GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-02-08 17:30:22
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000034 ST500LX012-SSHD-8GB rev.0001LVM1 465,76GB
Running: 6qcdu7jw.exe; Driver: C:\Users\ORIANA~1\AppData\Local\Temp\ffndrfow.sys

---- Devices - GMER 2.2 ----

Device \Driver\USBAAPL64 \Device\00000068 fffff800447e11dc

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [664:708] ffffa32740336c20
Thread C:\WINDOWS\system32\svchost.exe [892:80] 00007ffb68d3f950
Thread C:\WINDOWS\system32\svchost.exe [892:76] 00007ffb68d3ed20
Thread C:\WINDOWS\system32\svchost.exe [892:384] 00007ffb68b58ae0
Thread C:\WINDOWS\system32\svchost.exe [584:3688] 00007ffb53c41a50
Thread C:\WINDOWS\system32\svchost.exe [584:4300] 00007ffb514939b0
Thread C:\WINDOWS\system32\svchost.exe [584:4700] 00007ffb4d8a1040
Thread C:\WINDOWS\system32\svchost.exe [584:8772] 00007ffb3900fe40
Thread C:\WINDOWS\system32\svchost.exe [584:7296] 00007ffb3900fe40
Thread C:\WINDOWS\system32\svchost.exe [584:552] 00007ffb3900fe40
Thread C:\WINDOWS\system32\svchost.exe [584:2464] 00007ffb39015ed0
Thread C:\WINDOWS\system32\svchost.exe [584:3044] 00007ffb3900fe40
Thread C:\WINDOWS\system32\svchost.exe [584:9540] 00007ffb39015ed0
Thread C:\WINDOWS\system32\svchost.exe [584:11048] 00007ffb635930f0
Thread C:\WINDOWS\system32\svchost.exe [1112:3316] 00007ffb5641af40
Thread C:\WINDOWS\system32\svchost.exe [1112:3468] 00007ffb5641ca00
Thread C:\WINDOWS\system32\svchost.exe [1112:4828] 00007ffb4d7e1240
Thread C:\WINDOWS\system32\svchost.exe [1112:4832] 00007ffb4cfca3b0
Thread C:\WINDOWS\system32\svchost.exe [1112:4864] 00007ffb4cf625e0
Thread C:\WINDOWS\system32\svchost.exe [1112:5520] 00007ffb46b43bc0
Thread C:\Windows\System32\WUDFHost.exe [1156:2272] 00007ffb5bca6e70
Thread C:\Windows\System32\WUDFHost.exe [1156:2280] 00007ffb63132cf0
Thread C:\Windows\System32\WUDFHost.exe [1156:2288] 00007ffb5bb0ed10
Thread C:\Windows\System32\WUDFHost.exe [1156:2296] 00007ffb5b983b60
Thread C:\WINDOWS\System32\svchost.exe [1596:9152] 00007ffb5b3ddbe0
Thread C:\WINDOWS\System32\svchost.exe [1596:9148] 00007ffb5b3ddbe0
Thread C:\WINDOWS\system32\svchost.exe [1768:1884] 00007ffb62a6e830
Thread C:\WINDOWS\system32\svchost.exe [1768:1892] 00007ffb629910a0
Thread C:\WINDOWS\system32\svchost.exe [1768:2100] 00007ffb63132cf0
Thread C:\WINDOWS\system32\svchost.exe [1768:2136] 00007ffb5f875bd0
Thread C:\WINDOWS\system32\svchost.exe [1768:2160] 00007ffb5f879b20
Thread C:\WINDOWS\system32\svchost.exe [1768:2168] 00007ffb63132cf0
Thread C:\WINDOWS\system32\WLANExt.exe [1652:2128] 00007ffb5e9b4094
Thread C:\WINDOWS\system32\WLANExt.exe [1652:2144] 00007ffb5ebab2b0
Thread C:\WINDOWS\system32\WLANExt.exe [1652:2156] 00007ffb5e9b4094
Thread C:\WINDOWS\system32\WLANExt.exe [1652:2216] 00007ffb63132cf0
Thread C:\WINDOWS\system32\WLANExt.exe [1652:4632] 00007ffb63132cf0
Thread C:\WINDOWS\system32\WLANExt.exe [1652:4932] 00007ffb5eb08ef0
Thread C:\WINDOWS\system32\WLANExt.exe [1652:4936] 00007ffb5cb646d0
Thread C:\WINDOWS\system32\WLANExt.exe [1652:4940] 00007ffb5cb646ec
Thread C:\WINDOWS\system32\WLANExt.exe [1652:4944] 00007ffb5cb646b4
Thread C:\WINDOWS\system32\WLANExt.exe [1652:4948] 00007ffb63132cf0
Thread C:\WINDOWS\system32\conhost.exe [1924:2080] 00007ffb5f5da3e0
Thread C:\Windows\System32\WUDFHost.exe [2320:2356] 00007ffb5b7e2934
Thread C:\WINDOWS\system32\svchost.exe [2456:2636] 00007ffb5bb0ed10
Thread C:\WINDOWS\system32\svchost.exe [2456:2652] 00007ffb5b2d4180
Thread C:\WINDOWS\system32\svchost.exe [2456:3060] 00007ffb57b41f20
Thread C:\WINDOWS\system32\svchost.exe [2456:3064] 00007ffb5b2d4180
Thread C:\WINDOWS\system32\svchost.exe [2456:4088] 00007ffb5bad9ab0
Thread C:\WINDOWS\system32\svchost.exe [2456:4112] 00007ffb5bad9ab0
Thread C:\WINDOWS\system32\svchost.exe [2456:5612] 00007ffb4d265bc0
Thread C:\WINDOWS\system32\svchost.exe [2456:5616] 00007ffb4d277d70
Thread C:\WINDOWS\system32\svchost.exe [2456:5828] 00007ffb46c2b180
Thread C:\WINDOWS\system32\svchost.exe [2456:5856] 00007ffb46c2f5f0
Thread C:\WINDOWS\system32\wbem\wmiprvse.exe [4692:4796] 00007ffb4d836310
Thread C:\WINDOWS\system32\wbem\wmiprvse.exe [4692:4992] 00007ffb5e9b4094
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:6404] 00007ffb6b8a5f10
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:6408] 00007ffb6ac259c0
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:6412] 00007ffb60cd3a00
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:6416] 00007ffb61b448e0
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:6428] 00007ffb6ac270d0
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:6432] 00007ffb68ec11a0
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:6440] 00007ffb6ac259c0
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:6444] 00007ffb60cd3a00
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:6448] 00007ffb6b8a5f10
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:6456] 00007ffb4616caf0
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:6724] 00007ffb6b8a5f10
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:6728] 00007ffb6b8a5f10
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:6832] 00007ffb5f74e010
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:6944] 00007ffb60b928e0
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:6948] 00007ffb60b928e0
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:6952] 00007ffb60b928e0
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:6956] 00007ffb60b928e0
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:7000] 00007ffb6ac259c0
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:7008] 00007ffb60cd3a00
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:7080] 00007ffb42c29780
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:7084] 00007ffb5f74e010
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:592] 00007ffb6aeba200
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:6120] 00007ffb6ac259c0
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:300] 00007ffb60cd3a00
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:7732] 00007ffb5f74e010
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:10100] 00007ffb4b788790
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:9028] 00007ffb42b9f720
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:10244] 00007ffb60c2bac0
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:10248] 00007ffb60c2bac0
Thread C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [6372:10256] 00007ffb60c2bac0
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6476:6508] 00007ffb6b8a5f10
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6476:6512] 00007ffb6ac259c0
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6476:6532] 00007ffb60cd3a00
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6476:6536] 00007ffb61b448e0
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6476:6548] 00007ffb6ac270d0
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6476:6580] 00007ffb68ec11a0
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6476:6588] 00007ffb5f74e010
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6476:6592] 00007ffb6b8a5f10
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6476:6600] 00007ffb6b76b310
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6476:6608] 00007ffb3faad0e0
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6476:6612] 00007ffb3fb2b290
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6476:6616] 00007ffb3faea6a0
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6476:6780] 00007ffb54ab5f30
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6476:6840] 00007ffb3fb2b290
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6476:6848] 00007ffb6b76b310
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6476:6856] 00007ffb6b76b310
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6476:6876] 00007ffb3fb32d10
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6476:6900] 00007ffb3fb2b290
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6476:6904] 00007ffb61b42a60
Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [6476:6992] 00007ffb6aa72a50

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xB8 0x92 0xB7 0x47 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x10 0xE7 0x61 0xDB ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0xB8 0x92 0xB7 0x47 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x10 0xE7 0x61 0xDB ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 54
Reg HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Ngc\PregenKeys@ErrorCode 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\CMN14B60_1E_07DE_43^6C5422228C609ED19A15AE057575A79F@Timestamp 0x5D 0x43 0xE7 0x47 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 800
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 2710543
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1532390908
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 54
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 496346993
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 5313
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 5310
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID b65e2e3c-2fd8-4dd7-a87c-5ad83c2
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName Global\MMF_BITS3f8964be-ebdd-464b-bf96-eb2969142867
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\e09467bdf95b
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\e09467bdf95b@a434d95da899 0xE7 0x3A 0x17 0xFD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{b52fd324-9a3f-4dc6-8dcf-b199436efa45}@LastProbeTime 1486570152
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Diagnostics@ReadyBootTrainingCountSinceLastServicing 16
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ??r.?, ?lut ?08 ?17, 04:10:14 PM??????????????????????6????????
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@EffectivePends 481
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 11284
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 2654
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 53
Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 3714
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6e762f62-0e92-4b02-97de-9ecf8429f52b}@LeaseObtainedTime 1486566552
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6e762f62-0e92-4b02-97de-9ecf8429f52b}@T1 1486609752
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6e762f62-0e92-4b02-97de-9ecf8429f52b}@T2 1486642152
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6e762f62-0e92-4b02-97de-9ecf8429f52b}@LeaseTerminatesTime 1486652952
Reg HKLM\SYSTEM\CurrentControlSet\Services\TPM@OsBootCount 73
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xAB 0xF4 0x57 0x0A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xAB 0x5C 0x1C 0x6C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xAB 0x8C 0x93 0xA8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\2@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\2@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\3@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\3@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\4@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\4@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\5@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\5@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\6@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\6@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\7@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\7@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0x37 0xA2 0x5F 0x9A ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\36791372@NotificationsCount 2
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds Microsoft.Windows.ControlPanel?Baghair?{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe?
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Flighting@CachedFeatureString
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{D210EF67-54DC-4221-B5E2-CDE32995BBAF}
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{D210EF67-54DC-4221-B5E2-CDE32995BBAF}@LastAccessedTime 0x40 0x95 0x71 0x93 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{D210EF67-54DC-4221-B5E2-CDE32995BBAF}@AppId king.com.CandyCrushSaga_kgqvnymyfvs32!App
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{D210EF67-54DC-4221-B5E2-CDE32995BBAF}@LaunchCount 1

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----