GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-03-13 10:02:04
Windows 6.2.9200 x64  \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD10EZEX-00KUWA0 rev.15.01H15 931,51GB
Running: k3hee5ew.exe; Driver: C:\Users\WACICI~1\AppData\Local\Temp\fxliqpow.sys

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [688:748]  ffffd65219936c20

---- Services - GMER 2.2 ----

Service  C:\WINDOWS\System32\qmgr.dll (*** hidden *** )  [AUTO] BITS  <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime  0x42 0xA5 0xAB 0xCB ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime  0x73 0x33 0x18 0xE8 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime  0x42 0xA5 0xAB 0xCB ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime  0xBB 0x95 0x1A 0xE8 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL  30
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\ACR0335LY7EE0178510_14_07DD_14^3FD4FADD3308012E044AF5E051F58A8A@Timestamp  0xEF 0xCB 0x09 0xCC ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  832
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  -1040120018
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID  fc14d386-2c97-472a-bb4d-ee64b4d
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName  Global\MMF_BITS78e2f355-029b-4fef-89fd-12634a66cc1f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{6b5435e3-157b-4da0-9ee4-61e5db5219a5}@LastProbeTime  1489393017
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-1d-aa-32-f5-70@AddressCreationTimestamp  0xF1 0xD8 0xD6 0x0E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-1d-aa-32-f5-70@NatDetectionTimestamp  0x6F 0xCE 0xD6 0x0E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-1d-aa-32-f5-70@TeredoAddress  2001:0:9d38:90d7:3c08:6669:b046:8de5
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Diagnostics@ReadyBootTrainingCountSinceLastServicing  6
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime  pon., mar 13 17, 08:39:34
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@EffectivePends  449
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  4618
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  928
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence  29
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3aa64bec-a678-47c5-82b4-0c50b3d15e43}@LeaseObtainedTime  1489389445
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3aa64bec-a678-47c5-82b4-0c50b3d15e43}@T1  1489519045
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3aa64bec-a678-47c5-82b4-0c50b3d15e43}@T2  1489616245
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3aa64bec-a678-47c5-82b4-0c50b3d15e43}@LeaseTerminatesTime  1489648645
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{3aa64bec-a678-47c5-82b4-0c50b3d15e43}@Dhcpv6State  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0x18 0x71 0x65 0x88 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0x18 0xD9 0x29 0xEA ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0x18 0x09 0xA1 0x26 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop  0
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown  1
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\3198fabe
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\3198fabe@FileExtension  jpg
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\3198fabe@Url  wpnidm:http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAof4fP.img?w=204&h=100&m=6&tilesize=wide&ms-scale=100&ms-contrast=standard
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\3198fabe@FileName  C:\Users\Właściciel\AppData\Local\Microsoft\Windows\Notifications\wpnidm\3198fabe.jpg
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9d5c85fe
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9d5c85fe@FileExtension  jpg
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9d5c85fe@Url  wpnidm:http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAoeWQr.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9d5c85fe@FileName  C:\Users\Właściciel\AppData\Local\Microsoft\Windows\Notifications\wpnidm\9d5c85fe.jpg
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\aed152f0
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\aed152f0@FileExtension  jpg
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\aed152f0@Url  wpnidm:https://pbs.twimg.com/amplify_video_thumb/841182291498016770/img/De_mgVXAn4J5kSAU.jpg
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\aed152f0@FileName  C:\Users\Właściciel\AppData\Local\Microsoft\Windows\Notifications\wpnidm\aed152f0.jpg
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds  Microsoft.Windows.ControlPanel
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@Microsoft.Windows.ControlPanel  0xE9 0xFA 0xD5 0x5F ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{1F43EA0E-3288-4877-A0ED-40BF55641317}@LastAccessedTime  0x90 0x89 0xCE 0x3A ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{1F43EA0E-3288-4877-A0ED-40BF55641317}@LaunchCount  17
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{77E4BA8A-A3B8-4413-937F-F347021C14A6}
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{77E4BA8A-A3B8-4413-937F-F347021C14A6}@LastAccessedTime  0x90 0x2B 0xAB 0x0D ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{77E4BA8A-A3B8-4413-937F-F347021C14A6}@AppId  Microsoft.DXP.AttachedDevice.{1C852A4D-B800-1F08-ABCD-288023CD4AE7}
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{77E4BA8A-A3B8-4413-937F-F347021C14A6}@LaunchCount  1

---- Files - GMER 2.2 ----

File  C:\Windows\SoftwareDistribution\DataStore\Logs\edb00139.log  1310720 bytes
File  C:\Windows\SoftwareDistribution\DataStore\Logs\edb0013A.log  1310720 bytes
File  C:\Windows\SoftwareDistribution\DeliveryOptimization\4714905954b236642607b03b93583721586cff54  0 bytes
File  C:\Windows\SoftwareDistribution\DeliveryOptimization\4714905954b236642607b03b93583721586cff54\4714905954b236642607b03b93583721586cff54.pieceshash  3866 bytes
File  C:\Windows\SoftwareDistribution\Download\b237d004404cd6ac49fd0dccfc3dc8a4  0 bytes
File  C:\Windows\SoftwareDistribution\Download\b237d004404cd6ac49fd0dccfc3dc8a4\onenote-x-none.cab  81981058 bytes
File  C:\Windows\SoftwareDistribution\Download\e58a0d234de907a7a35e6c3070913057  0 bytes
File  C:\Windows\SoftwareDistribution\Download\e58a0d234de907a7a35e6c3070913057\lync-x-none.cab  106832072 bytes

---- EOF - GMER 2.2 ----
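A GMER log like the one above is a wall of Thread/Service/Reg/File lines, and the only thing an analyst actually wants out of it is the handful of entries GMER itself marks as hidden or gives a "<-- ..." verdict. The parser below is an added example for triaging such logs; it is not part of GMER and is not from the original page. It splits the log into its "---- X - GMER 2.2 ----" sections, parses each entry kind into fields, and returns the flagged entries separately. The embedded SAMPLE_LOG is a constructed excerpt modelled on the scan above (a subset of its lines, with GMER's column spacing), not the full original output.

```python
"""Parse a GMER 2.2 rootkit-scan log and pull out the entries that need attention.

Added example, not GMER code. SAMPLE_LOG below is a constructed excerpt
modelled on the scan shown on this page.
"""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER 2\.2 ----$")
SCAN_RE = re.compile(r"^Rootkit scan (?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
THREAD_RE = re.compile(
    r"^Thread\s+(?P<image>.+?)\s+\[(?P<pid>\d+):(?P<tid>\d+)\]\s+(?P<addr>[0-9a-fA-F]+)$")
# "Service <image> (<flags>) [<start>] <name> <-- <verdict>"; the flag and verdict parts are optional.
SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+(?:\((?P<flags>[^)]*)\)\s+)?\[(?P<start>[^\]]+)\]\s+(?P<name>\S+)"
    r"(?:\s+<--\s+(?P<verdict>.+?))?\s*$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+) bytes$")


@dataclass
class Entry:
    section: str   # Threads / Services / Registry / Files
    kind: str      # Thread / Service / Reg / File
    fields: dict
    raw: str


@dataclass
class Report:
    scan_time: str = ""
    entries: list = field(default_factory=list)


def _parse_reg(body):
    """'HKLM\\...\\Key@Value  data' -> key / value / data; key-only lines have no '@'.
    Keys may contain spaces (e.g. 'Session Manager'), so split on the first '@', not on whitespace."""
    key, sep, rest = body.partition("@")
    if not sep:
        return {"key": key.strip(), "value": None, "data": None}
    parts = rest.split(None, 1)
    return {"key": key.strip(), "value": parts[0],
            "data": parts[1].strip() if len(parts) > 1 else ""}


def parse_gmer(text):
    report = Report()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("name") == "EOF":
                break
            section = m.group("name")
            continue
        if section is None:                      # header block before the first section
            m = SCAN_RE.match(line)
            if m:
                report.scan_time = m.group("when")
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        kind, body = parts
        fields = None
        if kind == "Thread":
            m = THREAD_RE.match(line)
            fields = m.groupdict() if m else None
        elif kind == "Service":
            m = SERVICE_RE.match(line)
            fields = m.groupdict() if m else None
        elif kind == "File":
            m = FILE_RE.match(line)
            fields = {"path": m.group("path"), "size": int(m.group("size"))} if m else None
        elif kind == "Reg":
            fields = _parse_reg(body)
        if fields is None:                       # keep unrecognised layouts rather than dropping them
            fields = {"unparsed": body}
        report.entries.append(Entry(section, kind, fields, line))
    return report


def is_suspicious(entry):
    """GMER marks what it could not see through normal APIs with '*** hidden ***'
    and appends a '<-- ...' verdict (e.g. ROOTKIT !!!) to entries it considers hooked."""
    return "<--" in entry.raw or "hidden" in entry.raw.lower()


def flagged(report):
    return [e for e in report.entries if is_suspicious(e)]


def counts_by_section(report):
    out = {}
    for e in report.entries:
        out[e.section] = out.get(e.section, 0) + 1
    return out


# Constructed excerpt modelled on the scan above (not the full log).
SAMPLE_LOG = r"""
GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-03-13 10:02:04
Windows 6.2.9200 x64

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [688:748]  ffffd65219936c20

---- Services - GMER 2.2 ----

Service  C:\WINDOWS\System32\qmgr.dll (*** hidden *** )  [AUTO] BITS  <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  832
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  -1040120018

---- Files - GMER 2.2 ----

File  C:\Windows\SoftwareDistribution\Download\b237d004404cd6ac49fd0dccfc3dc8a4  0 bytes
File  C:\Windows\SoftwareDistribution\Download\b237d004404cd6ac49fd0dccfc3dc8a4\onenote-x-none.cab  81981058 bytes

---- EOF - GMER 2.2 ----
"""

if __name__ == "__main__":
    rep = parse_gmer(SAMPLE_LOG)
    print("scan:", rep.scan_time, counts_by_section(rep))
    for e in flagged(rep):
        print("FLAGGED:", e.raw)
```

Run against a real log with `parse_gmer(open(path, encoding="utf-8", errors="replace").read())`; GMER writes some registry data (such as the LastBootPlanUserTime string in the log above) with non-printable bytes, so decode leniently. The single flagged entry in the scan above is the BITS service (qmgr.dll). GMER 2.2 reports BITS as a hidden service on a great many Windows 8 and 10 machines, so that verdict on its own is weak evidence: corroborate it before treating the host as infected, for example by checking the Authenticode signature of C:\WINDOWS\System32\qmgr.dll and comparing the BITS service configuration (the HKLM\SYSTEM\CurrentControlSet\Services\BITS key also listed above) with a known-clean system of the same build.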