GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-06 22:13:24
Windows 6.2.9200 x64
\Device\Harddisk0\DR0 -> \Device\0000002a ST500LT012-1DG142 rev.0002LVM1 465,76GB
Running: lc4653c3.exe; Driver: C:\Users\Lenovo\AppData\Local\Temp\pxlcapog.sys

---- User IAT/EAT - GMER 2.2 ----

IAT C:\Windows\Explorer.EXE[4032] @ C:\Windows\Explorer.EXE[UxTheme.dll!DrawThemeBackground] [e530060]
IAT C:\Windows\Explorer.EXE[4032] @ C:\Windows\Explorer.EXE[UxTheme.dll!DrawThemeText] [e530080]
IAT C:\Windows\Explorer.EXE[4032] @ C:\Windows\Explorer.EXE[UxTheme.dll!DrawThemeTextEx] [e5300a0]
IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4300] @ C:\Windows\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ff86875002c]
IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4300] @ C:\Windows\system32\USER32.dll[GDI32.dll!GetStockObject] [7ff86875006c]
IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4300] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!GetStockObject] [7ff86875006c]
IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4300] @ C:\Windows\system32\SHELL32.dll[USER32.dll!RegisterClassW] [7ff86816002c]
IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4300] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!GetStockObject] [7ff86875006c]
IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4300] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!RegisterClassW] [7ff86816002c]
IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4300] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7ff86875006c]
IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4300] @ C:\Windows\system32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ff86816002c]
IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4300] @ C:\Windows\system32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ff86875006c]
IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4300] @ C:\Windows\system32\ole32.dll[GDI32.dll!GetStockObject] [7ff86875006c]
IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4300] @ C:\Windows\system32\ole32.dll[USER32.dll!RegisterClassW] [7ff86816002c]
IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4300] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll[GDI32.dll!GetStockObject] [7ff86875006c]
IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4300] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll[USER32.dll!RegisterClassW] [7ff86816002c]
IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4300] @ C:\Windows\SYSTEM32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7ff800c2404c] C:\Program Files (x86)\Google\Chrome\Application\53.0.2785.143\chrome_child.dll

---- Threads - GMER 2.2 ----

Thread C:\Windows\system32\csrss.exe [920:944] fffff960009c22d0

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xC6 0x62 0x7D 0x1F ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x7F 0x27 0x82 0x1F ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xDD 0xF9 0x01 0xFB ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xCF 0xD2 0xFA 0xFA ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 13
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\AUO103C0_00_07DC_39^4BC853113685128507F1313088EFBD66@Timestamp 0x38 0x55 0xA6 0x20 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 1012
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{21DA7D3E-B4BB-4161-B408-8D9E1F736EAE}\Connection@Name Reusable ISATAP Interface {21DA7D3E-B4BB-4161-B408-8D9E1F736EAE}
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 3899993
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -588955792
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 15
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 485811664
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 4333
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 3871
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID dd30f5aa-3bda-4e07-b82a-b0794ed
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog@FileCounter 3
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger@FileCounter 5
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\Avg\AV@RSPrefetchUsed 11219
Reg HKLM\SYSTEM\CurrentControlSet\Services\AVGIDSHA\backup_avg\AV@RSPrefetchUsed 18969
Reg HKLM\SYSTEM\CurrentControlSet\Services\AVGIDSHA\Parameters@Reboot 13
Reg HKLM\SYSTEM\CurrentControlSet\Services\Avgloga\backup_avg\AV@RSPrefetchUsed 18969
Reg HKLM\SYSTEM\CurrentControlSet\Services\Avgmfx64\backup_avg\AV@RSPrefetchUsed 18969
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0c8bfdef7cdd
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0c8bfdef7cdd@00242cde3a21 0x1D 0x24 0xAF 0x5F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\bthserv\Parameters\BluetoothControlPanelTasks@State 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a19f8328-8d6c-4b56-995e-784cb6473b16}@LastProbeTime 1475785592
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{21DA7D3E-B4BB-4161-B408-8D9E1F736EAE}@InterfaceName Reusable ISATAP Interface {21DA7D3E-B4BB-4161-B408-8D9E1F736EAE}
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{21DA7D3E-B4BB-4161-B408-8D9E1F736EAE}@ReusableType 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\f0-82-61-b3-8b-5a@ClientLocalPort 57868
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\f0-82-61-b3-8b-5a@AddressCreationTimestamp 0x5D 0x28 0x07 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\f0-82-61-b3-8b-5a@TeredoAddress 2001:0:9d38:90d7:8be:1df3:acfa:d02c
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\f0-82-61-b3-8b-5a@UPnPExternalPort 57868
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?Cz?, ?pa? ?06 ?16, 08:29:19???????????????????????????????????
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 3234
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 500
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-In v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|LPort=3587|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=p2psvc|Name=@%systemroot%\system32\provsvc.dll,-200|Desc=@%systemroot%\system32\provsvc.dll,-201|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-Out v2.22|Action=Allow|Active=FALSE|Dir=Out|Protocol=6|Profile=Private|RPort=3587|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=p2psvc|Name=@%systemroot%\system32\provsvc.dll,-203|Desc=@%systemroot%\system32\provsvc.dll,-204|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-In v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Private|LPort=3540|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|Name=@%systemroot%\system32\provsvc.dll,-205|Desc=@%systemroot%\system32\provsvc.dll,-206|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-Out v2.22|Action=Allow|Active=FALSE|Dir=Out|Protocol=17|Profile=Private|RPort=3540|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|Name=@%systemroot%\system32\provsvc.dll,-207|Desc=@%systemroot%\system32\provsvc.dll,-208|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 14
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BEBF18FA-C52C-498A-9AB9-44F70330C0C7}@LeaseObtainedTime 1475778384
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BEBF18FA-C52C-498A-9AB9-44F70330C0C7}@T1 1475821584
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BEBF18FA-C52C-498A-9AB9-44F70330C0C7}@T2 1475853984
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BEBF18FA-C52C-498A-9AB9-44F70330C0C7}@LeaseTerminatesTime 1475864784
Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter 38
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\iexplore@Count 88
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{553891B7-A0D5-4526-BE18-D3CE461D6310}\iexplore@Count 88

---- EOF - GMER 2.2 ----
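The "User IAT/EAT" section above is the part of a GMER log that needs triage: each line records an import-address-table entry in a process that no longer points at the exported function. The following script is an added example for working through that section; it is not part of the scan above and not GMER's own code. It assumes the line layout GMER 2.2 uses in the log above (`IAT <process>[<pid>] @ <importing module>[<dll>!<function>] [<hook address>]`, optionally followed by the module GMER resolved the hook address to, as on the dwrite.dll line). The sample lines are copied from the scan above; the grouping and the "unattributed" view are this example's own analysis, not a verdict about the machine.

```python
import re
from collections import defaultdict

# Assumed layout of one GMER 2.2 "User IAT/EAT" line (taken from the log above):
#   IAT <process>[<pid>] @ <importer>[<dll>!<function>] [<hook addr>] [<module owning hook addr>]
IAT_RE = re.compile(
    r"^IAT\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+@\s+"
    r"(?P<importer>.+?)\[(?P<dll>[^\]!]+)!(?P<func>[^\]]+)\]\s+"
    r"\[(?P<addr>[0-9A-Fa-f]+)\](?:\s+(?P<owner>\S.*?))?\s*$"
)

# Lines copied from the scan above (section header and a non-IAT line included to show they are skipped).
SAMPLE_LINES = [
    r"---- User IAT/EAT - GMER 2.2 ----",
    r"IAT C:\Windows\Explorer.EXE[4032] @ C:\Windows\Explorer.EXE[UxTheme.dll!DrawThemeBackground] [e530060]",
    r"IAT C:\Windows\Explorer.EXE[4032] @ C:\Windows\Explorer.EXE[UxTheme.dll!DrawThemeText] [e530080]",
    r"IAT C:\Windows\Explorer.EXE[4032] @ C:\Windows\Explorer.EXE[UxTheme.dll!DrawThemeTextEx] [e5300a0]",
    r"IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4300] @ C:\Windows\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ff86875002c]",
    r"IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4300] @ C:\Windows\system32\USER32.dll[GDI32.dll!GetStockObject] [7ff86875006c]",
    r"IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4300] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!GetStockObject] [7ff86875006c]",
    r"IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4300] @ C:\Windows\system32\SHELL32.dll[USER32.dll!RegisterClassW] [7ff86816002c]",
    r"IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4300] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!GetStockObject] [7ff86875006c]",
    r"IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4300] @ C:\Windows\SYSTEM32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7ff800c2404c] C:\Program Files (x86)\Google\Chrome\Application\53.0.2785.143\chrome_child.dll",
    r"Thread C:\Windows\system32\csrss.exe [920:944] fffff960009c22d0",
]


def parse_iat(lines):
    """Return one dict per IAT line; headers, blank lines and other sections are skipped."""
    records = []
    for line in lines:
        m = IAT_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["addr"] = int(rec["addr"], 16)
        rec["import"] = f"{rec['dll']}!{rec['func']}"
        records.append(rec)
    return records


def group_hooks(records):
    """Group entries by (process, pid, import, hook address).

    Several importing modules of one process sharing one hook address for the same
    import means the IAT slots were all redirected to a single target, i.e. one
    in-process hooking component rather than independent patches.
    """
    groups = defaultdict(lambda: {"importers": [], "owner": None})
    for r in records:
        g = groups[(r["process"], r["pid"], r["import"], r["addr"])]
        g["importers"].append(r["importer"])
        if r["owner"]:
            g["owner"] = r["owner"]
    return dict(groups)


def unattributed(records):
    """Hook targets GMER printed without an owning module: the entries to resolve by hand
    (e.g. against the process's loaded-module list) before drawing any conclusion."""
    return sorted({(r["process"], r["pid"], r["import"], r["addr"])
                   for r in records if not r["owner"]})


if __name__ == "__main__":
    recs = parse_iat(SAMPLE_LINES)
    for (proc, pid, imp, addr), g in group_hooks(recs).items():
        owner = g["owner"] or "<unresolved>"
        print(f"{proc.rsplit(chr(92), 1)[-1]}[{pid}] {imp} -> {addr:x} via {len(g['importers'])} importer(s), owner: {owner}")
    print("unattributed hook targets:", len(unattributed(recs)))
```

Run it against a full log by replacing `SAMPLE_LINES` with the file's lines; only the IAT section matches the pattern, so the rest of the log passes through untouched.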