GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-06-05 22:08:52
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0002 465,76GB
Running: p2tyhyvv.exe; Driver: C:\Users\MI\AppData\Local\Temp\fwdyikob.sys

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [632:664]     ffff951922136c20
Thread  C:\WINDOWS\system32\svchost.exe [528:3240]  0000017393650d3c
Thread  C:\WINDOWS\system32\svchost.exe [528:3256]  0000017393690e4c
Thread  C:\WINDOWS\system32\svchost.exe [528:3384]  00000173936d0d3c
Thread  C:\WINDOWS\system32\svchost.exe [528:3396]  0000017393650d3c
Thread  C:\WINDOWS\system32\svchost.exe [528:3416]  0000017393f115cc
Thread  C:\WINDOWS\system32\svchost.exe [528:3420]  0000017393690e4c
Thread  C:\WINDOWS\system32\svchost.exe [528:3424]  00000173936d0d3c
Thread  C:\WINDOWS\system32\svchost.exe [528:3436]  00000173927e0c8c
Thread  C:\WINDOWS\system32\svchost.exe [528:3440]  0000017393650d3c
Thread  C:\WINDOWS\system32\svchost.exe [528:3444]  0000017392830c8c
Thread  C:\WINDOWS\system32\svchost.exe [528:3448]  0000017393f115cc
Thread  C:\WINDOWS\system32\svchost.exe [528:3460]  0000017393690e4c
Thread  C:\WINDOWS\system32\svchost.exe [528:3464]  00000173936d0d3c
Thread  C:\WINDOWS\system32\svchost.exe [528:3524]  0000017393647378
Thread  C:\WINDOWS\system32\svchost.exe [528:3528]  0000017393647378
Thread  C:\WINDOWS\system32\svchost.exe [528:3536]  0000017393687378
Thread  C:\WINDOWS\system32\svchost.exe [528:3532]  00000173936c7378
Thread  C:\WINDOWS\system32\svchost.exe [528:3544]  0000017393687378
Thread  C:\WINDOWS\system32\svchost.exe [528:3540]  00000173936c7378
Thread  C:\WINDOWS\system32\svchost.exe [528:3616]  00000173927e0c8c
Thread  C:\WINDOWS\system32\svchost.exe [528:3620]  0000017392830c8c
Thread  C:\WINDOWS\system32\svchost.exe [528:3624]  0000017393f115cc
Thread  C:\WINDOWS\system32\svchost.exe [528:3632]  0000017393f07378
Thread  C:\WINDOWS\system32\svchost.exe [528:3636]  0000017393f07378
Thread  C:\WINDOWS\system32\svchost.exe [528:3748]  00000173927d7378
Thread  C:\WINDOWS\system32\svchost.exe [528:3744]  0000017392827378
Thread  C:\WINDOWS\system32\svchost.exe [528:3752]  00000173927d7378
Thread  C:\WINDOWS\system32\svchost.exe [528:3756]  0000017392827378
Thread  C:\WINDOWS\system32\svchost.exe [528:3788]  00000173927e0c8c
Thread  C:\WINDOWS\system32\svchost.exe [528:3792]  0000017392830c8c
Thread  C:\WINDOWS\SysWOW64\svchost.exe [3964:2140]  0000000003642acf
Thread  C:\WINDOWS\SysWOW64\svchost.exe [3964:2056]  0000000003642acf
Thread  C:\WINDOWS\SysWOW64\svchost.exe [3964:804]   0000000003642acf
Thread  C:\WINDOWS\SysWOW64\svchost.exe [3964:4952]  0000000003642acf
Thread  C:\WINDOWS\SysWOW64\svchost.exe [3964:1584]  0000000003642acf
Thread  C:\WINDOWS\SysWOW64\svchost.exe [2864:3900]  000000000319100e
Thread  C:\WINDOWS\SysWOW64\svchost.exe [2864:3896]  000000000319100e
Thread  C:\WINDOWS\SysWOW64\svchost.exe [2864:3480]  000000000319100e
Thread  C:\WINDOWS\SysWOW64\svchost.exe [2864:1620]  000000000319100e
Thread  C:\WINDOWS\SysWOW64\svchost.exe [2864:320]   000000000319100e

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  980214135
Reg  HKLM\SYSTEM\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\9@Timestamp  0xEB 0x9E 0x32 0x3A ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{716f54c7-54ee-4f94-86f0-c1f8155b43dc}@LeaseObtainedTime  1496690131
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{716f54c7-54ee-4f94-86f0-c1f8155b43dc}@T1  1496691931
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{716f54c7-54ee-4f94-86f0-c1f8155b43dc}@T2  1496693281
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{716f54c7-54ee-4f94-86f0-c1f8155b43dc}@LeaseTerminatesTime  1496693731
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0xCC 0x6D 0x39 0xBB ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0xCC 0xD5 0xFD 0x1C ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0xCC 0x05 0x75 0x59 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest  0x34 0x51 0xD2 0x22 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{52B264AD-CF5D-4DEA-968F-DF91C9B0CA05}@LastAccessedTime  0xE0 0x6C 0x05 0x69 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{52B264AD-CF5D-4DEA-968F-DF91C9B0CA05}@LaunchCount  5
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{B06D61C5-4246-4A82-90E4-3C3522CB6929}@LastAccessedTime  0x60 0xCF 0xD0 0xA3 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{B06D61C5-4246-4A82-90E4-3C3522CB6929}@LaunchCount  6

---- EOF - GMER 2.2 ----