GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-05-08 15:13:16
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000027 ST1000DM003-1SB102 rev.CC43 931,51GB
Running: oycebg8s.exe; Driver: C:\Users\Mateu\AppData\Local\Temp\kwrdafob.sys


---- User code sections - GMER 2.2 ----

?       C:\Windows\SYSTEM32\iertutil.dll [5360] entry point in ".rdata" section 0000000072463150
?       C:\Windows\SYSTEM32\NTASN1.dll [5360] entry point in ".rdata" section 000000007207a020
?       C:\Windows\SYSTEM32\dbgcore.DLL [5360] entry point in ".rdata" section 00000000736cc940
?       C:\Windows\System32\OneCoreUAPCommonProxyStub.dll [5360] entry point in ".rdata" section 0000000073997ec0
?       C:\Windows\system32\apphelp.dll [5516] entry point in ".rdata" section 000000007365f7c0
?       C:\Windows\system32\apphelp.dll [2824] entry point in ".rdata" section 000000007365f7c0

---- Devices - GMER 2.2 ----

Device  \Driver\Ndisuio \Device\Ndisuio      fffff803e387d0d0
Device  \Driver\Ndisuio \Device\WwanProt     fffff803e387d0d0

---- Threads - GMER 2.2 ----

Thread  C:\Windows\system32\svchost.exe [1236:2672]   00007ffc390e1240
Thread  C:\Windows\system32\svchost.exe [1236:2684]   00007ffc3746a3b0
Thread  C:\Windows\system32\svchost.exe [1236:2724]   00007ffc374125e0
Thread  C:\Windows\system32\svchost.exe [1236:2436]   00007ffc43643bc0
Thread  C:\Windows\system32\csrss.exe [4908:4068]   ffffcae5f9196c20
Thread  C:\Windows\system32\SettingSyncHost.exe [3800:5240]   00007ffc37ccdbe0
Thread  C:\Windows\system32\SettingSyncHost.exe [3800:5248]   00007ffc37ccdbe0
Thread  C:\Windows\system32\backgroundTaskHost.exe [3056:5912]   00007ffc3cfc48e0
Thread  C:\Windows\system32\backgroundTaskHost.exe [3056:6308]   00007ffc1801c320
Thread  C:\Windows\system32\backgroundTaskHost.exe [3056:6684]   00007ffc455e59c0
Thread  C:\Windows\system32\backgroundTaskHost.exe [3056:6708]   00007ffc322acb90
Thread  C:\Windows\system32\backgroundTaskHost.exe [3056:6720]   00007ffc455e70d0
Thread  C:\Windows\system32\backgroundTaskHost.exe [3056:7108]   00007ffc458725a0
Thread  C:\Windows\system32\backgroundTaskHost.exe [3056:7112]   00007ffc458725a0
Thread  C:\Windows\system32\backgroundTaskHost.exe [3056:7124]   00007ffc3829e010
Thread  C:\Windows\system32\backgroundTaskHost.exe [3056:7156]   00007ffc45312a50

---- Processes - GMER 2.2 ----

Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0007ECE2-8365-46E6-810A-95FA751BD8B6}\mpengine.dll (*** suspicious ***) @ C:\Program Files\Windows Defender\MsMpEng.exe [1636] (Microsoft Malware Protection Engine/Microsoft Corporation SIGNED)(2017-05-08 07:32:03)   00007ffc35270000

---- Registry - GMER 2.2 ----

Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed   -1292900505
Reg     HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start   2
Reg     HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName   Global\MMF_BITS22669a0b-7032-4996-a652-4a93b041a183
Reg     HKLM\SYSTEM\CurrentControlSet\Services\BITS
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch   5831
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{15D2C6BA-9E93-43F3-AC48-0DBAF89BBDDC}   v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.WindowsStore_11701.1001.99.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsStore/Resources/StoreTitle}|Desc=@{Microsoft.WindowsStore_11701.1001.99.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsStore/Resources/StoreTitle}|LUOwn=S-1-5-21-4209176039-989615511-254759449-1001|AppPkgId=S-1-15-2-1609473798-1231923017-684268153-4268514328-882773646-2760585773-1760938157|EmbedCtxt=@{Microsoft.WindowsStore_11701.1001.99.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsStore/Resources/StoreTitle}|Platform=2:6:2|Platform2=GTEQ|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{CE97CF06-A902-46BF-94C6-5787C2401BF5}   v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.WindowsStore_11701.1001.99.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsStore/Resources/StoreTitle}|Desc=@{Microsoft.WindowsStore_11701.1001.99.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsStore/Resources/StoreTitle}|LUOwn=S-1-5-21-4209176039-989615511-254759449-1001|AppPkgId=S-1-15-2-1609473798-1231923017-684268153-4268514328-882773646-2760585773-1760938157|EmbedCtxt=@{Microsoft.WindowsStore_11701.1001.99.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsStore/Resources/StoreTitle}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{CE5B5DF1-EC6C-4977-A6D1-E3DA06190D55}   v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.WindowsStore_11701.1001.99.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsStore/Resources/StoreTitle}|Desc=@{Microsoft.WindowsStore_11701.1001.99.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsStore/Resources/StoreTitle}|LUOwn=S-1-5-21-4209176039-989615511-254759449-1001|AppPkgId=S-1-15-2-1609473798-1231923017-684268153-4268514328-882773646-2760585773-1760938157|EmbedCtxt=@{Microsoft.WindowsStore_11701.1001.99.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsStore/Resources/StoreTitle}|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{53CB6BAD-99FD-4679-8EF7-37C00A9823CD}   v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.WindowsStore_11701.1001.99.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsStore/Resources/StoreTitle}|Desc=@{Microsoft.WindowsStore_11701.1001.99.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsStore/Resources/StoreTitle}|LUOwn=S-1-5-21-4209176039-989615511-254759449-1001|AppPkgId=S-1-15-2-1609473798-1231923017-684268153-4268514328-882773646-2760585773-1760938157|EmbedCtxt=@{Microsoft.WindowsStore_11701.1001.99.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsStore/Resources/StoreTitle}|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{C37CF91D-7EA2-4CAA-B98E-5A1F914CD277}   v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.WindowsStore_11701.1001.99.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsStore/Resources/StoreTitle}|Desc=@{Microsoft.WindowsStore_11701.1001.99.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsStore/Resources/StoreTitle}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4209176039-989615511-254759449-1001|AppPkgId=S-1-15-2-1609473798-1231923017-684268153-4268514328-882773646-2760585773-1760938157|EmbedCtxt=@{Microsoft.WindowsStore_11701.1001.99.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsStore/Resources/StoreTitle}|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{48BC846D-237E-4D8A-A0CA-D128169BE373}   v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.WindowsStore_11701.1001.99.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsStore/Resources/StoreTitle}|Desc=@{Microsoft.WindowsStore_11701.1001.99.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsStore/Resources/StoreTitle}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-4209176039-989615511-254759449-1001|AppPkgId=S-1-15-2-1609473798-1231923017-684268153-4268514328-882773646-2760585773-1760938157|EmbedCtxt=@{Microsoft.WindowsStore_11701.1001.99.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsStore/Resources/StoreTitle}|
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{95f4eebd-b6a2-409e-b0f3-5e560437e65e}@LeaseObtainedTime   1494247182
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{95f4eebd-b6a2-409e-b0f3-5e560437e65e}@T1   1494290382
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{95f4eebd-b6a2-409e-b0f3-5e560437e65e}@T2   1494322782
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{95f4eebd-b6a2-409e-b0f3-5e560437e65e}@LeaseTerminatesTime   1494333582
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated   0x8D 0x2C 0xC1 0xF9 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh   0x8D 0x94 0x85 0x5B ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow   0x8D 0xC4 0xFC 0x97 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List   13882 13888 13898 13908 13928 13972 13982 14020 14026 14042
Reg     HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter   14048
Reg     HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help   14049
Reg     HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter   13882
Reg     HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help   13883

---- EOF - GMER 2.2 ----
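The one entry GMER marks "(*** suspicious ***)" in this report is mpengine.dll loaded from the Defender definition-update directory into MsMpEng.exe, and the same line records the module as Microsoft-signed. When triaging a log like this it helps to keep the flag and the signature status side by side rather than reacting to the flag alone. The parser below is an added example, not part of GMER or of the original report: it splits a GMER 2.2 log into its "---- name - GMER 2.2 ----" sections, parses the Library lines of the Processes section into structured records (module, host process, PID, signer field, suspicious flag), counts threads per process from the Threads section, and assigns a simple triage label. The field layout of the Library and Thread lines is taken from the lines above; the SAMPLE_LOG is a constructed excerpt of those lines, and the regular expressions and the triage rule are this example's assumptions, not GMER's own logic.

```python
"""Parse a GMER 2.2 rootkit-scan log and triage the entries GMER flags.

Added example; not part of GMER or of the report it is illustrating. The line
formats below are inferred from a GMER 2.2 report; the regexes and the triage
rule are this example's own assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Section headers look like: ---- Processes - GMER 2.2 ----
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")

# Processes section, Library lines:
# Library <module> [(*** suspicious ***)] @ <host exe> [<pid>] (<signer>)(<timestamp>) <address>
LIBRARY_RE = re.compile(
    r"^Library\s+(?P<module>.+?)(?P<flag>\s+\(\*\*\* suspicious \*\*\*\))?\s+@\s+"
    r"(?P<host>.+?)\s+\[(?P<pid>\d+)\]\s+\((?P<signer>[^)]*)\)\((?P<stamp>[^)]*)\)\s+"
    r"(?P<addr>[0-9a-fA-F]+)$"
)

# Threads section: Thread <image> [<pid>:<tid>] <start address>
THREAD_RE = re.compile(
    r"^Thread\s+(?P<image>.+?)\s+\[(?P<pid>\d+):(?P<tid>\d+)\]\s+(?P<addr>[0-9a-fA-F]+)$"
)

# Constructed excerpt of the report above (the Library line is copied verbatim).
SAMPLE_LOG = r"""GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-05-08 15:13:16
---- Devices - GMER 2.2 ----
Device  \Driver\Ndisuio \Device\Ndisuio      fffff803e387d0d0
---- Threads - GMER 2.2 ----
Thread  C:\Windows\system32\svchost.exe [1236:2672]   00007ffc390e1240
Thread  C:\Windows\system32\svchost.exe [1236:2684]   00007ffc3746a3b0
Thread  C:\Windows\system32\csrss.exe [4908:4068]   ffffcae5f9196c20
---- Processes - GMER 2.2 ----
Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0007ECE2-8365-46E6-810A-95FA751BD8B6}\mpengine.dll (*** suspicious ***) @ C:\Program Files\Windows Defender\MsMpEng.exe [1636] (Microsoft Malware Protection Engine/Microsoft Corporation SIGNED)(2017-05-08 07:32:03)   00007ffc35270000
---- EOF - GMER 2.2 ----
"""


@dataclass
class LibraryEntry:
    module: str
    host: str
    pid: int
    signer: str
    flagged: bool  # True when GMER printed (*** suspicious ***)

    @property
    def signed(self) -> bool:
        # GMER appends "SIGNED" to the description/company field when the
        # module carries a valid Authenticode signature (as in the report line).
        return self.signer.rstrip().endswith("SIGNED")

    @property
    def triage(self) -> str:
        # Assumed triage rule: a flagged module with no valid signature is the
        # real lead; a flagged but signed module still needs its path checked.
        if self.flagged and not self.signed:
            return "investigate"
        if self.flagged:
            return "review"
        return "ok"


def split_sections(text: str) -> dict[str, list[str]]:
    """Group non-empty lines under the GMER section header they follow."""
    sections: dict[str, list[str]] = {}
    current = "header"  # lines before the first ---- header ----
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def parse_libraries(text: str) -> list[LibraryEntry]:
    """Parse every Library line in the Processes section."""
    entries: list[LibraryEntry] = []
    for line in split_sections(text).get("Processes", []):
        m = LIBRARY_RE.match(line)
        if m:
            entries.append(LibraryEntry(m["module"], m["host"], int(m["pid"]),
                                        m["signer"], m["flag"] is not None))
    return entries


def thread_counts(text: str) -> dict[str, int]:
    """Number of threads GMER listed per process image in the Threads section."""
    counts: Counter[str] = Counter()
    for line in split_sections(text).get("Threads", []):
        m = THREAD_RE.match(line)
        if m:
            counts[m["image"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for entry in parse_libraries(SAMPLE_LOG):
        print(f"{entry.triage:12} {entry.module} -> {entry.host} [{entry.pid}] signed={entry.signed}")
    for image, n in thread_counts(SAMPLE_LOG).items():
        print(f"{n:3} threads  {image}")
```

Run against the full report, the Defender engine line comes out as "review" (flagged, but signed by Microsoft Corporation), which is the distinction a reader should draw before treating the flag as evidence of a rootkit; an unsigned flagged module would come out as "investigate".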