GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-11-29 18:31:03
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD10EZEX-08M2NA0 rev.01.01A01 931,51GB
Running: hkynh2jm.exe; Driver: C:\Users\a\AppData\Local\Temp\axloauod.sys

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [688:744]  ffffc09e68536c20

---- Processes - GMER 2.2 ----

Library C:\Program Files (x86)\Common Files\Nero\NeroShellExt\x64\NeroShellExt.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [4240]  00007fff56e80000
Library C:\Program Files (x86)\Common Files\Nero\NeroShellExt\x64\SolutionExplorer.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [4240]  00007fff645b0000

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings@StringCacheGeneration  72
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  \??\C:\Users\a\AppData\Local\Temp\~nsu.tmp\Au_.exe??\??\C:\Users\a\AppData\Local\Temp\~nsu.tmp??\??\C:\Users\a\AppData\Local\Temp\nsy6B3F.tmp\??\??\C:\Users\a\AppData\Local\Temp\nsy6B3F.tmp\Lang\ENU.dll??\??\C:\Users\a\AppData\Local\Temp\nsy6B3F.tmp\Lang\PLK.dll??
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  -1642195492
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName  Global\MMF_BITS084c4e1e-571b-421a-aedf-dcd41b5f17c2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime  ?wt.?, ?lis ?29 ?16, 04:57:39??????????????????????????????????
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  2024
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  451
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0x79 0x9C 0x96 0x06 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0x79 0x04 0x5B 0x68 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0x79 0x34 0xD2 0xA4 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter  24
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications@TimestampWhenSeen  0xE7 0x09 0x7C 0x64 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds  Chrome?{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe?windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel?Microsoft.Windows.ControlPanel?
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Flighting@CachedFeatureString
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@Chrome  0xDD 0x1F 0x3C 0x8E ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe  0x62 0x38 0x74 0xF9 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel  0xC6 0x1A 0xDC 0x0E ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@Microsoft.Windows.ControlPanel  0x08 0x44 0xBB 0x68 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{F3FC9B69-40A4-4B49-9AD1-EC05841B623B}\RecentItems\{6C886811-5B3E-40DF-AD3F-7E7B887F2EBC}
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{F3FC9B69-40A4-4B49-9AD1-EC05841B623B}\RecentItems\{6C886811-5B3E-40DF-AD3F-7E7B887F2EBC}@Type  0
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{F3FC9B69-40A4-4B49-9AD1-EC05841B623B}\RecentItems\{6C886811-5B3E-40DF-AD3F-7E7B887F2EBC}@Path  C:\Users\a\Desktop\aletration conjuration or illusion.txt
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{F3FC9B69-40A4-4B49-9AD1-EC05841B623B}\RecentItems\{6C886811-5B3E-40DF-AD3F-7E7B887F2EBC}@DisplayName  aletration conjuration or illusion.txt
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{F3FC9B69-40A4-4B49-9AD1-EC05841B623B}\RecentItems\{6C886811-5B3E-40DF-AD3F-7E7B887F2EBC}@LastAccessedTime  0x00 0x00 0x00 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{F3FC9B69-40A4-4B49-9AD1-EC05841B623B}\RecentItems\{6C886811-5B3E-40DF-AD3F-7E7B887F2EBC}@Points  0x00 0x00 0x00 0x00
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{F3FC9B69-40A4-4B49-9AD1-EC05841B623B}\RecentItems\{B25C0F0A-C689-4F30-AE93-DA9E1C2BEB0C}
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{F3FC9B69-40A4-4B49-9AD1-EC05841B623B}\RecentItems\{B25C0F0A-C689-4F30-AE93-DA9E1C2BEB0C}@Type  0
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{F3FC9B69-40A4-4B49-9AD1-EC05841B623B}\RecentItems\{B25C0F0A-C689-4F30-AE93-DA9E1C2BEB0C}@Path  C:\Users\a\Desktop\Nowy folder\Nowy folder\server.properties
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{F3FC9B69-40A4-4B49-9AD1-EC05841B623B}\RecentItems\{B25C0F0A-C689-4F30-AE93-DA9E1C2BEB0C}@DisplayName  server.properties
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{F3FC9B69-40A4-4B49-9AD1-EC05841B623B}\RecentItems\{B25C0F0A-C689-4F30-AE93-DA9E1C2BEB0C}@LastAccessedTime  0x00 0x00 0x00 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{F3FC9B69-40A4-4B49-9AD1-EC05841B623B}\RecentItems\{B25C0F0A-C689-4F30-AE93-DA9E1C2BEB0C}@Points  0x00 0x00 0x00 0x00
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{F3FC9B69-40A4-4B49-9AD1-EC05841B623B}\RecentItems\{BBB1EA86-6165-4DA5-8915-8178DA09CAFB}
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{F3FC9B69-40A4-4B49-9AD1-EC05841B623B}\RecentItems\{BBB1EA86-6165-4DA5-8915-8178DA09CAFB}@Type  0
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{F3FC9B69-40A4-4B49-9AD1-EC05841B623B}\RecentItems\{BBB1EA86-6165-4DA5-8915-8178DA09CAFB}@Path  C:\Users\a\Desktop\a.txt
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{F3FC9B69-40A4-4B49-9AD1-EC05841B623B}\RecentItems\{BBB1EA86-6165-4DA5-8915-8178DA09CAFB}@DisplayName  a.txt
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{F3FC9B69-40A4-4B49-9AD1-EC05841B623B}\RecentItems\{BBB1EA86-6165-4DA5-8915-8178DA09CAFB}@LastAccessedTime  0x00 0x00 0x00 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{F3FC9B69-40A4-4B49-9AD1-EC05841B623B}\RecentItems\{BBB1EA86-6165-4DA5-8915-8178DA09CAFB}@Points  0x00 0x00 0x00 0x00
Reg  HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppHang_notepad.exe_8758d9263f97c572233bcaffb611ec61acd9c8c_5a07e43d_1bcf4a67
Reg  HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles@FirstLevelConsentDialog  0xB6 0x04 0x06 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles@CheckingForSolutionDialog  0xB6 0x04 0x06 0x00 ...

---- EOF - GMER 2.2 ----