GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-13 00:01:35
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002d TOSHIBA_MQ01ABF050 rev.AM0P1A 465,76GB
Running: gmer.exe; Driver: C:\Users\Mateusz\AppData\Local\Temp\pxldqpow.sys

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [5544:1896]  ffffafe507296c20
Thread  C:\WINDOWS\Explorer.EXE [952:6100]  00007ffabc3f20e0
Thread  C:\WINDOWS\Explorer.EXE [952:6700]  00007ffabc3f20e0
Thread  C:\WINDOWS\Explorer.EXE [952:6268]  00007ffabbef20e0
Thread  C:\WINDOWS\Explorer.EXE [952:6692]  00007ffabbef20e0
Thread  C:\WINDOWS\Explorer.EXE [952:2260]  00007ffabbef20e0

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  ??????????????X??????$??????????Us?uga u?ytkownika powiadomie? WNS_21748e13?????? ???????d???????????d?X??????????????????????????????????????p?|??????\????????????????????????????????????????????????????????MS????4?????? ???????$???????????????????????????????d????????????????Z??????w?????nco??@%SystemRoot%\system32\WpnUserService.dll,-2????v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.WindowsStore_11609.1001.24.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsStore/Resources/StoreTitle}|Desc=@{Microsoft.WindowsStore_11609.1001.24.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsStore/Resources/StoreTitle}|LUOwn=S-1-5-21-1698314851-326736941-3311299484-1000|AppPkgId=S-1-15-2-1609473798-1231923017-684268153-4268514328-882773646-2760585773-1760938157|EmbedCtxt=@{Microsoft.WindowsStore_11609.1001.24.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsStore/Resources/StoreTitle}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE|??D}??v2.26|AppPkgId=S-1-15-2-160
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  -2043704580
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\b0-c2-87-e0-1a-30@ClientLocalPort  52023
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\b0-c2-87-e0-1a-30@AddressCreationTimestamp  0x11 0x72 0x0E 0x0E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\b0-c2-87-e0-1a-30@NatDetectionTimestamp  0x41 0x6E 0x0E 0x0E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\b0-c2-87-e0-1a-30@TeredoAddress  2001:0:5ef5:79fb:30b0:34c8:b1f4:4758
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  320
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0x03 0x71 0xFA 0xF2 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0x03 0xD9 0xBE 0x54 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0x03 0x09 0x36 0x91 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\c38fbcf2@NotificationsCount  1
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds  E7CF176E110C211B?{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe?windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel?
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@E7CF176E110C211B  0x8F 0xE2 0x70 0x4F ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe  0xAE 0xF5 0x22 0x88 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel  0x83 0x3B 0x5D 0x50 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{0B64EED6-07C1-4476-93B9-D1E0C164B057}@LastAccessedTime  0x90 0xC0 0x63 0x25 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{0B64EED6-07C1-4476-93B9-D1E0C164B057}@LaunchCount  1
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{152290C6-BCF2-4B00-A9CD-ECB93AF578A2}@LastAccessedTime  0xE0 0xD5 0x22 0x88 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{152290C6-BCF2-4B00-A9CD-ECB93AF578A2}@LaunchCount  9
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{481EC240-4E6F-4791-94E4-6415CC5DCFE8}@LastAccessedTime  0x60 0x41 0x0F 0x50 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{481EC240-4E6F-4791-94E4-6415CC5DCFE8}@LaunchCount  6
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2020-2020-F48F-3EC478DC946A}@01  0x00 0x90 0x44 0x6E ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2020-2020-F48F-3EC478DC946A}@10  0x00 0x20 0xA3 0x64 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2020-2020-F48F-3EC478DC946A}@16  0x00 0x40 0xDE 0xC2 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2020-2020-F48F-3EC478DC946A}@18  0x00 0xE0 0x43 0x6A ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2020-2020-F48F-3EC478DC946A}@22  0x00 0xB0 0x09 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2020-2020-F48F-3EC478DC946A}@29  0x00 0x10 0xF3 0x0C ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2020-2020-F48F-3EC478DC946A}@00  0x00 0xA0 0x3A 0x7C ...

---- EOF - GMER 2.2 ----