Re: Fileless malware
Napsal: 16 úno 2018 20:08
Podle všeho v PC žádný malware není.
GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2018-02-16 20:35:27
Windows 6.2.9200 x64
Running: gmer.exe
---- Registry - GMER 2.2 ----
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1444346276
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_15178526382032322@SetupOperations ???I???? J?J?J?J K?K???????? ????|??????????????????????????????? ???????I???????????I???????? ??????????????????????????I??????Commited?????I?I?I?I?I?I?????????????????????????????????C???????????????I???e???????????????????????????|???????????????????|??????????? ???????/?????????????/??????????j?&????????????????????????o???I???I??????????????MoveFile("\??\C:\Program Files\AVAST Software\Avast\afw14F0.tmp","\??\C:\Program Files\AVAST Software\Avast\afwServ.exe",TRUE)?MoveFile("\??\C:\Program Files\AVAST Software\Avast\afw14F1.tmp","\??\C:\Program Files\AVAST Software\Avast\afwCore.dll",TRUE)?MoveFile("\??\C:\Program Files\AVAST Software\Avast\afw14F2.tmp","\??\C:\Program Files\AVAST Software\Avast\afwCoreClient.dll",TRUE)?MoveFile("\??\C:\Program Files\AVAST Software\Avast\afw1503.tmp","\??\C:\Program Files\AVAST Software\Avast\afwCoreServ.dll",TRUE)?MoveFile("\??\C:\Program Files\AVAST Software\Avast\afw1504.tmp","\??\C:\Program Files\AVAST Software\Avast\afwGeoIP.dll",TRUE)?MoveFile("\??\C:\Program File
Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_15184512714062326@SetupOperations ???pft???&???????e???????????????????n???????????r???????d??v2.27|AppPkgId=S-1-15-2-4177018473-2823706547-3652141868-2730301309-560159678-43221128-488844051|LUOwn=S-1-5-21-3293991828-597369053-3185864033-1002|C=S-1-15-3-1|C=S-1-15-3-3|C=S-1-15-3-4177018473-2823706547-3652141868-2730301309-560159678-43221128-488844051|M=microsoft.print3d_8wekyb3d8bbwe|Name=Print 3D|Desc=Print 3D|D=C:\Program Files\WindowsApps\Microsoft.Print3D_2.0.3621.0_x64__8wekyb3d8bbwe\|PFN=Microsoft.Print3D_2.0.3621.0_x64__8wekyb3d8bbwe|???v2.27|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.People_10.3.3472.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.People/Resources/AppStoreName}|Desc=@{Microsoft.People_10.3.3472.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.People/Resources/AppStoreName}|LUOwn=S-1-5-21-3293991828-597369053-3185864033-1002|AppPkgId=S-1-15-2-3981118486-977731610-4260702232-2292029000-2544493239-2660358776-1526570402|EmbedCtxt=@{Microsoft.People_10.3.3472.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.People/Resources/Ap
Reg HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\S-1-5-21-3293991828-597369053-3185864033-1002@SequenceNumber 61
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-22-6b-05-81-ae@AddressCreationTimestamp 0x83 0x9F 0x97 0x10 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-22-6b-05-81-ae@NatDetectionTimestamp 0x83 0x9F 0x97 0x10 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-22-6b-05-81-ae@TeredoAddress 2001:0:9d38:6ab8:cb6
4d00:57b1Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMChameleon@ProtectedRegistry ???o?c??????????0????????????????????????????????????? ????????????????????????(??????P?????????????????????????? ???????j???????????`??????????J?????0??????????a????????????J??j??????0???E64B9AEE-F372-4312-9A14-8F1502B5C8E3??????????????????0?????? ???????H?????c?????j????????$?j?????????????????b??j?????????e????@%SystemRoot%\system32\SharedRealitySvc.dll,-100?????j?j?j?j?j?j?j?j?j?j?j????????????????????????j??j????????h?????%SystemRoot%\system32\svchost.exe -k LocalService -p????????????????t??????? ?????????????b??j?????????n????@%SystemRoot%\system32\SharedRealitySvc.dll,-101?????????b???????????e??? 4??j??????????????NT AUTHORITY\LocalService?????????????????????????0??j??????????????????SeImpersonatePrivilege????????4??j???i???????i??????????????????????????????? ???????j???????????h????????,?V??? ???????????? V??j??????????????%SystemRoot%\System32\SharedRealitySvc.dll??????????????????????????????? ???????j???????????j???????????????????????????j??????????????????0????????????????p?????????????????
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 2850
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 1277
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xCE 0x7D 0x78 0xB8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xCE 0xE5 0x3C 0x1A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xCE 0x15 0xB4 0x56 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\iexplore@Count 6
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\{9D8A0DCB-2BEF-4461-83F4-6D9991350429}@LastAccessedTime 0x00 0x1D 0x37 0xD8 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\{9D8A0DCB-2BEF-4461-83F4-6D9991350429}@LaunchCount 12
---- EOF - GMER 2.2 ----