GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-03-18 16:56:57
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002e ST1000LM014-SSHD-8GB rev.LVD3 931,51GB
Running: z8o6yfvg.exe; Driver: C:\Users\Maciek\AppData\Local\Temp\pfldypob.sys

---- Files - GMER 2.2 ----

File  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB4014329_RTM~31bf3856ad364e35~amd64~~10.0.1.0.cat  8842 bytes
File  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB4014329~31bf3856ad364e35~amd64~~10.0.1.0.cat  8842 bytes
File  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_1_for_KB4014329~31bf3856ad364e35~amd64~~10.0.1.0.cat  13336 bytes

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime  0xFF 0xED 0x9E 0xAC ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime  0xE9 0x3A 0xCA 0x49 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime  0xFF 0xED 0x9E 0xAC ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime  0xE9 0x3A 0xCA 0x49 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL  269
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD033A0_00_07DB_82^0C347888ABDF2AA846DFF8D24673327F@Timestamp  0x30 0xBD 0x70 0xAD ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  820
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  ?P?:?I???T??????????????v2.26|Action=Block|Active=TRUE|Dir=Out|Name=Microsoft Sticky Notes|Desc=Microsoft Sticky Notes|LUOwn=S-1-5-21-981693999-549935002-3115232519-1001|AppPkgId=S-1-15-2-3539788797-2700867667-1432428195-1581642-2885308443-3834444517-2495346167|EmbedCtxt=Microsoft Sticky Notes|?dC???&???????f???????????????????f???G?I?I?I?I?T?????????X???&???*???T???i?????????????????????Dir??v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Private|Profile=Public|RPort=2177|RA42=Ply2Renders|RA62=Ply2Renders|App=%SystemRoot%\system32\svchost.exe|Svc=Qwave|Name=@FirewallAPI.dll,-36016|Desc=@FirewallAPI.dll,-36017|EmbedCtxt=@FirewallAPI.dll,-36001|?tor??v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=2177|RA42=Ply2Renders|RA62=Ply2Renders|App=%SystemRoot%\system32\svchost.exe|Svc=Qwave|Name=@FirewallAPI.dll,-36014|Desc=@FirewallAPI.dll,-36015|EmbedCtxt=@FirewallAPI.dll,-36001|???v2.26|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Private|Profile=Public|RPort
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  -378426489
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID  b925f0fa-f373-499d-83cd-6416308
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName  \BaseNamedObjects\WDI_{55d34fc5-1417-48ab-a257-dedb0bf38079}
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00c2c62ca708
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00c2c62ca708@a0e9db0217c2  0x8B 0xE5 0x8F 0xB9 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bthserv\Parameters\BluetoothControlPanelTasks@State  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{98313494-3962-48e0-9dcf-669aadc95aec}@LastProbeTime  1489842666
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{721DC57B-C695-4901-8692-5AF6845A821F}@InterfaceName  Reusable ISATAP Interface {721DC57B-C695-4901-8692-5AF6845A821F}
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{721DC57B-C695-4901-8692-5AF6845A821F}@ReusableType  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\30-b5-c2-e3-04-8c@AddressCreationTimestamp  0xDE 0xB5 0xDD 0x0E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Diagnostics@ReadyBootTrainingCountSinceLastServicing  104
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime  sob., mar 18 17, 01:17:47 PM
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  6769
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  2174
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence  268
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79acb0ca-acfd-457a-8820-99b736dc984e}@LeaseObtainedTime  1489839066
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79acb0ca-acfd-457a-8820-99b736dc984e}@T1  1489842666
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79acb0ca-acfd-457a-8820-99b736dc984e}@T2  1489845366
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79acb0ca-acfd-457a-8820-99b736dc984e}@LeaseTerminatesTime  1489846266
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0x6D 0xB8 0x88 0x7D ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0x6D 0x20 0x4D 0xDF ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0x6D 0x50 0xC4 0x1B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List  69878 69884 69896 69906 69916 69936 69980 69990 70028 70034 70050
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter  70056
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help  70057
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter  69878
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help  69879
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask  0x64 0x62 0x03 0x00 ...

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [680:764]  ffffa0197aba6c20
Thread  C:\WINDOWS\system32\svchost.exe [924:492]  00007ffc3686f950
Thread  C:\WINDOWS\system32\svchost.exe [924:480]  00007ffc3686ed20
Thread  C:\WINDOWS\system32\svchost.exe [924:468]  00007ffc36728ae0
Thread  C:\WINDOWS\System32\svchost.exe [576:2888]  00007ffc2989fdf0
Thread  C:\WINDOWS\System32\svchost.exe [576:2896]  00007ffc298a2af0
Thread  C:\WINDOWS\System32\svchost.exe [576:2900]  00007ffc298a2a40
Thread  C:\WINDOWS\System32\svchost.exe [576:3076]  00007ffc29895c80
Thread  C:\WINDOWS\System32\svchost.exe [576:5736]  00007ffc297a51d0
Thread  C:\WINDOWS\System32\svchost.exe [576:5740]  00007ffc297a72d0
Thread  C:\WINDOWS\system32\svchost.exe [500:2148]  00007ffc29881670
Thread  C:\WINDOWS\system32\svchost.exe [500:6864]  00007ffc35daac90
Thread  C:\WINDOWS\system32\svchost.exe [500:6872]  00007ffc35da3590
Thread  C:\WINDOWS\system32\dwm.exe [1028:1236]  00007ffc35e91270
Thread  C:\WINDOWS\system32\dwm.exe [1028:1244]  00007ffc35b267a0
Thread  C:\WINDOWS\system32\dwm.exe [1028:1260]  00007ffc35cf4780
Thread  C:\WINDOWS\system32\dwm.exe [1028:1380]  00007ffc35b26820
Thread  C:\WINDOWS\system32\dwm.exe [1028:1396]  00007ffc35a92040
Thread  C:\WINDOWS\system32\dwm.exe [1028:1400]  00007ffc35a920f0
Thread  C:\WINDOWS\system32\dwm.exe [1028:1404]  00007ffc35a92190
Thread  C:\WINDOWS\system32\dwm.exe [1028:1456]  00007ffc32e4ea60
Thread  C:\WINDOWS\system32\svchost.exe [1120:1756]  00007ffc2e3c1040
Thread  C:\WINDOWS\system32\svchost.exe [1120:1760]  00007ffc2e4748e0
Thread  C:\WINDOWS\system32\svchost.exe [1120:1764]  00007ffc2e4748e0
Thread  C:\WINDOWS\system32\svchost.exe [1120:1772]  00007ffc2e3a1930
Thread  C:\WINDOWS\system32\svchost.exe [1120:3260]  00007ffc281039b0
Thread  C:\WINDOWS\system32\svchost.exe [1120:3264]  00007ffc280c1a50
Thread  C:\WINDOWS\system32\svchost.exe [1120:3088]  00007ffc2ea12cf0
Thread  C:\WINDOWS\system32\svchost.exe [1120:5760]  00007ffc1d23f2b0
Thread  C:\WINDOWS\system32\svchost.exe [1120:5960]  00007ffc1d21fe40
Thread  C:\WINDOWS\system32\svchost.exe [1120:5956]  00007ffc1d21fe40
Thread  C:\WINDOWS\system32\svchost.exe [1120:5968]  00007ffc1d21fe40
Thread  C:\WINDOWS\system32\svchost.exe [1120:5952]  00007ffc1d225ed0
Thread  C:\WINDOWS\system32\svchost.exe [1120:5948]  00007ffc1d21fe40
Thread  C:\WINDOWS\system32\svchost.exe [1120:2468]  00007ffc1d225ed0
Thread  C:\WINDOWS\system32\svchost.exe [1292:3396]  00007ffc27f83bc0
Thread  C:\WINDOWS\system32\svchost.exe [1292:3560]  00007ffc27f21240
Thread  C:\WINDOWS\system32\svchost.exe [1292:3564]  00007ffc26bfa3b0
Thread  C:\WINDOWS\system32\svchost.exe [1292:3568]  00007ffc26bd25e0
Thread  C:\WINDOWS\system32\svchost.exe [1292:6496]  00007ffc27f82080
Thread  [1836:1856]  00000000753e7ea0
Thread  C:\WINDOWS\system32\svchost.exe [1928:1964]  00007ffc2d53e830
Thread  C:\WINDOWS\system32\svchost.exe [1928:2000]  00007ffc2d4c10a0
Thread  C:\WINDOWS\system32\svchost.exe [1928:1240]  00007ffc2ea12cf0
Thread  C:\WINDOWS\system32\svchost.exe [1928:2100]  00007ffc2ba35bd0
Thread  C:\WINDOWS\system32\svchost.exe [1928:2112]  00007ffc2ba39b20
Thread  C:\WINDOWS\system32\svchost.exe [1928:2120]  00007ffc2ea12cf0
Thread  C:\WINDOWS\system32\svchost.exe [2020:1556]  00007ffc2cc344b0
Thread  C:\WINDOWS\system32\svchost.exe [2020:2080]  00007ffc37236750
Thread  C:\WINDOWS\System32\spoolsv.exe [1480:5804]  00007ffc29015bc0
Thread  C:\WINDOWS\System32\spoolsv.exe [1480:5820]  00007ffc28ff2740
Thread  C:\WINDOWS\System32\spoolsv.exe [1480:2276]  00007ffc228a1180
Thread  C:\WINDOWS\System32\spoolsv.exe [1480:3448]  00007ffc228c8e40
Thread  C:\WINDOWS\system32\svchost.exe [2664:3212]  00007ffc29015bc0
Thread  C:\WINDOWS\system32\svchost.exe [2664:3216]  00007ffc28ff2740
Thread  C:\Windows\System32\RuntimeBroker.exe [2756:4424]  00007ffc29251ba0
Thread  C:\Windows\System32\RuntimeBroker.exe [2756:6560]  00007ffc382fa200
Thread  C:\Program Files\Windows Defender\MsMpEng.exe [2864:4508]  00007ffc23b41070
Thread  C:\Program Files\Windows Defender\MsMpEng.exe [2864:4512]  00007ffc23b41070
Thread  C:\Windows\System32\rundll32.exe [5516:5544]  00000000681db368
Thread  C:\Windows\System32\rundll32.exe [5516:5552]  00000000681ce1ac

---- EOF - GMER 2.2 ----
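The log above is raw GMER output with no interpretation attached. As an added triage helper (this is not part of GMER or of the log; it is example code written for this page), the following Python splits a GMER 2.2 log into its `---- <Name> - GMER 2.2 ----` sections, parses the `Thread` and `Reg` entries, decodes the 10-digit DHCP lease timestamps as Unix epoch seconds, and points at two things that are visible in the log above and deserve a second look: a thread entry with no image path (`[1836:1856]`) and a thread whose start address lies in kernel space (the csrss.exe thread at `ffffa019...`). Neither is by itself evidence of a rootkit; they are simply the entries an analyst would check first. The sample lines are copied from the log above; the two-space field separator and the Unix-epoch reading of `LastProbeTime` are assumptions made for this example.

```python
"""Triage helper for a GMER 2.2 rootkit-scan log (added example, not GMER code)."""
import re
from datetime import datetime, timezone

# Constructed sample: a subset of lines copied from the GMER log on this page.
# Assumption: fields are separated by two or more spaces, as in the log above.
SAMPLE_LOG = r"""
GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-03-18 16:56:57
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002e ST1000LM014-SSHD-8GB rev.LVD3 931,51GB

---- Files - GMER 2.2 ----

File  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB4014329_RTM~31bf3856ad364e35~amd64~~10.0.1.0.cat  8842 bytes

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  820
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79acb0ca-acfd-457a-8820-99b736dc984e}@LeaseObtainedTime  1489839066
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{79acb0ca-acfd-457a-8820-99b736dc984e}@LeaseTerminatesTime  1489846266

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [680:764]  ffffa0197aba6c20
Thread  C:\WINDOWS\system32\svchost.exe [924:492]  00007ffc3686f950
Thread  [1836:1856]  00000000753e7ea0
Thread  C:\Windows\System32\rundll32.exe [5516:5544]  00000000681db368

---- EOF - GMER 2.2 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER 2\.2 ----$")
THREAD_ID_RE = re.compile(r"(?P<image>.*?)\s*\[(?P<pid>\d+):(?P<tid>\d+)\]")
# Values the log shows as 10-digit counts of seconds since 1970. The DHCP lease
# values are documented as such; treating LastProbeTime the same way is an assumption.
EPOCH_VALUE_NAMES = {"LeaseObtainedTime", "T1", "T2", "LeaseTerminatesTime", "LastProbeTime"}
# On x64 Windows, user-mode addresses lie below 0x00007FFFFFFFFFFF; anything
# with the high bits set is a kernel-space address.
KERNEL_SPACE_START = 0xFFFF800000000000


def parse_gmer_log(text):
    """Group non-empty lines under their section name; lines before the first
    section header go under 'Header'."""
    sections, current = {}, None
    for line in (l.rstrip() for l in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        else:
            sections.setdefault(current or "Header", []).append(line)
    return sections


def parse_thread(line):
    """'Thread  <image> [pid:tid]  <start address>' -> dict. The image may be absent."""
    parts = re.split(r"\s{2,}", line)
    if len(parts) != 3 or parts[0] != "Thread":
        raise ValueError(f"not a GMER thread line: {line!r}")
    m = THREAD_ID_RE.fullmatch(parts[1])
    if not m:
        raise ValueError(f"unparseable thread identity: {parts[1]!r}")
    start = int(parts[2], 16)
    return {
        "image": m.group("image") or None,
        "pid": int(m.group("pid")),
        "tid": int(m.group("tid")),
        "start": start,
        "kernel_space": start >= KERNEL_SPACE_START,
    }


def parse_reg(line):
    """'Reg  <key>@<value>  <data>' -> dict; a bare key has no value or data."""
    parts = re.split(r"\s{2,}", line, maxsplit=2)
    if parts[0] != "Reg" or len(parts) < 2:
        raise ValueError(f"not a GMER registry line: {line!r}")
    key, _, value = parts[1].partition("@")
    data = parts[2] if len(parts) == 3 else None
    entry = {"key": key, "value": value or None, "data": data}
    if value in EPOCH_VALUE_NAMES and data and data.isdigit():
        ts = datetime.fromtimestamp(int(data), tz=timezone.utc)
        entry["data_utc"] = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    return entry


def triage(text):
    """Parse the log and list the thread entries worth checking first."""
    sections = parse_gmer_log(text)
    threads = [parse_thread(l) for l in sections.get("Threads", [])]
    registry = [parse_reg(l) for l in sections.get("Registry", [])]
    findings = []
    for t in threads:
        if t["image"] is None:
            findings.append(f"thread {t['pid']}:{t['tid']} has no image path resolved "
                            f"(start {t['start']:016x})")
        if t["kernel_space"]:
            findings.append(f"thread {t['pid']}:{t['tid']} in {t['image']} starts at "
                            f"kernel-space address {t['start']:016x}")
    return {"sections": sections, "threads": threads, "registry": registry, "findings": findings}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)["findings"]:
        print(f)
```

Run against the full log rather than the sample and the same two entries surface; everything else in the Threads section is a user-mode address inside a named system binary, and the Registry section is dominated by timestamps, lease times and performance-counter bookkeeping that change on every boot.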