GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-12-18 23:35:06
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000020 ST1000LM024_HN-M101MBB rev.2AR10002 931,51GB
Running: gmer.exe; Driver: C:\Users\KAROLC~1\AppData\Local\Temp\pxtyqpoc.sys

---- Threads - GMER 2.2 ----

Thread  C:\Windows\system32\csrss.exe [656:680]    fffff960009312d0

---- Processes - GMER 2.2 ----

Library  C:\Program Files (x86)\Dropbox\Client\DropboxExt64.3.0.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2344]    00007ffaa3e70000

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings@StringCacheGeneration    131
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed    955309669
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications\Components\TrustedInstaller@Events    CreateSession
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\50b7c35fba97
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime    ?N?, ?gru ?18 ?16, 10:45:45
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch    224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller@Start    2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter    24
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HelpSticker\Tracking@CharmsMouse    2
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Extensions
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Extensions@xlsx    C:\PROGRA~1\MICROS~1\Office16\EXCEL.EXE
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Extensions@xls    C:\PROGRA~1\MICROS~1\Office16\EXCEL.EXE
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Extensions@rtf    C:\PROGRA~1\MICROS~1\Office16\WINWORD.EXE ^.rtf
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Extensions@dot    C:\PROGRA~1\MICROS~1\Office16\WINWORD.EXE ^.dot
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Extensions@dotm    C:\PROGRA~1\MICROS~1\Office16\WINWORD.EXE ^.dotm
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Extensions@dotx    C:\PROGRA~1\MICROS~1\Office16\WINWORD.EXE ^.dotx
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Extensions@docm    C:\PROGRA~1\MICROS~1\Office16\WINWORD.EXE ^.docm
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Extensions@docx    C:\PROGRA~1\MICROS~1\Office16\WINWORD.EXE ^.docx
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Extensions@doc    C:\PROGRA~1\MICROS~1\Office16\WINWORD.EXE ^.doc
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Store@LastTileRefresh    0x6F 0x31 0xB9 0x5C ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Store\RefreshBannedAppList@BannedAppsLastModified    0x00 0x37 0x2F 0x06 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@0    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk?C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@1    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Daum\PotPlayer 64 bit\PotPlayer 64 bit.lnk?C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@3    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk?C:\Program Files\7-Zip\7zFM.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@4    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ActivePresenter\ActivePresenter.lnk?E:\Zainstalowane\ActivePresenter\ActivePresenter.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@5    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET\ESET NOD32 Antivirus\ESET NOD32 Antivirus.lnk?C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@6    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET\ESET NOD32 Antivirus\ESET SysInspector.lnk?C:\Program Files\ESET\ESET NOD32 Antivirus\SysInspector.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@7    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET\ESET NOD32 Antivirus\ESET SysRescue.lnk?C:\Program Files\ESET\ESET NOD32 Antivirus\SysRescue.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@8    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD Settings\AMD Settings.lnk?C:\Program Files\AMD\CNext\CNext\cnext.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@9    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Clementine\Clementine.lnk?E:\Zainstalowane\Clementine\clementine.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@11    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ImgBurn.lnk?E:\Zainstalowane\ImgBurn\ImgBurn.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@12    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel 2016.lnk?C:\Program Files\Microsoft Office\Office16\EXCEL.EXE??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@13    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint 2016.lnk?C:\Program Files\Microsoft Office\Office16\POWERPNT.EXE??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@14    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word 2016.lnk?C:\Program Files\Microsoft Office\Office16\WINWORD.EXE??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@15    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Narzędzia pakietu Microsoft Office 2016\Dziennik telemetryczny dla pakietu Office 2016.lnk?C:\Program Files\Microsoft Office\Office16\msoev.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@16    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk?C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@17    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel 2016.lnk?C:\Program Files\Microsoft Office\Office16\EXCEL.EXE??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@18    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ImgBurn.lnk?E:\Zainstalowane\ImgBurn\ImgBurn.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@19    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint 2016.lnk?C:\Program Files\Microsoft Office\Office16\POWERPNT.EXE??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@20    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word 2016.lnk?C:\Program Files\Microsoft Office\Office16\WINWORD.EXE??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@21    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk?C:\Program Files\7-Zip\7zFM.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@22    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ActivePresenter\ActivePresenter.lnk?E:\Zainstalowane\ActivePresenter\ActivePresenter.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@23    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD Gaming Evolved\PlaysTV.lnk?C:\Program Files (x86)\Raptr Inc\PlaysTV\playstv_launcher.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@24    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD Settings\AMD Settings.lnk?C:\Program Files\AMD\CNext\CNext\cnext.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@25    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Clementine\Clementine.lnk?E:\Zainstalowane\Clementine\clementine.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@26    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Daum\PotPlayer 64 bit\PotPlayer 64 bit.lnk?C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@27    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ImgBurn\ImgBurn.lnk?E:\Zainstalowane\ImgBurn\ImgBurn.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@28    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Narzędzia pakietu Microsoft Office 2016\Dziennik telemetryczny dla pakietu Office 2016.lnk?C:\Program Files\Microsoft Office\Office16\msoev.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@29    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Narzędzia pakietu Microsoft Office 2016\Telemetryczny pulpit nawigacyjny dla pakietu Office 2016.lnk?C:\Program Files\Microsoft Office\Office16\msotd.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@30    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Windows PowerShell.lnk?C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@31    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinCDEmu\WinCDEmu Settings.lnk?E:\Zainstalowane\WinCDEmu\vmnt64.exe?/settings?
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@32    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint 2016.lnk?C:\Program Files\Microsoft Office\Office16\POWERPNT.EXE??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@33    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET\ESET NOD32 Antivirus\ESET NOD32 Antivirus.lnk?C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@34    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET\ESET NOD32 Antivirus\ESET SysInspector.lnk?C:\Program Files\ESET\ESET NOD32 Antivirus\SysInspector.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@35    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET\ESET NOD32 Antivirus\ESET SysRescue.lnk?C:\Program Files\ESET\ESET NOD32 Antivirus\SysRescue.exe??
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@36    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk?C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe??

---- EOF - GMER 2.2 ----