GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-08-20 13:55:30
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000028 ST1000DM003-1ER162 rev.CC45 931,51GB
Running: c6zr5j63.exe; Driver: C:\Users\user\AppData\Local\Temp\pxldapow.sys

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\csrss.exe [648:672] fffff960008c72d0

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xCD 0x36 0x8C 0xE4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xA4 0x16 0xEA 0x7C ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0xCD 0x36 0x8C 0xE4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x85 0x02 0xF6 0x7C ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 43
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\HTCAFC8T81105436_0B_07CE_1D^F5BA7FE4C1EC5139DC21F4EE89B01912@Timestamp 0xD7 0x3D 0x79 0x42 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 1224046149
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 2c50df75-3ae5-49df-9d9f-3ce99b8
Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{4840db3e-f63c-47aa-b35d-80b7eb6edfb2}
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{75ab6c59-1282-4300-8683-ba1e88d25981}@LastProbeTime 1440071120
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{8308484a-52ad-429a-bb99-bdc840d2ca1f}@LastProbeTime 1440071120
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{85173EF5-1425-4EF3-85EB-4738A033C0C5}@DefunctTimestamp 0xAD 0xA1 0xD5 0x55 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Tag 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@ImagePath \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@DisplayName MBAMSwissArmy
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Group FSFilter Activity Monitor
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@WOW64 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances@DefaultInstance MBAMSwissArmy Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances\MBAMSwissArmy Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances\MBAMSwissArmy Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?Cz?, ?sie ?20 ?15, 11:47:45
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 5779
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 1393
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 45
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66980A73-94AA-47DE-8EFF-C57CA8A8F07C}@LeaseObtainedTime 1440063918
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66980A73-94AA-47DE-8EFF-C57CA8A8F07C}@T1 1455831918
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66980A73-94AA-47DE-8EFF-C57CA8A8F07C}@T2 1467657918
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66980A73-94AA-47DE-8EFF-C57CA8A8F07C}@LeaseTerminatesTime 1471599918
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D5595FDD-0588-4376-B040-7BBB9EB9591A}@LeaseObtainedTime 1440063910
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D5595FDD-0588-4376-B040-7BBB9EB9591A}@T1 1440193510
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D5595FDD-0588-4376-B040-7BBB9EB9591A}@T2 1440290710
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D5595FDD-0588-4376-B040-7BBB9EB9591A}@LeaseTerminatesTime 1440323110
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter 95
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0xDE 0x27 0xE2 0xF4 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0xDE 0x27 0xE2 0xF4 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherBandwidthBucketCounter 13606
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherRequestBucketCounter 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0xDE 0x27 0xE2 0xF4 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter 51485
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0xDE 0x27 0xE2 0xF4 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@RoamingSyncToken LM%3d63575663667290%3bID%3dE661B65959BE5C1B!107%3bLR%3d63575660163757%3bEP%3d4%3bTD%3dTrue%3bSO%3d0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime 0xA1 0xD9 0x55 0xCB ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations 9
Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_c6zr5j63.exe_e74c9ba065d6a558caf7162112d19953a46dd_ee393d7a_12f4f713

---- Files - GMER 2.1 ----

File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb0000B.log 0 bytes

---- EOF - GMER 2.1 ----