GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-01-18 18:38:38
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000037 ST1000LM024_HN-M101MBB rev.2BA30001 931,51GB
Running: 35tbmy9b.exe; Driver: C:\Users\SEBAST~1\AppData\Local\Temp\pwldapob.sys

---- Kernel code sections - GMER 2.2 ----

.text    C:\Windows\System32\win32k.sys!W32pServiceTable         fffff960000ef100 15 bytes [40, 23, ED, 01, 00, BC, 69, ...]
.text    C:\Windows\System32\win32k.sys!W32pServiceTable + 16    fffff960000ef110 8 bytes [00, 96, FC, FF, 00, C1, DD, ...]

---- Threads - GMER 2.2 ----

Thread   C:\Windows\system32\csrss.exe [9148:4468]               fffff960008b22d0

---- Registry - GMER 2.2 ----

Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed                                              -612225025
Reg      HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\f81654566471
Reg      HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\f81654566471@5055270d075c                                        0xD8 0xF3 0xD9 0xB0 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch                                                                 11537
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch                                                                6198
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{07B3CAF1-C843-434F-B784-C961A745ADBA}@LeaseObtainedTime    1484753337
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{07B3CAF1-C843-434F-B784-C961A745ADBA}@T1                   1484796537
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{07B3CAF1-C843-434F-B784-C961A745ADBA}@T2                   1484828937
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{07B3CAF1-C843-434F-B784-C961A745ADBA}@LeaseTerminatesTime  1484839737
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\OpenWithList@MRUList                                      ba

---- Disk sectors - GMER 2.2 ----

Disk     \Device\Harddisk0\DR0    unknown MBR code

---- EOF - GMER 2.2 ----