GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-02-16 22:01:17
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000037 ST1000LM014-SSHD-8GB rev.LVD3 931,51GB
Running: 3llwu2fj.exe; Driver: C:\Users\MARCIN\AppData\Local\Temp\pxryipob.sys

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [684:744] ffffdf5b90936c20

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1419129408
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\a0a8cd1bc370
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\a0a8cd1bc370@b474435e4552 0x04 0xE2 0x0C 0x38 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\11@Timestamp 0x28 0x7F 0xEF 0xB1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?wt.?, ?lut ?14 ?17, 11:30:26??????????????????????????????????
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 8301
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{F459E179-B24B-45F5-8905-F9D3E288B4F3} v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Getstarted_4.4.11.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Getstarted/Resources/AppStoreName}|Desc=@{Microsoft.Getstarted_4.4.11.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Getstarted/Resources/AppStoreName}|LUOwn=S-1-5-21-1888970853-945745684-2655438926-1001|AppPkgId=S-1-15-2-1930852602-715273891-2259524165-1460409268-4224052142-2029744616-1797406285|EmbedCtxt=@{Microsoft.Getstarted_4.4.11.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Getstarted/Resources/AppStoreName}|Platform=2:6:2|Platform2=GTEQ|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{969623AE-C930-4B7C-81A6-5DE6CAA4A474} v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Getstarted_4.4.11.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Getstarted/Resources/AppStoreName}|Desc=@{Microsoft.Getstarted_4.4.11.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Getstarted/Resources/AppStoreName}|LUOwn=S-1-5-21-1888970853-945745684-2655438926-1001|AppPkgId=S-1-15-2-1930852602-715273891-2259524165-1460409268-4224052142-2029744616-1797406285|EmbedCtxt=@{Microsoft.Getstarted_4.4.11.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Getstarted/Resources/AppStoreName}|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{73EF93C4-5F1A-4FC9-B6BF-481D385AF117} v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Getstarted_4.4.11.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Getstarted/Resources/AppStoreName}|Desc=@{Microsoft.Getstarted_4.4.11.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Getstarted/Resources/AppStoreName}|LUOwn=S-1-5-21-1888970853-945745684-2655438926-1001|AppPkgId=S-1-15-2-1930852602-715273891-2259524165-1460409268-4224052142-2029744616-1797406285|EmbedCtxt=@{Microsoft.Getstarted_4.4.11.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Getstarted/Resources/AppStoreName}|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{414E53BD-63E4-4FA9-B8B5-9CC9990F00E4} v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Getstarted_4.4.11.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Getstarted/Resources/AppStoreName}|Desc=@{Microsoft.Getstarted_4.4.11.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Getstarted/Resources/AppStoreName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-1888970853-945745684-2655438926-1001|AppPkgId=S-1-15-2-1930852602-715273891-2259524165-1460409268-4224052142-2029744616-1797406285|EmbedCtxt=@{Microsoft.Getstarted_4.4.11.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Getstarted/Resources/AppStoreName}|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{903A8F43-4B88-469B-B7B7-24293206E2B9} v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.WindowsSoundRecorder_10.1701.10102.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsSoundRecorder/Resources/AppStoreName}|Desc=@{Microsoft.WindowsSoundRecorder_10.1701.10102.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsSoundRecorder/Resources/AppStoreName}|LUOwn=S-1-5-21-1888970853-945745684-2655438926-1001|AppPkgId=S-1-15-2-2679466428-2257802901-1755839644-3032159574-3452485508-990264208-3332697187|EmbedCtxt=@{Microsoft.WindowsSoundRecorder_10.1701.10102.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsSoundRecorder/Resources/AppStoreName}|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{7FD3B5C5-0DA0-417B-ABC3-FF2C3BD235CB} v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.WindowsSoundRecorder_10.1701.10102.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsSoundRecorder/Resources/AppStoreName}|Desc=@{Microsoft.WindowsSoundRecorder_10.1701.10102.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsSoundRecorder/Resources/AppStoreName}|LUOwn=S-1-5-21-1888970853-945745684-2655438926-1001|AppPkgId=S-1-15-2-2679466428-2257802901-1755839644-3032159574-3452485508-990264208-3332697187|EmbedCtxt=@{Microsoft.WindowsSoundRecorder_10.1701.10102.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsSoundRecorder/Resources/AppStoreName}|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{B805E5F5-73D7-4146-9704-21482E0C5006} v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.WindowsCalculator_10.1701.10102.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsCalculator/Resources/AppStoreName}|Desc=@{Microsoft.WindowsCalculator_10.1701.10102.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsCalculator/Resources/AppStoreName}|LUOwn=S-1-5-21-1888970853-945745684-2655438926-1001|AppPkgId=S-1-15-2-466767348-3739614953-2700836392-1801644223-4227750657-1087833535-2488631167|EmbedCtxt=@{Microsoft.WindowsCalculator_10.1701.10102.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsCalculator/Resources/AppStoreName}|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{BE2A99DC-317C-4E13-A58F-E843C00C0522} v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.WindowsCalculator_10.1701.10102.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsCalculator/Resources/AppStoreName}|Desc=@{Microsoft.WindowsCalculator_10.1701.10102.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsCalculator/Resources/AppStoreName}|LUOwn=S-1-5-21-1888970853-945745684-2655438926-1001|AppPkgId=S-1-15-2-466767348-3739614953-2700836392-1801644223-4227750657-1087833535-2488631167|EmbedCtxt=@{Microsoft.WindowsCalculator_10.1701.10102.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsCalculator/Resources/AppStoreName}|
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{106fc5df-7dd2-41ca-9bac-ba6a41bc5fa0}@LeaseObtainedTime 1487275266
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{106fc5df-7dd2-41ca-9bac-ba6a41bc5fa0}@T1 1487318466
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{106fc5df-7dd2-41ca-9bac-ba6a41bc5fa0}@T2 1487350866
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{106fc5df-7dd2-41ca-9bac-ba6a41bc5fa0}@LeaseTerminatesTime 1487361666
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{106FC5DF-7DD2-41CA-9BAC-BA6A41BC5FA0}@Dhcpv6State 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xF7 0x9A 0xD6 0xA0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xF7 0x02 0x9B 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xF7 0x32 0x12 0x3F ...
Reg HKLM\SYSTEM\Maps@LastMapUpdateCheck 0x03 0xFE 0x9E 0x74 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceSetup@AppInstallNotificationChangeStamp 257
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceSetup@AppUninstallNotificationChangeStamp 183
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter 111
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0x97 0xA0 0x3E 0xE0 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@E7CF176E110C211B 0xEF 0xD7 0x77 0xCD ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC@0 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth\Start Google Earth in DirectX mode.lnk?C:\Program Files (x86)\Google\Google Earth\client\googleearth.exe? -setDX?
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC@1 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth\Start Google Earth in OpenGL mode.lnk?C:\Program Files (x86)\Google\Google Earth\client\googleearth.exe? -setOGL?
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC@2 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth\Start Google Earth.lnk?C:\Program Files (x86)\Google\Google Earth\client\googleearth.exe??
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC@3 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth\Uninstall Google Earth.lnk?C:\Windows\System32\msiexec.exe?/x {F6430171-B86B-4639-839E-374913E7911D}?

---- EOF - GMER 2.2 ----