GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-09-08 22:10:25
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TS128GSSD370S rev.O1225G 119,24GB
Running: pp64875q.exe; Driver: C:\Users\Kacper\AppData\Local\Temp\afldifog.sys

---- User code sections - GMER 2.2 ----

? C:\Windows\SYSTEM32\NTASN1.dll [412] entry point in ".rdata" section 000000006fddbb10
? C:\Windows\SYSTEM32\iertutil.dll [5336] entry point in ".rdata" section 000000007133d7a0
? C:\Windows\SYSTEM32\NTASN1.dll [5336] entry point in ".rdata" section 000000006fddbb10
? C:\Windows\system32\apphelp.dll [752] entry point in ".rdata" section 00000000727f0380

---- Threads - GMER 2.2 ----

Thread C:\Windows\system32\csrss.exe [560:644] fffff96048d14030

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xE9 0xEE 0xE9 0xCE ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x5A 0x79 0xBD 0x54 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0xE9 0xEE 0xE9 0xCE ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x5A 0x79 0xBD 0x54 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 21
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\GSM5A34407NDTC5R425_07_07DE_0C^67BDC680FEE8837D92E126A7A8385334@Timestamp 0xB3 0xEE 0x66 0xCF ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 668
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Users\Kacper\AppData\Local\Temp\~nsu.tmp\Au_.exe??\??\C:\Users\Kacper\AppData\Local\Temp\~nsu.tmp??\??\C:\Users\Kacper\AppData\Local\Temp\nsoD1D3.tmp\??\??\C:\Users\Kacper\AppData\Local\Temp\nsoD1D3.tmp\Lang\ENU.dll??\??\C:\Users\Kacper\AppData\Local\Temp\nsoD1D3.tmp\Lang\PLK.dll??
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -154742741
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 3c46fe55-fae3-4377-af6f-f88a658
Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{472cc789-1e1b-46fb-8e80-cd00b3d8bd88}
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{54123f3d-7fa8-4652-a838-aa67dc2422ab}@LastProbeTime 1473370811
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Tag 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@ImagePath \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@DisplayName MBAMSwissArmy
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Group FSFilter Activity Monitor
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@WOW64 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances@DefaultInstance MBAMSwissArmy Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances\MBAMSwissArmy Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances\MBAMSwissArmy Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_2d5d0\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_2d5d0\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_2d5d0\TriggerInfo
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_2d5d0\TriggerInfo\0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_2d5d0\TriggerInfo\0@Type 7
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_2d5d0\TriggerInfo\0@Action 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_2d5d0\TriggerInfo\0@Guid 0x16 0x28 0x7A 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_2d5d0\TriggerInfo\0@Data0 0x75 0x18 0xBC 0xA3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_2d5d0\TriggerInfo\0@DataType0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_2d5d0\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_2d5d0\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_2d5d0\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_2d5d0\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 2050
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 558
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 20
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{768ece06-f276-4591-8198-588ebc5e95e2}@LeaseObtainedTime 1473363611
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{768ece06-f276-4591-8198-588ebc5e95e2}@T1 1473367211
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{768ece06-f276-4591-8198-588ebc5e95e2}@T2 1473369911
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{768ece06-f276-4591-8198-588ebc5e95e2}@LeaseTerminatesTime 1473370811
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_2d5d0\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_2d5d0\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_2d5d0\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_2d5d0\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xAD 0xF3 0x4A 0x89 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xAD 0x5B 0x0F 0xEB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xAD 0x8B 0x86 0x27 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0xDF 0xCF 0x04 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance@MessageTime 0x07 0xC8 0x2B 0x60 ...

---- EOF - GMER 2.2 ----