GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-01-24 22:25:23
Windows 6.2.9200 x64 \Device\Harddisk1\DR1 -> \Device\0000003c SAMSUNG_HD103SJ rev.1AJ10001 931,51GB
Running: GMER.exe; Driver: C:\Users\Flymar\AppData\Local\Temp\pgldypow.sys

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [736:3764] fffff589d6f36c20

---- Services - GMER 2.2 ----

Service C:\WINDOWS\system32\drivers\mbae64.sys (*** hidden *** ) [SYSTEM] ESProtectionDriver <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\MBAMChameleon.sys (*** hidden *** ) [AUTO] MBAMChameleon <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\farflt.sys (*** hidden *** ) [MANUAL] MBAMFarflt <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\mbam.sys (*** hidden *** ) [MANUAL] MBAMProtection <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\mwac.sys (*** hidden *** ) [MANUAL] MBAMWebProtection <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1281102134
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESProtectionDriver
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESProtectionDriver@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESProtectionDriver@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESProtectionDriver@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESProtectionDriver@ImagePath \??\C:\WINDOWS\system32\drivers\mbae64.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESProtectionDriver@DisplayName Malwarebytes Anti-Exploit
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESProtectionDriver
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon@Tag 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon@ImagePath \SystemRoot\system32\drivers\MBAMChameleon.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon@DisplayName MBAMChameleon
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon@Group FSFilter Activity Monitor
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon@Protected C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon@RefCount 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon@ProtectedPaths \Device\HarddiskVolume4\WINDOWS\System32\DRIVERS\mbamchameleon.sys?\Device\HarddiskVolume4\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\?\Device\HarddiskVolume4\PROGRAMDATA\MALWAREBYTES\?\Device\HarddiskVolume4\WINDOWS\system32\config\systemprofile\AppData\Roaming\MALWAREBYTES\?\Device\HarddiskVolume4\WINDOWS\SYSTEM32\DRIVERS\MBAM.SYS?\Device\HarddiskVolume4\WINDOWS\SYSTEM32\DRIVERS\MBAMSWISSARMY.SYS?\Device\HarddiskVolume4\WINDOWS\SYSTEM32\DRIVERS\FARFLT.SYS?\Device\HarddiskVolume4\WINDOWS\SYSTEM32\DRIVERS\MBAE.SYS?\Device\HarddiskVolume4\WINDOWS\SYSTEM32\DRIVERS\MBAE64.SYS?\Device\HarddiskVolume4\WINDOWS\SYSTEM32\DRIVERS\MWAC.SYS?\Device\HarddiskVolume4\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\?
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon@ProtectedRegistry \REGISTRY\MACHINE\SYSTEM\CONTROLSET*\SERVICES\MBAMCHAMELEON\*?\Registry\MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\MBAMChameleon\?\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\?\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\?\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\?\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\?\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\?\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\?\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\?\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\?\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\?\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\?\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\?\RE
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon@Verified 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon\Instances
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon\Instances@DefaultInstance MBAMChameleon Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon\Instances\MBAMChameleon Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon\Instances\MBAMChameleon Instance@Altitude 400900
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon\Instances\MBAMChameleon Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMFarflt
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMFarflt@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMFarflt@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMFarflt@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMFarflt@ImagePath \??\C:\WINDOWS\system32\drivers\farflt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMFarflt@Group FSFilter Content Screener
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMFarflt@DependOnService FltMgr?
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMFarflt\Instances
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMFarflt\Instances@DefaultInstance MBAMFarflt Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMFarflt\Instances\MBAMFarflt Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMFarflt\Instances\MBAMFarflt Instance@Altitude 268150
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMFarflt\Instances\MBAMFarflt Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMFarflt
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtection
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtection@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtection@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtection@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtection@ImagePath \??\C:\WINDOWS\system32\drivers\mbam.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtection@Group FSFilter Anti-Virus
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtection@DependOnService FltMgr?
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtection\Instances
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtection\Instances@DefaultInstance MBAMProtection Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtection\Instances\MBAMProtection Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtection\Instances\MBAMProtection Instance@Altitude 328800
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtection\Instances\MBAMProtection Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtection
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMWebProtection
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMWebProtection@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMWebProtection@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMWebProtection@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMWebProtection@ImagePath \??\C:\WINDOWS\system32\drivers\mwac.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMWebProtection@DependOnService BFE?
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMWebProtection
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6fe7e804-41f6-474f-a633-137a8401386a}@LeaseObtainedTime 1485286698
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6fe7e804-41f6-474f-a633-137a8401386a}@T1 1485288498
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6fe7e804-41f6-474f-a633-137a8401386a}@T2 1485289398
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6fe7e804-41f6-474f-a633-137a8401386a}@LeaseTerminatesTime 1485315498
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xC9 0x52 0xBA 0x30 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xC9 0xBA 0x7E 0x92 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xC9 0xEA 0xF5 0xCE ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent@StartColorMenu -11730791
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent@AccentColorMenu -9095500
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\18f0ad94@NotificationsCount 3
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\3cdadc52@NotificationsCount 2
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\edf54a11@NotificationsCount 3
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds Chrome?
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@Chrome 0x59 0xB8 0xD9 0x60 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{087B1DD0-6D19-4453-86D7-9B58E0B6DAF2}@LastAccessedTime 0xF0 0x44 0xD3 0x4F ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{087B1DD0-6D19-4453-86D7-9B58E0B6DAF2}@LaunchCount 26
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{0FF77408-5088-4230-8B36-5A1E8BE904B9}
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{0FF77408-5088-4230-8B36-5A1E8BE904B9}@LastAccessedTime 0x20 0x6C 0x1E 0x44 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{0FF77408-5088-4230-8B36-5A1E8BE904B9}@AppId D:\Program Files\totalcmd\TOTALCMD.EXE
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{0FF77408-5088-4230-8B36-5A1E8BE904B9}@LaunchCount 1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{788F9119-EF71-4C7B-934E-77071B73C2E0}@LastAccessedTime 0x90 0xE6 0xED 0x94 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{788F9119-EF71-4C7B-934E-77071B73C2E0}@LaunchCount 3
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{788F9119-EF71-4C7B-934E-77071B73C2E0}\RecentItems\{C1F83D13-CB67-4587-99BC-EB48953A6D5A}
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{788F9119-EF71-4C7B-934E-77071B73C2E0}\RecentItems\{C1F83D13-CB67-4587-99BC-EB48953A6D5A}@Type 0
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{788F9119-EF71-4C7B-934E-77071B73C2E0}\RecentItems\{C1F83D13-CB67-4587-99BC-EB48953A6D5A}@Path C:\Users\Flymar\Desktop\Nowy Dokument tekstowy.txt
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{788F9119-EF71-4C7B-934E-77071B73C2E0}\RecentItems\{C1F83D13-CB67-4587-99BC-EB48953A6D5A}@DisplayName Nowy Dokument tekstowy.txt
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{788F9119-EF71-4C7B-934E-77071B73C2E0}\RecentItems\{C1F83D13-CB67-4587-99BC-EB48953A6D5A}@LastAccessedTime 0x00 0x00 0x00 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{788F9119-EF71-4C7B-934E-77071B73C2E0}\RecentItems\{C1F83D13-CB67-4587-99BC-EB48953A6D5A}@Points 0x00 0x00 0x00 0x00
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{788F9119-EF71-4C7B-934E-77071B73C2E0}\RecentItems\{CDFD345B-E9F6-4D03-BD30-F2141FE4575F}
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{788F9119-EF71-4C7B-934E-77071B73C2E0}\RecentItems\{CDFD345B-E9F6-4D03-BD30-F2141FE4575F}@Type 0
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{788F9119-EF71-4C7B-934E-77071B73C2E0}\RecentItems\{CDFD345B-E9F6-4D03-BD30-F2141FE4575F}@Path C:\Users\Flymar\Documents\my games\XCOM2\XComGame\Logs\XCom-FLY-CL234736-2017.01.14-23.12.53-Crash\XCom-CL234736-2017.01.14-23.13.26_Logfile.log
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{788F9119-EF71-4C7B-934E-77071B73C2E0}\RecentItems\{CDFD345B-E9F6-4D03-BD30-F2141FE4575F}@DisplayName XCom-CL234736-2017.01.14-23.13.26_Logfile.log
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{788F9119-EF71-4C7B-934E-77071B73C2E0}\RecentItems\{CDFD345B-E9F6-4D03-BD30-F2141FE4575F}@LastAccessedTime 0x00 0x00 0x00 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{788F9119-EF71-4C7B-934E-77071B73C2E0}\RecentItems\{CDFD345B-E9F6-4D03-BD30-F2141FE4575F}@Points 0x00 0x00 0x00 0x00
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{EA0090D7-54F2-4A4A-900F-726D7F8B49F1}@LastAccessedTime 0x30 0xE1 0x0E 0xEB ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{EA0090D7-54F2-4A4A-900F-726D7F8B49F1}@LaunchCount 1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance@MessageTime 0x54 0x00 0x92 0x75 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UnreadMail\flymar@wp.pl@MessageCount 0
Reg HKCU\SOFTWARE\Microsoft\Windows\DWM@ColorizationColor -994822539
Reg HKCU\SOFTWARE\Microsoft\Windows\DWM@ColorizationAfterglow -994822539
Reg HKCU\SOFTWARE\Microsoft\Windows\DWM@AccentColor -9095500
Reg HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting@LastWatsonCabUploaded 0xA9 0x76 0xAC 0xCE ...
Reg HKCU\SOFTWARE\Microsoft\Windows Live Mail@Compact Check Count 55
Reg HKCU\SOFTWARE\Microsoft\Windows Live Mail@Last Search Index 1
Reg HKCU\SOFTWARE\Microsoft\Windows Live Mail@SearchFolderLaunchesUntilRebuild 2
Reg HKCU\SOFTWARE\Microsoft\Windows Live Mail@AppRuns 488
Reg HKCU\SOFTWARE\Microsoft\Windows Live Mail@SqmSrvSuccessCount POP3 1123134
Reg HKCU\SOFTWARE\Microsoft\Windows Live Mail@TotalUpTime 33911
Reg HKCU\SOFTWARE\Microsoft\Windows Live Mail\Rules\Filter\FFA@Version 491
Reg HKCU\SOFTWARE\Microsoft\Windows Live Mail\Rules\Filter\FFB@Version 491
Reg HKCU\SOFTWARE\Microsoft\Windows Live Mail\Rules\Filter\FFC@Version 491
Reg HKCU\SOFTWARE\Microsoft\Windows Live Mail\Rules\Filter\FFF@Version 491

---- EOF - GMER 2.2 ----