GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-06-13 19:58:51
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003c HGST_HTS545050A7E680 rev.GG2OAF10 465,76GB
Running: erjcymmy.exe; Driver: C:\Users\MATEUS~1\AppData\Local\Temp\kwliypog.sys

---- Kernel code sections - GMER 2.2 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable  fffff9600022da00 15 bytes {ADD BL, CH; JMP 0x5}
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 16  fffff9600022da10 11 bytes [00, D6, FB, FF, 40, AA, BF, ...]

---- Threads - GMER 2.2 ----

Thread  C:\Windows\system32\csrss.exe [564:572]  fffff960009c82d0
Thread  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [3476:2200]  000000007740b5b0
Thread  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [3476:1804]  000000006496c60c
Thread  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [3476:2680]  000000006496c60c
Thread  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [3476:3816]  000000006496c60c
Thread  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [3476:3416]  000000006496c60c
Thread  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [3476:2544]  000000006496c60c
Thread  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [3476:3152]  000000006496c60c
Thread  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [3476:4076]  0000000077574930
Thread  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [3476:3588]  0000000077574930
Thread  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [3476:3948]  0000000077574930
Thread  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\LiveComm.exe [136:7156]  00007ffa0c2e41d0
Thread  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\LiveComm.exe [136:5800]  00007ffa0a27da70
Thread  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\LiveComm.exe [136:7076]  00007ff9f8a371a0
Thread  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\LiveComm.exe [136:2796]  00007ffa0a27da70
Thread  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\LiveComm.exe [136:3884]  00007ff9f8a371a0
Thread  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\LiveComm.exe [136:4440]  00007ffa0092bf10
Thread  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\LiveComm.exe [136:6964]  00007ffa01f54540
Thread  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\LiveComm.exe [136:5828]  00007ffa09fd5a70

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime  0xE8 0x6C 0xB6 0x0B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime  0xB4 0x9F 0x77 0xC3 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime  0xD6 0xF6 0xBF 0x0B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime  0xAD 0x12 0xFB 0x69 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL  137
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\AUO36ED0_00_07DD_97^E198EA461D4DB4633DD1383360A349ED@Timestamp  0x77 0x77 0x83 0x0C ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  672
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes@ActivePowerScheme  8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  \??\C:\Users\MATEUS~1\AppData\Local\Temp\~nsu.tmp\Au_.exe??\??\C:\Users\MATEUS~1\AppData\Local\Temp\~nsu.tmp??\??\D:\DaemonToolsLite\imgengine.dll??\??\C:\Users\MATEUS~1\AppData\Local\Temp\nsb8862.tmp\??\??\C:\Users\MATEUS~1\AppData\Local\Temp\nsb8862.tmp\Lang\ENU.dll??\??\C:\Users\MATEUS~1\AppData\Local\Temp\nsb8862.tmp\Lang\PLK.dll??
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber  3900143
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  -2020433875
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId  161
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime  506893471
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime  2436
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime  2362
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID  374c12eb-3a87-49ed-956d-1395c8c
Reg  HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\USB\VID_13D3&PID_3414\00E04C000001@CSConfigFlags  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\40e230695ca6
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\40e230695ca6@001a6b8a425a  0xBE 0x26 0x28 0xA7 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\40e230695ca6@2008ed9bcb61  0x30 0xB3 0x5C 0x09 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bthserv\Parameters\BluetoothControlPanelTasks@State  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  33850
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  28680
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence  155
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4A2C0924-2947-4EF6-AB7C-8668BF877A80}@LeaseObtainedTime  1497367505
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4A2C0924-2947-4EF6-AB7C-8668BF877A80}@T1  1497368405
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4A2C0924-2947-4EF6-AB7C-8668BF877A80}@T2  1497369080
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4A2C0924-2947-4EF6-AB7C-8668BF877A80}@LeaseTerminatesTime  1497369305
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4A2C0924-2947-4EF6-AB7C-8668BF877A80}@DhcpConnForceBroadcastFlag  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A3F19873-16CE-486A-ADF8-17B7673264E7}@LeaseObtainedTime  1497367189
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A3F19873-16CE-486A-ADF8-17B7673264E7}@T1  1497368989
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A3F19873-16CE-486A-ADF8-17B7673264E7}@T2  1497370339
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A3F19873-16CE-486A-ADF8-17B7673264E7}@LeaseTerminatesTime  1497370789
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D921A3C6-14C6-4BB8-830C-FCA86B81C524}@LeaseObtainedTime  1497368193
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D921A3C6-14C6-4BB8-830C-FCA86B81C524}@T1  1497369093
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D921A3C6-14C6-4BB8-830C-FCA86B81C524}@T2  1497369768
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D921A3C6-14C6-4BB8-830C-FCA86B81C524}@LeaseTerminatesTime  1497369993
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D921A3C6-14C6-4BB8-830C-FCA86B81C524}@DhcpConnForceBroadcastFlag  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop  0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter  248
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CFER\OpenWithList@MRUList  ba
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.php\OpenWithList@MRUList  gcfbeda
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814}\iexplore@Count  28
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsBandwidthBucketCounter  61220
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter  99
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime  0x46 0x56 0xD5 0x6D ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime  0x46 0x56 0xD5 0x6D ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime  0x46 0x56 0xD5 0x6D ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter  61254
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter  97
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime  0x46 0x56 0xD5 0x6D ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime  0x42 0x71 0x8C 0x6A ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@RoamingSyncToken  LM%3d63632964800180%3bID%3d48B313CFE8156EB5!108%3bLR%3d63632964797197%3bEP%3d15%3bSI%3d0%3bTD%3dTrue%3bSO%3d0%3bPI%3d49
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest  0xB0 0x0D 0xD0 0xE3 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations  19
Reg  HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_NvStreamNetworkS_e168c0ed6de318d451f5e65cdb80fc9286b6982a_8b80cdda_0109035f

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----
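Added example (not part of the posted log and not GMER's own code): a small parser that splits a GMER 2.2 text log into its sections and pulls out the entries an analyst reads first, namely anything reported under "Kernel code sections", an "unknown MBR code" disk entry, and the paths queued in PendingFileRenameOperations. The SAMPLE string is a constructed excerpt of the entries above; the path recovery for PendingFileRenameOperations assumes GMER renders each NUL of the REG_MULTI_SZ value as "?" and every entry as \??\<path>, which is a heuristic, not a documented format. The scanner's own randomly named driver in Temp (kwliypog.sys here) is reported as informational, since GMER loads itself that way.

```python
import re
from collections import defaultdict

# Constructed excerpt of the log above, used as offline sample input.
SAMPLE = r"""GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-06-13 19:58:51
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003c HGST_HTS545050A7E680 rev.GG2OAF10 465,76GB
Running: erjcymmy.exe; Driver: C:\Users\MATEUS~1\AppData\Local\Temp\kwliypog.sys

---- Kernel code sections - GMER 2.2 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable  fffff9600022da00 15 bytes {ADD BL, CH; JMP 0x5}
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 16  fffff9600022da10 11 bytes [00, D6, FB, FF, 40, AA, BF, ...]

---- Threads - GMER 2.2 ----

Thread  C:\Windows\system32\csrss.exe [564:572]  fffff960009c82d0

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  672
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  \??\C:\Users\MATEUS~1\AppData\Local\Temp\~nsu.tmp\Au_.exe??\??\D:\DaemonToolsLite\imgengine.dll??
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
ENTRY_RE = re.compile(r"^(\.text|Thread|Reg|Disk)\s+(.*\S)\s*$")
THREAD_RE = re.compile(r"^(.*?) \[(\d+):(\d+)\]\s+([0-9a-f]+)$")
# Heuristic (assumption): each queued path is written as \??\<path> and ends at the first '?'.
PENDING_PATH_RE = re.compile(r"\\\?\?\\([^?]+)")


def parse_gmer(text):
    """Return (header dict, {section name: [(entry type, rest of line)]})."""
    header, sections, current = {}, defaultdict(list), "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current == "Header":
            m = re.match(r"^Running: (\S+); Driver: (.+)$", line)
            if m:
                header["scanner_exe"], header["scanner_driver"] = m.groups()
            elif line.startswith("Rootkit scan "):
                header["scan_time"] = line[len("Rootkit scan "):]
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections[current].append((m.group(1), m.group(2)))
    return header, dict(sections)


def parse_reg(rest):
    """Split 'KEY@VALUE  DATA' into (key, value, data); a bare key gives (key, None, None)."""
    key, at, tail = rest.partition("@")
    if not at:
        return key.strip(), None, None
    value, _, data = tail.partition(" ")
    return key.strip(), value, (data.strip() or None)


def pending_paths(data):
    """Recover the paths queued for rename/delete at next boot from GMER's rendering."""
    return PENDING_PATH_RE.findall(data)


def threads_by_process(sections):
    """Count reported threads per (image path, pid)."""
    counts = defaultdict(int)
    for _, rest in sections.get("Threads", []):
        m = THREAD_RE.match(rest)
        if m:
            counts[(m.group(1), int(m.group(2)))] += 1
    return dict(counts)


def triage(header, sections):
    """Return (category, detail) pairs an analyst should explain first."""
    findings = []
    # Anything reported inside a kernel code section or dispatch table comes first,
    # whether it turns out to be a real hook or a scanner artifact on this build.
    for _, rest in sections.get("Kernel code sections", []):
        findings.append(("kernel-code", rest))
    # "unknown MBR code": GMER did not recognise the boot sector; dump and compare it
    # against the installed boot loader before treating it as a bootkit.
    for _, rest in sections.get("Disk sectors", []):
        if "unknown MBR code" in rest:
            findings.append(("mbr", rest))
    for _, rest in sections.get("Registry", []):
        _, value, data = parse_reg(rest)
        if value == "PendingFileRenameOperations" and data:
            for path in pending_paths(data):
                findings.append(("pending-rename-or-delete", path))
    # GMER runs as a randomly named exe with a randomly named driver in Temp;
    # that driver is expected and is listed only for the record.
    if header.get("scanner_driver"):
        findings.append(("info-scanner-driver", header["scanner_driver"]))
    return findings


if __name__ == "__main__":
    hdr, secs = parse_gmer(SAMPLE)
    for category, detail in triage(hdr, secs):
        print(f"{category:26} {detail}")
```

Run it on a saved GMER log with `parse_gmer(open(path, encoding="utf-8", errors="replace").read())`; the thread and registry sections are kept whole so further rules (for example, thread start addresses outside any loaded module) can be added without re-parsing.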