GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-05-15 16:22:22
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000033 WDC_WD10EZEX-08M2NA0 rev.01.01A01 931,51GB
Running: zz081ut2.exe; Driver: C:\Users\gtx\AppData\Local\Temp\pgriqpow.sys

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x05 0x2C 0xA7 0xF3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xB5 0xF2 0x3E 0x4F ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 41
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\GSM5A26124805_02_07DE_48^2B04B5A5FCF53EE9FF772809AEB93812@Timestamp 0xCF 0xFF 0x97 0xF4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 872
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Windows\TEMP\BC7B.tmp??\??\C:\Windows\TEMP\4E99.tmp??\??\C:\Windows\TEMP\DEL4F84.tmp??\??\C:\Windows\TEMP\DEL5215.tmp??\??\C:\Windows\TEMP\DEL52E0.tmp??\??\C:\Users\gtx\AppData\Local\Temp\~nsu.tmp\Au_.exe??\??\C:\Users\gtx\AppData\Local\Temp\~nsu.tmp??
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -384462294
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID d611dcf8-d3af-4e89-876c-74978c8
Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{1c8b9d39-ee32-4e21-bca2-a158342a2c1b}
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{95e99db4-e6a6-4fe5-9c33-c0fdcea9ac5a}@LastProbeTime 1463315106
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6e32b\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6e32b\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6e32b\TriggerInfo
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6e32b\TriggerInfo\0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6e32b\TriggerInfo\0@Type 7
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6e32b\TriggerInfo\0@Action 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6e32b\TriggerInfo\0@Guid 0x16 0x28 0x7A 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6e32b\TriggerInfo\0@Data0 0x75 0x18 0xBC 0xA3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6e32b\TriggerInfo\0@DataType0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_6e32b\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_6e32b\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_6e32b\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_6e32b\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?niedz.?, ?maj ?15 ?16, 12:27:03
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 5257
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 1296
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 40
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{65f071ec-5fbb-42c2-aad6-1c638cf3c3c8}@LeaseObtainedTime 1463312976
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{65f071ec-5fbb-42c2-aad6-1c638cf3c3c8}@T1 1463314555
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{65f071ec-5fbb-42c2-aad6-1c638cf3c3c8}@T2 1463315905
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{65f071ec-5fbb-42c2-aad6-1c638cf3c3c8}@LeaseTerminatesTime 1463316576
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_6e32b\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_6e32b\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_6e32b\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_6e32b\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x12 0x5E 0xDF 0x5C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x12 0xC6 0xA3 0xBE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x12 0xF6 0x1A 0xFB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0x6D 0x7B 0x58 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsBandwidthBucketCounter 2780
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter 198
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0x8E 0x25 0xCD 0x66 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0x8E 0x25 0xCD 0x66 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0x8E 0x25 0xCD 0x66 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter 2780
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter 195
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0x8E 0x25 0xCD 0x66 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@RoamingSyncToken LM%3d63598908286847%3bID%3dA50DC79CB78FDDDC!198%3bLR%3d63598848894800%3bEP%3d5%3bSI%3d0%3bTD%3dTrue%3bSO%3d0%3bPI%3d49
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime 0x31 0x63 0x6A 0x63 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications@MobileBroadbandLastResetDate 0x9E 0x3A 0x24 0x60 ...

---- EOF - GMER 2.2 ----