GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-11-05 12:06:11 Windows 6.2.9200 \Device\Harddisk0\DR0 -> \Device\0000002e TOSHIBA_MK6475GSX rev.GT001M 596,17GB Running: pxbgo8n2.exe; Driver: C:\Users\JOLAWO~1\AppData\Local\Temp\aflcraow.sys ---- Kernel code sections - GMER 2.2 ---- .text ntoskrnl.exe!ExfUnblockPushLock + 1274 815804ED 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 602 81584C72 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ---- User code sections - GMER 2.2 ---- .text C:\Program Files\CCleaner\CCleaner.exe[6372] USER32.dll!GetScrollInfo 756DC7F0 5 Bytes JMP 0045C1F3 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[6372] USER32.dll!SetScrollPos 756E57B0 5 Bytes JMP 0045C111 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[6372] USER32.dll!SetScrollRange 756E5800 5 Bytes JMP 0045C0D4 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[6372] USER32.dll!SetScrollInfo 756E5880 5 Bytes JMP 0045C14B C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[6372] USER32.dll!EnableScrollBar 756E61E0 5 Bytes JMP 0045C22A C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[6372] USER32.dll!GetScrollPos 756EAB50 5 Bytes JMP 0045C1BF C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[6372] USER32.dll!GetScrollRange 756EB300 5 Bytes JMP 0045C185 C:\Program Files\CCleaner\CCleaner.exe ---- Devices - GMER 2.2 ---- Device \Driver\BTHUSB \Device\00000043 bthport.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 volume.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 iorate.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 volume.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 iorate.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 volume.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 iorate.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 volume.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 iorate.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 volume.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 iorate.sys ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xB1 0x5A 0x48 0x34 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xA0 0xCF 0x08 0xDE ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x61 0x82 0x4F 0x34 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xE1 0x59 0x12 0xDE ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 8 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD02DC0_00_07DA_79^43DE932A75FD237B0BDE555D6E837849@Timestamp 0x13 0xCE 0x9B 0x34 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 696 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 1172806 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 98844272 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 8 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 519111131 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 5173 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 53d8f338-2486-40b8-a916-332ddb1 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\9cb70d859ba9 Reg HKLM\SYSTEM\CurrentControlSet\Services\bthserv\Parameters\BluetoothControlPanelTasks@State 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{3b217895-3cf5-4194-b530-886876343ce0}@LastProbeTime 1509880629 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\90-94-e4-71-b2-28@AddressCreationTimestamp 0xBD 0x76 0x0F 0x10 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\90-94-e4-71-b2-28@NatDetectionTimestamp 0xBD 0x76 0x0F 0x10 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\90-94-e4-71-b2-28@TeredoAddress 2001:0:9d38:90d7:1873:d40d:4dd5:8ca7 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Diagnostics@ReadyBootTrainingCountSinceLastServicing 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?niedz.?, ?lis ?05 ?17, 11:20:16??????????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@EffectivePends 384 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 1245 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 183 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 7 Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 418 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{76ef9502-023c-4c86-8b9f-c8d81b8d91b9}@LeaseObtainedTime 1509877028 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{76ef9502-023c-4c86-8b9f-c8d81b8d91b9}@T1 1510006628 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{76ef9502-023c-4c86-8b9f-c8d81b8d91b9}@T2 1510103828 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{76ef9502-023c-4c86-8b9f-c8d81b8d91b9}@LeaseTerminatesTime 1510136228 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xFB 0x42 0x80 0xF4 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xFB 0xAA 0x44 0x56 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xFB 0xDA 0xBB 0x92 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\WinDefend@FailureCommand C:\WINDOWS\system32\mrt.exe /EHB /ServiceFailure "CAMP=4.11.15063.447;approximate-> Engine=1.1.14305.0;AVSIG=1.255.210.0;ASSIG=1.255.210.0" /StartService /Defender /q Reg HKLM\SYSTEM\CurrentControlSet\Services\winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 9972 9978 9990 10000 10010 10030 10074 10084 10122 10128 10144 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 10150 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 10151 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 9972 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 9973 Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepositoryStatus@ServiceLastKnownStatus 101 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI@IdleTime 0 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing@SessionIdHigh 30627359 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing@SessionIdLow -282309114 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack@LaunchCount 0x09 0x00 0x00 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack@LastSuccessfulUploadTime 0xB6 0x9E 0x68 0xEB ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack@DiagTrackStatus 0 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack@LastFreeNetworkLossTime 0x08 0x5B 0x7C 0xF4 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack@LastConnectivityHeartBeatTime 0x08 0x5B 0x7C 0xF4 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\HeartBeats\Aria@LastHeartBeatTime 0x02 0xE1 0x32 0x45 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\HeartBeats\Aria@HeartBeatSequenceNumber 35 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\HeartBeats\Aria@VortexHttpAttempts 2 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\HeartBeats\Aria@EventsUploaded 2 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\HeartBeats\Default@LastHeartBeatTime 0xCE 0x86 0x32 0x45 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\HeartBeats\Default@HeartBeatSequenceNumber 103 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\HeartBeats\Default@EventDroppedConsumer 0x2A 0x00 0x00 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\HeartBeats\Default@EventDroppedDecoding 2 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\HeartBeats\Default@VortexHttpAttempts 6 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\HeartBeats\Default@EventsUploaded 95 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\HeartBeats\Default@MaxInUseScenarios 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests@LastDownloadTime 0x2B 0x24 0xF5 0xB9 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests\TELEMETRY.ASM-WINDOWSSQ@LastDownloadTime 0x3D 0xE4 0x47 0xA8 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests\WINDOWS.DIAGNOSTICS@ETag 30:66A2A38658B0E4FD::2EF6EA63C6 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests\WINDOWS.DIAGNOSTICS@LastDownloadTime 0x3D 0xE4 0x47 0xA8 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\Tenants\P-ARIA@LastRealtimeUploadTime 0x22 0xEA 0xC5 0x68 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\Tenants\P-ARIA@LastNormalUploadTime 0xE7 0xEE 0x2A 0xCD ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\TraceManager@aotSessionStartTime 0xF3 0x9B 0x23 0x45 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeLo 896265355 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeHi 30627359 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeLo 897021593 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeHi 30627359 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-2853889053-1184334768-848088225-1004\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeLo 1072143785 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-2853889053-1184334768-848088225-1004\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeHi 30627359 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-2853889053-1184334768-848088225-1004\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeLo 1072299786 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-2853889053-1184334768-848088225-1004\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeHi 30627359 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109110000000000000000F01FEC\Usage@ProductFiles 1264387538 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\CleanupTask@RetryAttempt 4 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide@MaintenanceFlags 23 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Store\Configuration@OEMDiscoveryTTL 0x14 0x9E 0xF4 0x9A ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager@ServerChangeNumber 9 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Odkurzacz 14.0_is1@EstimatedSize 14290 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator@NextRefreshTime 0x00 0xC0 0xE0 0x3D ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\ActiveUpdateSessions\51b519d5-b6f5-4333-8df6-e74d7c9aead4 Reg HKLM\SOFTWARE\Microsoft\Windows\DWM@DwmInitSessionActivityId_00000001 2AD32A2F-561F-0002-512A-D32A1F56D301 Reg HKLM\SOFTWARE\Microsoft\Windows Defender\Scan@LastQuickScanID {A7121CFD-618E-4E56-81C2-6FEBDB299E00} Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\ClientTelemetry@TelecommandLastPingTime 0x1D 0x74 0x06 0x10 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\ClientTelemetry@TelecommandLastSuccessTime 0x2F 0x74 0x06 0x10 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController@LastMaintenanceRun 0xBD 0xA4 0xAB 0x39 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib@Last Counter 10150 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib@Last Help 10151 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Telemetry@ScreenOnLatestAnalyzedSessionTimestamp 0x5F 0xFF 0xC9 0xA4 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Superfetch@LastResPriGenTime 260498559 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@LazyCheckPointUpdateInterval 86400 Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{9D2999C5-6E6F-11E1-91CB-806E6F6E6963} 5502596464 Reg HKLM\SOFTWARE\Microsoft\Windows Security Health\Health Advisor\Update Monitor@LastAssessmentRun 0x4D 0x9E 0x18 0x83 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2020-2020-57FE-9082E042CCFB}@00 0x00 0xB0 0xD0 0x0B ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2020-2020-EA86-CCCFF21429F3}@01 0x00 0xC0 0x27 0x92 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2020-2020-EA86-CCCFF21429F3}@07 0x00 0x80 0xDB 0x81 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2020-2020-EA86-CCCFF21429F3}@10 0x00 0xE0 0x99 0x0B ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2020-2020-EA86-CCCFF21429F3}@16 0x00 0x40 0x3A 0x60 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2020-2020-EA86-CCCFF21429F3}@18 0x00 0x40 0x1B 0x02 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2020-2020-EA86-CCCFF21429F3}@26 0x00 0xB0 0x60 0x01 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2020-2020-EA86-CCCFF21429F3}@29 0x00 0x00 0x11 0x5C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\CachedSizes\{20202020-2020-2020-EA86-CCCFF21429F3}@00 0x00 0x40 0xDE 0x3E ... ---- EOF - GMER 2.2 ----