GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-03-21 19:40:32
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000022 TOSHIBA_MQ01ABF050 rev.AM0P2C 465,76GB
Running: gmer.exe; Driver: C:\Users\JANUSZ~1\AppData\Local\Temp\kxldypog.sys

---- Kernel code sections - GMER 2.2 ----

.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960001df900 15 bytes [00, 16, EC, 01, 80, 20, 6A, ...]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 16 fffff960001df910 11 bytes [00, CC, FB, FF, 40, 14, C0, ...]

---- Threads - GMER 2.2 ----

Thread C:\Windows\system32\csrss.exe [688:6568] fffff960008192d0

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD04650_00_07DE_89^F565DF2B5CA5DA38FB5F599A72AB2B71@Timestamp 0x05 0xB5 0x66 0xC5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\238c9fa8-0aad-41ed-83f4-97be242c8f20\29f6c1db-86da-48c5-9fdb-f2b67b1f44da@ACSettingIndex 1200
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 837853075
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime 9262296
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp 9258507
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp 9258507
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState 9258918
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime 345
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp 0x7A 0x77 0xC8 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\48e2442d6aa0
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\48e2442d6aa0@94ce2c1909b3 0x43 0xD8 0x67 0x10 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{40F92C55-95AC-462D-A011-FCA91D0992EB}@DefunctTimestamp 0xF3 0x60 0xCE 0x58 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{E09A9D0B-6B48-4CD8-8F02-AA3C3739FE1C}@DefunctTimestamp 0x49 0x26 0xD0 0x58 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\24-00-ba-e9-ce-82@AddressCreationTimestamp 0xE3 0x6D 0xE1 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\24-00-ba-e9-ce-82@UPnPState 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\24-00-ba-e9-ce-82@ClientLocalPort 51202
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\24-00-ba-e9-ce-82@TeredoAddress 2001:0:9d38:90d7:2c24:e500:dad0:ff6a
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\24-00-ba-e9-ce-82@UPnPExternalPort 51202
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 5526
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 5255
Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 5944
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EB4C3F07-961E-4C73-AD59-7D26EAE5A8C6}@DhcpIPAddress 192.168.1.22
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EB4C3F07-961E-4C73-AD59-7D26EAE5A8C6}@LeaseObtainedTime 1490083045
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EB4C3F07-961E-4C73-AD59-7D26EAE5A8C6}@T1 1490126245
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EB4C3F07-961E-4C73-AD59-7D26EAE5A8C6}@T2 1490158645
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EB4C3F07-961E-4C73-AD59-7D26EAE5A8C6}@LeaseTerminatesTime 1490169445
Reg HKLM\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters\Interfaces\{EB4C3F07-961E-4C73-AD59-7D26EAE5A8C6}@Dhcpv6InformationObtainedTime 1490083042
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpdUpFltr\Parameters\Wdf@TimeOfLastSqmLog 0x7C 0x1A 0x01 0x3C ...

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- Files - GMER 2.2 ----

File C:\Users\Janusz042\AppData\Local\Microsoft\Windows\Notifications\8b9c1fdfc50111e5826448e2442d6aa0\BByvEn0[1].jpg 10703 bytes
File C:\Users\Janusz042\AppData\Local\Microsoft\Windows\Notifications\8b9c1fdfc50111e5826448e2442d6aa0\BByxpsK[2].jpg 9737 bytes

---- EOF - GMER 2.2 ----