GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-01-30 11:37:18 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000037 PLEXTOR_PX-256M6V rev.1.04 238,47GB Running: d41lkw6r.exe; Driver: C:\Users\Damian\AppData\Local\Temp\awndqpog.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\SYSTEM32\iertutil.dll [10876] entry point in ".rdata" section 000000006b4d1590 ? C:\Windows\System32\ActXPrxy.dll [10876] entry point in ".rdata" section 000000006b729c50 ? C:\WINDOWS\SYSTEM32\dbgcore.DLL [12256] entry point in ".rdata" section 0000000073f1c940 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [12256] entry point in ".rdata" section 00000000741c8fc0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [12256] entry point in ".rdata" section 000000006b4d1590 ? C:\WINDOWS\system32\apphelp.dll [15368] entry point in ".rdata" section 000000006fdcf7c0 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\services.exe [768:3656] 00007ffff130dbe0 Thread C:\WINDOWS\system32\services.exe [768:9056] 00007ffff130dbe0 Thread C:\WINDOWS\system32\services.exe [768:10680] 00007ffff130dbe0 Thread C:\WINDOWS\system32\svchost.exe [872:996] 00007ffffc15f950 Thread C:\WINDOWS\system32\svchost.exe [872:1000] 00007ffffc15ed20 Thread C:\WINDOWS\system32\svchost.exe [872:1012] 00007ffffbf78ae0 Thread C:\WINDOWS\System32\svchost.exe [492:3364] 00007ffff41aac90 Thread C:\WINDOWS\System32\svchost.exe [492:7448] 00007ffff41a3590 Thread C:\WINDOWS\System32\svchost.exe [492:10216] 00007ffff73a5bc0 Thread C:\WINDOWS\System32\svchost.exe [484:212] 00007ffff130dbe0 Thread C:\WINDOWS\System32\svchost.exe [484:2552] 00007ffff130dbe0 Thread C:\WINDOWS\System32\svchost.exe [484:4176] 00007ffff130dbe0 Thread C:\WINDOWS\system32\svchost.exe [1120:2212] 00007ffff556af40 Thread C:\WINDOWS\system32\svchost.exe [1120:2252] 00007ffff556ca00 Thread C:\WINDOWS\system32\svchost.exe [1120:3320] 00007ffff1c11240 Thread C:\WINDOWS\system32\svchost.exe [1120:3324] 00007fffeefda3b0 Thread C:\WINDOWS\system32\svchost.exe [1120:3600] 00007fffed4e25e0 Thread C:\WINDOWS\system32\svchost.exe [1120:3508] 00007fffe8b83bc0 Thread C:\WINDOWS\system32\svchost.exe [1120:7772] 00007fffe8b82080 Thread C:\WINDOWS\system32\svchost.exe [1284:1632] 00007ffff6f4ef50 Thread C:\WINDOWS\system32\svchost.exe [1284:1740] 00007ffff6e63270 Thread C:\WINDOWS\system32\svchost.exe [1284:1900] 00007ffffca86750 Thread C:\WINDOWS\system32\svchost.exe [1284:2576] 00007ffff4771a50 Thread C:\WINDOWS\system32\svchost.exe [1284:3432] 00007ffffca86750 Thread C:\WINDOWS\system32\svchost.exe [1284:3944] 00007fffebff1040 Thread C:\WINDOWS\system32\svchost.exe [1284:3988] 00007ffff62a48e0 Thread C:\WINDOWS\system32\svchost.exe [1284:4004] 00007ffff62a48e0 Thread C:\WINDOWS\System32\svchost.exe [1292:2020] 00007ffff5ed87e0 Thread C:\WINDOWS\System32\svchost.exe [1292:3640] 00007ffff130dbe0 Thread C:\WINDOWS\System32\svchost.exe [1292:5872] 00007ffff130dbe0 Thread C:\WINDOWS\System32\svchost.exe [1292:13556] 00007ffff51f2400 Thread C:\WINDOWS\system32\svchost.exe [1708:1016] 00007ffff73a5bc0 Thread C:\WINDOWS\system32\svchost.exe [1708:1148] 00007ffff73b7d70 Thread C:\WINDOWS\system32\svchost.exe [1708:3340] 00007ffff4ebb180 Thread C:\WINDOWS\system32\svchost.exe [1708:3372] 00007ffff4ebf5f0 Thread C:\WINDOWS\system32\svchost.exe [1840:1876] 00007ffff690e830 Thread C:\WINDOWS\system32\svchost.exe [1840:1888] 00007ffff65d10a0 Thread C:\Program Files\Windows Defender\MsMpEng.exe [2360:1272] 00007fffd27db5c0 Thread C:\Program Files\Windows Defender\MsMpEng.exe [2360:3264] 00007fffd27db5c0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [6884:13204] 0000000000aa637b Thread C:\WINDOWS\system32\ApplicationFrameHost.exe [3824:9432] 00007ffffe5759c0 Thread C:\WINDOWS\system32\ApplicationFrameHost.exe [3824:11308] 00007ffffe5759c0 Thread C:\WINDOWS\system32\ApplicationFrameHost.exe [3824:5100] 00007ffffe5759c0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1102124628 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x7A 0xAF 0xA9 0x04 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x7A 0x17 0x6E 0x66 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x7A 0x47 0xE5 0xA2 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Flighting@CachedFeatureString Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@E7CF176E110C211B 0x15 0xB7 0xEF 0xC7 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{DD1D765C-D78C-48CB-8408-C29E5B50076D}@LastAccessedTime 0xA0 0xB9 0x9A 0x0B ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{DD1D765C-D78C-48CB-8408-C29E5B50076D}@LaunchCount 1 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.2 ---- File C:\Users\Damian\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3388ECC3F7BC4A9271C10ED8621E5A65_5EC74C1E848811A55783F85C061D2A4D 0 bytes File C:\Users\Damian\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3388ECC3F7BC4A9271C10ED8621E5A65_5EC74C1E848811A55783F85C061D2A4D 0 bytes ---- EOF - GMER 2.2 ----