00007ffb08067000
Thread C:\WINDOWS\System32\svchost.exe [400:1880] 00007ffb08068370
Thread C:\WINDOWS\System32\svchost.exe [400:1884] 00007ffb0806ad30
Thread C:\WINDOWS\System32\svchost.exe [400:3992] 00007ffb08e330f0
Thread C:\WINDOWS\System32\svchost.exe [400:8068] 00007ffafaffdbe0
Thread C:\WINDOWS\System32\svchost.exe [400:8072] 00007ffafaffdbe0
Thread C:\WINDOWS\System32\svchost.exe [400:12520] 00007ffb0806c830
Thread C:\WINDOWS\System32\svchost.exe [400:2672] 00007ffb08067d50
Thread C:\WINDOWS\System32\svchost.exe [400:13212] 00007ffb00922400
Thread C:\WINDOWS\system32\svchost.exe [1088:8484] 00007ffb08e330f0
Thread C:\WINDOWS\system32\svchost.exe [1088:11352] 00007ffafaffdbe0
Thread C:\WINDOWS\system32\svchost.exe [1088:8388] 00007ffafaffdbe0
Thread C:\WINDOWS\system32\svchost.exe [1088:11076] 00007ffafaffdbe0
Thread C:\WINDOWS\system32\svchost.exe [1088:12004] 00007ffadeab0c20
Thread C:\WINDOWS\system32\svchost.exe [1088:7976] 00007ffadeab0c20
Thread C:\Windows\System32\WUDFHost.exe [1100:1332] 00007ffb0d4ca990
Thread C:\Windows\System32\WUDFHost.exe [1100:1372] 00007ffb0d4a7790
Thread C:\Windows\System32\WUDFHost.exe [1100:1400] 00007ffb0d4ca990
Thread C:\Windows\System32\WUDFHost.exe [1100:1404] 00007ffb0d4cc3b0
Thread C:\Windows\System32\WUDFHost.exe [1100:2108] 00007ffb03886e70
Thread C:\Windows\System32\WUDFHost.exe [1100:2112] 00007ffb0d4bed90
Thread C:\Windows\System32\WUDFHost.exe [1100:2116] 00007ffb08cc2cf0
Thread C:\Windows\System32\WUDFHost.exe [1100:2120] 00007ffb0d4bed90
Thread C:\Windows\System32\WUDFHost.exe [1100:2124] 00007ffb036ced10
Thread C:\Windows\System32\WUDFHost.exe [1100:2128] 00007ffb0d4c6e3c
Thread C:\Windows\System32\WUDFHost.exe [1100:2136] 00007ffb03543b60
Thread C:\WINDOWS\system32\svchost.exe [1228:3780] 00007ffafbdc1240
Thread C:\WINDOWS\system32\svchost.exe [1228:3784] 00007ffafbe3a3b0
Thread C:\WINDOWS\system32\svchost.exe [1228:3840] 00007ffafa7025e0
Thread C:\WINDOWS\system32\svchost.exe [1228:3304] 00007ffb0a833bc0
Thread C:\WINDOWS\system32\svchost.exe [1228:1948] 00007ffb0a832080
Thread C:\WINDOWS\system32\svchost.exe [1320:12244] 00007ffb00b72a20
Thread C:\WINDOWS\system32\svchost.exe [1320:7932] 00007ffb00b72610
Thread C:\WINDOWS\system32\svchost.exe [1784:1564] 00007ffb06965bd0
Thread C:\WINDOWS\system32\svchost.exe [1784:1740] 00007ffb06969b20
Thread C:\WINDOWS\system32\svchost.exe [1852:2036] 00007ffb06cd44b0
Thread C:\WINDOWS\system32\svchost.exe [1852:1808] 00007ffb0f4b6750
Thread [1896:1956] 00000000740f7ea0
Thread C:\WINDOWS\System32\spoolsv.exe [1988:4736] 00007ffafb945bc0
Thread C:\WINDOWS\System32\spoolsv.exe [1988:7428] 00007ffafc002740
Thread C:\WINDOWS\system32\WLANExt.exe [404:2056] 00007ffb04b44094
Thread C:\WINDOWS\system32\WLANExt.exe [404:2060] 00007ffb052cb2b0
Thread C:\WINDOWS\system32\WLANExt.exe [404:2072] 00007ffb04b44094
Thread C:\WINDOWS\system32\WLANExt.exe [404:2856] 00007ffb08cc2cf0
Thread C:\WINDOWS\system32\WLANExt.exe [404:3732] 00007ffb08cc2cf0
Thread C:\WINDOWS\system32\WLANExt.exe [404:4044] 00007ffb05228ef0
Thread C:\WINDOWS\system32\WLANExt.exe [404:4048] 00007ffb045746d0
Thread C:\WINDOWS\system32\WLANExt.exe [404:4052] 00007ffb045746ec
Thread C:\WINDOWS\system32\WLANExt.exe [404:4056] 00007ffb045746b4
Thread C:\WINDOWS\system32\WLANExt.exe [404:4060] 00007ffb08cc2cf0
Thread C:\Windows\System32\WUDFHost.exe [2184:2236] 00007ffb02764a20
Thread C:\Windows\System32\WUDFHost.exe [2184:2272] 00007ffb02764a20
Thread C:\Windows\System32\WUDFHost.exe [2184:2280] 00007ffb02649b68
Thread C:\WINDOWS\system32\svchost.exe [2248:2400] 00007ffb036ced10
Thread C:\WINDOWS\system32\svchost.exe [2248:2408] 00007ffb02674180
Thread C:\WINDOWS\system32\svchost.exe [2248:2412] 00007ffb02674180
Thread C:\WINDOWS\system32\svchost.exe [2248:3980] 00007ffafa2eb180
Thread C:\WINDOWS\system32\svchost.exe [2248:3984] 00007ffafa2ef5f0
Thread C:\WINDOWS\system32\svchost.exe [2248:4980] 00007ffafb945bc0
Thread C:\WINDOWS\system32\svchost.exe [2248:4984] 00007ffafb957d70
Thread C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2480:3008] 00007ffaffce8380
Thread C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2480:3020] 00007ffaffceb130
Thread C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2480:3040] 00007ffaffce8380
Thread C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2480:2340] 00007ffaffce8380
Thread C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2480:3668] 00007ffafb87502c
Thread C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2480:4356] 00007ffaffce8380
Thread C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2480:8960] 00007ffaffce8380
Thread C:\WINDOWS\system32\svchost.exe [2860:3300] 00007ffb11b03db0
Thread C:\WINDOWS\system32\svchost.exe [2860:3396] 00007ffafc64c070
Thread C:\WINDOWS\system32\svchost.exe [2860:3400] 00007ffafc64e6e0
Thread C:\WINDOWS\system32\svchost.exe [2860:5796] 00007ffafb945bc0
Thread C:\WINDOWS\system32\svchost.exe [2860:13012] 00007ffafc002740
Thread C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [2696:1116] 00007ffaf8cc7944
Thread C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [2696:1340] 00007ffaf8b8beb4
Thread C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [2696:3844] 00007ffaf8b8beb4
Thread C:\WINDOWS\System32\dwm.exe [5588:5412] 00007ffb0c2cea60
Thread C:\WINDOWS\system32\taskhostw.exe [9092:8688] 00007ffb0c8c1160
Thread C:\WINDOWS\system32\taskhostw.exe [9092:2612] 00007ffb0c8c1a20
Thread C:\WINDOWS\system32\taskhostw.exe [9092:13096] 00007ffb11dab600
Thread C:\WINDOWS\system32\taskhostw.exe [9092:6096] 00007ffb03821ba0
Thread C:\WINDOWS\system32\taskhostw.exe [9092:9072] 00007ffaf530a3b0
Thread C:\WINDOWS\system32\taskhostw.exe [9092:1644] 00007ffb00d27930
Thread C:\WINDOWS\system32\taskhostw.exe [9092:10908] 00007ffb00d27930
Thread C:\WINDOWS\system32\taskhostw.exe [9092:8956] 00007ffb00d27930
Thread C:\WINDOWS\system32\taskhostw.exe [9092:12128] 00007ffb0e0830f0
Thread C:\WINDOWS\system32\taskhostw.exe [9092:1848] 00007ffafaffdbe0
Thread C:\WINDOWS\system32\taskhostw.exe [9092:12456] 00007ffafaffdbe0
Thread C:\Windows\System32\RuntimeBroker.exe [1872:4888] 00007ffb06881ba0
Thread C:\Windows\System32\RuntimeBroker.exe [1872:9756] 00007ffb0e002880
Thread C:\Windows\System32\RuntimeBroker.exe [1872:7348] 00007ffb0a7bbb70
Thread C:\WINDOWS\Explorer.EXE [11708:2632] 00007ffaf36763b0
Thread C:\WINDOWS\Explorer.EXE [11708:11364] 00007ffaf36763b0
Thread C:\WINDOWS\Explorer.EXE [11708:3212] 00007ffaf36763b0
Thread C:\WINDOWS\Explorer.EXE [11708:12796] 00007ffb08cc2cf0
Thread C:\WINDOWS\Explorer.EXE [11708:10300] 00007ffb0a7bbb70
Thread C:\WINDOWS\Explorer.EXE [11708:8232] 00007ffb08cc2cf0
Thread C:\WINDOWS\Explorer.EXE [11708:7648] 00007ffb08cc2cf0
Thread C:\WINDOWS\Explorer.EXE [11708:9096] 00007ffb06881ba0
Thread C:\WINDOWS\Explorer.EXE [11708:6512] 00007ffadd3cffd0
Thread C:\WINDOWS\Explorer.EXE [11708:3812] 00007ffaf4b136f0
Thread C:\WINDOWS\Explorer.EXE [11708:5052] 00007ffaf4b220e0
Thread C:\WINDOWS\Explorer.EXE [11708:4696] 00007ffaf4b220e0
Thread C:\WINDOWS\Explorer.EXE [11708:4444] 00007ffb0fb4faa0
Thread C:\WINDOWS\Explorer.EXE [11708:1444] 00007ffb03ce5110
Thread C:\WINDOWS\Explorer.EXE [11708:6544] 00007ffb08cc2cf0
Thread C:\WINDOWS\Explorer.EXE [11708:5188] 00007ffaf4b220e0
Thread C:\WINDOWS\Explorer.EXE [11708:3648] 00007ffaf4b220e0
Thread C:\WINDOWS\Explorer.EXE [11708:6836] 00007ffaf4b220e0
Thread C:\WINDOWS\Explorer.EXE [11708:11292] 00007ffaf4b220e0
Thread [7172:3872] 00000000772476e0
Thread [7172:4944] 0000000077216140
Thread [7172:5624] 0000000077216140
Thread [7172:3632] 000000005f249996
Thread [7172:10360] 000000005f249996
Thread [7172:10256] 000000005f88bfb4
Thread [7172:12220] 000000005f88bfb4
Thread [7172:1892] 000000005f88bfb4
Thread [7172:12712] 000000005f88bfb4
Thread [7172:9524] 000000005f88bfb4
Thread [7172:5980] 00000000742b57d0
Thread [7172:7972] 0000000077216140
Thread [7172:6136] 00000000730d4410
Thread [7172:9252] 000000005f88bfb4
Thread [7172:1212] 000000005f88bfb4
Thread [7172:5236] 000000005f88bfb4
Thread [7172:6008] 000000005f88bfb4
Thread [7172:10348] 000000005f88bfb4
Thread [7172:9372] 0000000077216140
Thread [7172:192] 0000000069fa2600
Thread [7172:11204] 000000005f562823
Thread [7172:2132] 000000005f562823
Thread [7172:9268] 000000005f562823
Thread [7172:10448] 000000005f562823
Thread [7172:12380] 000000005f4a6be0
Thread [7172:13248] 000000005f4a6be0
Thread [7172:5896] 000000005f4a6be0
Thread [7172:2100] 000000005f8dc9a7
Thread [7172:5848] 000000005eddb835
Thread [7172:11808] 000000005eddb835
Thread [7172:7512] 000000005eddb835
Thread [7172:8488] 0000000077216140
Thread [7172:9232] 0000000077216140
Thread C:\Program Files (x86)\Common Files\Microsoft Shared\VsHub\1.0.0.0\vshub.exe [7328:3424] 000000006c84b960
Thread C:\Program Files (x86)\Common Files\Microsoft Shared\VsHub\1.0.0.0\Microsoft.VsHub.Server.HttpHost.exe [11432:12552] 000000006c84b960
Thread C:\Program Files (x86)\Common Files\Microsoft Shared\VsHub\1.0.0.0\Microsoft.VsHub.Server.HttpHost.exe [11432:8056] 0000000069fa2600
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [13060:6080] 000000000122e26c

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c\7516b95f-f776-4464-8c53-06167f40cc99\aded5e82-b909-4619-9949-f5d71dac0bcb@ACSettingIndex 30
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1173191071
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\4c3488a39e0d
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 4888
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 2315
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4fec21a6-8c05-46b5-b8e5-c2279687342d}@LeaseObtainedTime 1481046365
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4fec21a6-8c05-46b5-b8e5-c2279687342d}@T1 1481348765
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4fec21a6-8c05-46b5-b8e5-c2279687342d}@T2 1481575565
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4fec21a6-8c05-46b5-b8e5-c2279687342d}@LeaseTerminatesTime 1481651165
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{4fec21a6-8c05-46b5-b8e5-c2279687342d}@Dhcpv6State 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xF9 0x29 0x1C 0x5F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xF9 0x91 0xE0 0xC0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xF9 0xC1 0x57 0xFD ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\3@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\3@RwMask 0x64 0x62 0x03 0x00 ...

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----