GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-01-05 10:47:12
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000032 PLEXTOR_PX-128M6S rev.1.03 119,24GB
Running: uuwsmmcr.exe; Driver: C:\Users\Damian\AppData\Local\Temp\afliyfob.sys

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [684:944]  ffff87d8035a6c20
Thread  C:\WINDOWS\system32\SearchIndexer.exe [5996:5176]  00007ffd7542dbe0
Thread  C:\WINDOWS\system32\SearchIndexer.exe [5996:5056]  00007ffd7542dbe0
Thread  C:\WINDOWS\system32\SearchIndexer.exe [5996:5220]  00007ffd7542dbe0
Thread  C:\WINDOWS\system32\SearchIndexer.exe [5996:1248]  00007ffd621ad5d0
Thread  C:\WINDOWS\system32\SearchIndexer.exe [5996:5428]  00007ffd61ee9a00
Thread  C:\WINDOWS\system32\SearchIndexer.exe [5996:5208]  00007ffd61ee7d90
Thread  C:\WINDOWS\system32\SearchIndexer.exe [5996:5204]  00007ffd61ee5e30
Thread  C:\WINDOWS\system32\SearchIndexer.exe [5996:6304]  00007ffd61ef0fa0

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot@OfficeODC  $UserProfile$\AppData\Local\Microsoft\Office\15.0\OfficeFileCache\*.fsf?$UserProfile$\AppData\Local\Microsoft\Office\15.0\OfficeFileCache\*.fsd?$UserProfile$\Local Settings\Application Data\Office\15.0\OfficeFileCache\*.fsd?$UserProfile$\Local Settings\Application Data\Office\15.0\OfficeFileCache\*.fsf?$UserProfile$\AppData\Local\Microsoft\Office\15.0\OfficeFileCache\LocalCacheFileEditManager\*.fsf?$UserProfile$\AppData\Local\Microsoft\Office\15.0\OfficeFileCache\LocalCacheFileEditManager\*.fsd?$UserProfile$\Local Settings\Application Data\Office\15.0\OfficeFileCache\LocalCacheFileEditManager\*.fsd?$UserProfile$\Local Settings\Application Data\Office\15.0\Off
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime  0x7D 0xD4 0x23 0xED ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime  0x46 0x64 0x4C 0x2E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime  0x7D 0xD4 0x23 0xED ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime  0x46 0x64 0x4C 0x2E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL  20
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\CMN17350_32_07DC_E0^32E5A83C84F67081B9C9AD9E235CC62C@Timestamp  0x19 0x91 0xFF 0xED ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  752
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber  2710531
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  484392893
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId  21
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime  493453629
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime  3141
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime  2739
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID  8e615042-a7be-4f05-90af-9798182
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WcesLog@FileCounter  1
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName  Global\MMF_BITS6dd12190-3558-441b-80f6-9c3d4e78f212
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\18cf5e7cd8b4
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{85b7684d-7726-4477-8510-b61581c9a9d8}@LastProbeTime  1483607334
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{D2468483-192C-494B-A860-C5330F03397F}@InterfaceName  Reusable ISATAP Interface {D2468483-192C-494B-A860-C5330F03397F}
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{D2468483-192C-494B-A860-C5330F03397F}@ReusableType  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SDScannerService@ServiceWebPortFileScannerActive  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SDScannerService@ServiceWebPortFirewallActive  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SDUpdateService@ServiceWebPortActive  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  3254
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  448
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence  19
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5df9b0b9-9267-41fa-b4d1-ac0087307bc1}@LeaseObtainedTime  1483603730
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5df9b0b9-9267-41fa-b4d1-ac0087307bc1}@T1  1483646930
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5df9b0b9-9267-41fa-b4d1-ac0087307bc1}@T2  1483679330
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5df9b0b9-9267-41fa-b4d1-ac0087307bc1}@LeaseTerminatesTime  1483690130
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{5df9b0b9-9267-41fa-b4d1-ac0087307bc1}@Dhcpv6State  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0x4C 0xE8 0x37 0x59 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0x4C 0x50 0xFC 0xBA ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0x4C 0x80 0x73 0xF7 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List  17060 17066 17078 17088 17098 17118 17162 17172 17210 17216 17232
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter  17238
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help  17239
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter  17060
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help  17061
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown  1
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814}\iexplore@Count  1
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE7CD045-E861-484F-8273-0445EE161910}\iexplore@Count  37
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\iexplore@Count  100
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications@MobileBroadbandLastResetDate  0x6C 0xAB 0x2E 0xF7 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds  Chrome?windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel?
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@Chrome  0x19 0x36 0x9D 0x83 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel  0xE3 0x5E 0x96 0xEC ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{0264547F-2DC3-4F01-91B5-E447761637F6}@LastAccessedTime  0xD0 0xB8 0xE6 0x80 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{0264547F-2DC3-4F01-91B5-E447761637F6}@LaunchCount  1
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{03D288DC-1F39-477E-8142-BCD54DCE954D}@LastAccessedTime  0x90 0x85 0x77 0x7C ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{03D288DC-1F39-477E-8142-BCD54DCE954D}@LaunchCount  3
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{2E2374AD-7E0B-4751-9031-781C26160D8F}@LastAccessedTime  0xC0 0x72 0x40 0x17 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{2E2374AD-7E0B-4751-9031-781C26160D8F}@LaunchCount  4
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8C563519-5C45-43B9-A2E6-0FBF3D40060B}
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8C563519-5C45-43B9-A2E6-0FBF3D40060B}@LastAccessedTime  0xA0 0x39 0xE0 0x93 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8C563519-5C45-43B9-A2E6-0FBF3D40060B}@AppId  Microsoft.AutoGenerated.{288EFCA7-B2A1-F316-F854-DABE6196E559}
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8C563519-5C45-43B9-A2E6-0FBF3D40060B}@LaunchCount  7
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A333A436-A17E-4D8B-82B2-DA7F52B91FCE}@LastAccessedTime  0x20 0x36 0x3D 0x32 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A333A436-A17E-4D8B-82B2-DA7F52B91FCE}@LaunchCount  4
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance@MessageTime  0x57 0xB7 0xA0 0xEA ...

---- EOF - GMER 2.2 ----