Untitled

a guest
May 17th, 2016
GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-05-17 17:07:51
Windows 6.2.9200 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0-0 KINGSTON_SV300S37A60G rev.505ABBF0 55,90GB
Running: 1krc8tni.exe; Driver: C:\Users\zoube\AppData\Local\Temp\ugadyfow.sys


---- User code sections - GMER 2.2 ----

? C:\Windows\SYSTEM32\iertutil.dll [5228] entry point in ".rdata" section 0000000070eacb70
? C:\Windows\SYSTEM32\NTASN1.dll [5228] entry point in ".rdata" section 000000006ee1bb10
? C:\Windows\SYSTEM32\ActXPrxy.dll [5228] entry point in ".rdata" section 000000006fd1bd10
? C:\Windows\system32\wbem\wbemsvc.dll [5296] entry point in ".rdata" section 0000000065cd8fa0
? C:\Windows\SYSTEM32\ActXPrxy.dll [5296] entry point in ".rdata" section 000000006fd1bd10
? C:\Windows\SYSTEM32\iertutil.dll [5420] entry point in ".rdata" section 0000000070eacb70
? C:\Windows\SYSTEM32\NTASN1.dll [5420] entry point in ".rdata" section 000000006ee1bb10
? C:\Windows\system32\apphelp.dll [5896] entry point in ".rdata" section 0000000071240380
? C:\Windows\SYSTEM32\iertutil.dll [5896] entry point in ".rdata" section 0000000070eacb70
? C:\Windows\SYSTEM32\ActXPrxy.dll [5896] entry point in ".rdata" section 000000006fd1bd10
? C:\Windows\system32\mssprxy.dll [5896] entry point in ".rdata" section 000000005e7ba4e0
? C:\Windows\SYSTEM32\fdproxy.dll [5896] entry point in ".rdata" section 000000005e7a5640
? C:\Windows\system32\apphelp.dll [5916] entry point in ".rdata" section 0000000071240380
? C:\Windows\system32\apphelp.dll [6020] entry point in ".rdata" section 0000000071240380
? C:\Windows\SYSTEM32\iertutil.dll [6020] entry point in ".rdata" section 0000000070eacb70
? C:\Windows\system32\apphelp.dll [6092] entry point in ".rdata" section 0000000071240380
? C:\Windows\SYSTEM32\iertutil.dll [6092] entry point in ".rdata" section 0000000070eacb70
? C:\Windows\system32\apphelp.dll [6108] entry point in ".rdata" section 0000000071240380
? C:\Windows\SYSTEM32\iertutil.dll [6108] entry point in ".rdata" section 0000000070eacb70
? C:\Windows\system32\apphelp.dll [6124] entry point in ".rdata" section 0000000071240380
? C:\Windows\SYSTEM32\iertutil.dll [6124] entry point in ".rdata" section 0000000070eacb70
? C:\Windows\system32\apphelp.dll [6796] entry point in ".rdata" section 0000000071240380

---- Threads - GMER 2.2 ----

Thread C:\Windows\system32\csrss.exe [612:664] fffff9606a774060
Thread C:\Windows\system32\SettingSyncHost.exe [2552:5076] 00007ff9c75cc040
Thread C:\Windows\system32\SettingSyncHost.exe [2552:5440] 00007ff9d58b64d0

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x78 0xEF 0x24 0xA1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x8C 0x49 0x78 0xC3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x8F 0x3D 0x25 0xA1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x46 0x97 0x78 0xC3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@cs-CZ 37
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\GSM567E12286_07_07D8_31^604FB161C249BB4B82423B87B305F493@Timestamp 0x15 0xD7 0x63 0xC5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 744
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Users\zoube\AppData\Local\Temp\zoek.com??\??\C:\$Recycle.Bin?!\??\C:\zoek\in\RECYCLE.BIN?\??\C:\Windows\Temp?!\??\C:\zoek\in\WINDOWSTEMP?\??\C:\zoek\out\WINDOWSTEMP?!\??\C:\Windows\Temp?\??\C:\Users\zoube\AppData\Local\Temp?!\??\C:\zoek\in\USERTEMP?\??\C:\zoek\out\USERTEMP?!\??\C:\Users\zoube\AppData\Local\Temp?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 1704056
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1898819327
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 37
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 473754954
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 18397
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 4fff3b07-aec7-41b9-8984-5df91e1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId 2
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\WdiContextLog@FileCounter 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\AmdPPM\Parameters\Wdf@TimeOfLastTelemetryLog 0x5B 0x12 0xC5 0xC6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\cdrom\Parameters\Wdf@TimeOfLastTelemetryLog 0x88 0x3F 0xE9 0xC6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x5B 0x12 0xC5 0xC6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{4e4ba383-4304-48fd-818e-00f29694cbe3}@LastProbeTime 1463439489
Reg HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x4B 0x89 0xDA 0xC6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{416C6C44-899C-47FC-ACE8-56EF610B10AB}@DefunctTimestamp 0x54 0x0C 0x3B 0x57 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\38-72-c0-96-7b-4a@UPnPState 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\38-72-c0-96-7b-4a@AddressCreationTimestamp 0xD7 0x9E 0x4B 0x0D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\38-72-c0-96-7b-4a@ClientLocalPort 49188
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\38-72-c0-96-7b-4a@UPnPExternalPort 49188
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\38-72-c0-96-7b-4a@TeredoAddress 2001:0:9d38:6abd:1cb5:3a97:92ae:2dbe
Reg HKLM\SYSTEM\CurrentControlSet\Services\monitor\Parameters\Wdf@TimeOfLastTelemetryLog 0x23 0xF4 0x0A 0xCA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\msisadrv\Parameters\Wdf@TimeOfLastTelemetryLog 0x6C 0x50 0x24 0xC5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x94 0x82 0x23 0xC7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 3155
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 522
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 35
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{62a2824b-6576-490c-9038-2c97eb244e68}@LeaseObtainedTime 1463487809
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{62a2824b-6576-490c-9038-2c97eb244e68}@T1 1463531009
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{62a2824b-6576-490c-9038-2c97eb244e68}@T2 1463563409
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{62a2824b-6576-490c-9038-2c97eb244e68}@LeaseTerminatesTime 1463574209
Reg HKLM\SYSTEM\CurrentControlSet\Services\umbus\Parameters\Wdf@TimeOfLastTelemetryLog 0x5B 0x12 0xC5 0xC6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrvroot\Parameters\Wdf@TimeOfLastTelemetryLog 0x97 0xC5 0x39 0xC5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeConfidence 6
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xA0 0x43 0xB3 0x47 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xA0 0xAB 0x77 0xA9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xA0 0xDB 0xEE 0xE5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0x2F 0x68 0xDB 0x03 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter 11073
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0xEF 0xC4 0x3C 0x2F ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0xEF 0xC4 0x3C 0x2F ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0xEF 0xC4 0x3C 0x2F ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0xEF 0xC4 0x3C 0x2F ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\f0306e9e
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\f0306e9e@FileExtension jpg
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\f0306e9e@Url wpnidm:http://store-images.s-microsoft.com/image/global.57333.acentoprodimg.658d2e7c-b63b-479c-9fa8-3c02352d16e9.b1f2aa27-415d-4188-ab04-2e68386a385a?w=600&foreground=%2300000033
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\f0306e9e@FileName C:\Users\zoube\AppData\Local\Microsoft\Windows\Notifications\wpnidm\f0306e9e.jpg
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\f0306e9e@FileSize 54818
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\f0306e9e@Flag 1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\f0306e9e@LocalPath C:\Users\zoube\AppData\Local\Microsoft\Windows\Notifications\wpnidm\f0306e9e.jpg
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\f0306e9e@Aumid Microsoft.WindowsStore_8wekyb3d8bbwe!App
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\f0306e9e@Expiration 0x00 0x00 0x00 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\f0306e9e@NotificationsCount 1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\f0306e9e@Notifications 0xB3 0x8C 0x02 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\remotesyncdummyid@PendingOperations 8192

---- EOF - GMER 2.2 ----