GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-11-01 01:09:54
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002a ST1000DM003-9YN162 rev.CC4C 931,51GB
Running: bqy4nde4.exe; Driver: C:\Users\Varak\Temp\uwlcypoc.sys

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [980:996] ffff841b6cda6c20

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1016404552
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14734821600002280@SetupOperations ???=?????=?=?=??????????????????????????????????????????????????????????????? ????????>?>????????????????????????????????????????????????4???????????????? ????????>?>????????????????????????????????????????????????4???????????????? ????????????=?????
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3cc40a6d-0dbf-4648-acd5-4bf7087d9724}@LeaseObtainedTime 1477955740
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3cc40a6d-0dbf-4648-acd5-4bf7087d9724}@T1 1477955770
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3cc40a6d-0dbf-4648-acd5-4bf7087d9724}@T2 1477955792
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3cc40a6d-0dbf-4648-acd5-4bf7087d9724}@LeaseTerminatesTime 1477955800
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xA8 0xE1 0x1E 0x19 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xA8 0x49 0xE3 0x7A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xA8 0x79 0x5A 0xB7 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{6c5bb64b-7e87-11e6-9c31-bc5ff45911f3}
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{6c5bb64b-7e87-11e6-9c31-bc5ff45911f3}@Drive Type 1048593
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{6c5bb64b-7e87-11e6-9c31-bc5ff45911f3}@IsImapiDataBurnSupported 0
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{6c5bb64b-7e87-11e6-9c31-bc5ff45911f3}@Active 1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso\OpenWithProgids@DAEMON.Tools.Lite
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso\UserChoice
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso\UserChoice@Hash zPyUQxBo+Is=
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso\UserChoice@ProgId DAEMON.Tools.Lite
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mds\OpenWithProgids@DAEMON.Tools.Lite
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mds\UserChoice
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mds\UserChoice@Hash Qckur6DPPEM=
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mds\UserChoice@ProgId DAEMON.Tools.Lite
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Varak\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GOG.com\Wiedźmin 3® - Dziki Gon\Usuń Wiedźmin 3® - Dziki Gon.lnk 1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GOG.com\Wiedźmin 3® - Dziki Gon\Usuń Wiedźmin 3® - Dziki Gon.lnk 1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications@TimestampWhenSeen 0x4E 0x89 0x0C 0xA3 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@DAEMON Tools Lite Automount "D:\DAEMON Tools Lite\DTAgent.exe" -autorun
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds E7CF176E110C211B?
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Flighting@CachedFeatureString
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@E7CF176E110C211B 0x66 0x2E 0x83 0xEC ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{3BA9AA4E-21D1-4473-AE31-E0735577C7EA}
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{3BA9AA4E-21D1-4473-AE31-E0735577C7EA}@LastAccessedTime 0xF0 0x7A 0xC2 0xAB ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{3BA9AA4E-21D1-4473-AE31-E0735577C7EA}@AppId steam://rungameid/348540
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{3BA9AA4E-21D1-4473-AE31-E0735577C7EA}@LaunchCount 1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{64DC4876-CD6D-4699-8C32-EBCDEE351CFD}@LastAccessedTime 0x60 0x5F 0x98 0x22 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{64DC4876-CD6D-4699-8C32-EBCDEE351CFD}@LaunchCount 10
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{DF66B5D7-288E-4F07-9254-5EEE2B77F6FB}
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{DF66B5D7-288E-4F07-9254-5EEE2B77F6FB}@LastAccessedTime 0xF0 0xF7 0x81 0x80 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{DF66B5D7-288E-4F07-9254-5EEE2B77F6FB}@AppId D:\Kies\KiesAgent.exe
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{DF66B5D7-288E-4F07-9254-5EEE2B77F6FB}@LaunchCount 1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance@MessageTime 0xCD 0x8D 0x4C 0x35 ...

---- EOF - GMER 2.2 ----
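The log above is raw GMER output in which the column spacing between key, value name and data was collapsed when the page was extracted. As an added example, written here and not part of GMER or of the original post, the following Python parses such a log into structured records (section headers, `Thread` lines, `Reg` lines) and then pulls out the autostart entries, which are the lines a reviewer looks at first in a scan like this: here the single `HKCU\...\CurrentVersion\Run` value launching `DTAgent.exe`. The sample lines are copied from the log on this page; the split between value name and data is heuristic (quoted string, hex dump, trailing integer, else first token) because GMER's column alignment is gone, and the set of autostart key fragments is a small assumed list, not anything GMER itself emits.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input copied from the GMER log on this page (column whitespace collapsed by extraction).
SAMPLE_LOG = r'''
---- Threads - GMER 2.2 ----
Thread C:\WINDOWS\system32\csrss.exe [980:996] ffff841b6cda6c20
---- Registry - GMER 2.2 ----
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1016404552
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xA8 0x49 0xE3 0x7A ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{6c5bb64b-7e87-11e6-9c31-bc5ff45911f3}@Drive Type 1048593
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso\UserChoice
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iso\UserChoice@ProgId DAEMON.Tools.Lite
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@DAEMON Tools Lite Automount "D:\DAEMON Tools Lite\DTAgent.exe" -autorun
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{DF66B5D7-288E-4F07-9254-5EEE2B77F6FB}@AppId D:\Kies\KiesAgent.exe
---- EOF - GMER 2.2 ----
'''


@dataclass
class ThreadEntry:
    image: str      # process image the thread belongs to
    pid: int
    tid: int
    address: int    # thread start address as reported by GMER


@dataclass
class RegEntry:
    key: str                    # full key path including hive abbreviation
    value_name: Optional[str]   # None for key-only lines
    data: Optional[str]         # raw data text, None when GMER printed none


SECTION_RE = re.compile(r'^---- (?P<name>.+?) - GMER')
THREAD_RE = re.compile(r'^Thread\s+(?P<image>.+?)\s+\[(?P<pid>\d+):(?P<tid>\d+)\]\s+(?P<addr>[0-9a-fA-F]+)$')

# Heuristics for the value-name / data boundary, tried in this order.
QUOTED_RE = re.compile(r'^(?P<name>.+?)\s+(?P<data>".*)$')                         # "C:\path\x.exe" args
HEX_DUMP_RE = re.compile(r'^(?P<name>.+?)\s+(?P<data>0x[0-9A-Fa-f]{2}(?:\s+0x[0-9A-Fa-f]{2})*(?:\s+\.\.\.)?)$')
INT_TAIL_RE = re.compile(r'^(?P<name>.+?)\s+(?P<data>-?\d+)$')                      # DWORD rendered as integer

# Assumed list of autostart (ASEP) key fragments to flag; case-insensitive substring match on the key path.
AUTOSTART_MARKERS = (
    r'\CurrentVersion\Run',                 # Run, RunOnce, RunServices...
    r'\Windows NT\CurrentVersion\Winlogon',
    r'\Image File Execution Options',
)
IMAGE_PATH_RE = re.compile(r'"([^"]+)"|(\S+\.(?:exe|dll|sys|cmd|bat))', re.IGNORECASE)


def split_value(rest: str) -> Tuple[str, Optional[str]]:
    """Split the text after '@' into (value name, data) without GMER's column alignment."""
    for rx in (QUOTED_RE, HEX_DUMP_RE, INT_TAIL_RE):
        m = rx.match(rest)
        if m:
            return m.group('name'), m.group('data')
    name, _, data = rest.partition(' ')   # fallback: one-token name, remainder (if any) is data
    return name, (data or None)


def parse_reg_line(line: str) -> RegEntry:
    body = line[len('Reg '):].strip()
    key, sep, rest = body.partition('@')
    if not sep:
        return RegEntry(key, None, None)
    name, data = split_value(rest)
    return RegEntry(key, name, data)


def parse_gmer_log(text: str) -> Tuple[List[ThreadEntry], List[RegEntry]]:
    threads: List[ThreadEntry] = []
    regs: List[RegEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SECTION_RE.match(line):
            continue
        if line.startswith('Thread '):
            m = THREAD_RE.match(line)
            if m:
                threads.append(ThreadEntry(m['image'], int(m['pid']), int(m['tid']), int(m['addr'], 16)))
        elif line.startswith('Reg '):
            regs.append(parse_reg_line(line))
    return threads, regs


def autostart_entries(regs: List[RegEntry]) -> List[RegEntry]:
    """Registry values living under a known autostart location."""
    return [r for r in regs if r.value_name
            and any(mark.lower() in r.key.lower() for mark in AUTOSTART_MARKERS)]


def image_path(entry: RegEntry) -> Optional[str]:
    """Extract the launched binary from value data, honouring a quoted path with spaces."""
    if not entry.data:
        return None
    m = IMAGE_PATH_RE.search(entry.data)
    return (m.group(1) or m.group(2)) if m else None


if __name__ == '__main__':
    threads, regs = parse_gmer_log(SAMPLE_LOG)
    for t in threads:
        print(f'thread {t.image} pid={t.pid} tid={t.tid} start=0x{t.address:x}')
    for e in autostart_entries(regs):
        print(f'ASEP {e.key}@{e.value_name} -> {image_path(e)}')
```

Run against the full log, the only autostart hit is the DAEMON Tools Lite `Run` value; everything else in the Registry section is Explorer, Search, DHCP lease and W32Time state that GMER lists because it changed recently, not because it is suspicious. The extracted image path is what you would then verify on disk (signature, hash) rather than trusting the value name.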