GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-07-08 14:36:09
Windows 6.2.9200 x64 \Device\Harddisk1\DR1 -> \Device\0000002e Patriot_Blaze rev.S9FM02.6 111,79GB
Running: 91lhvhuh.exe; Driver: C:\Users\nowy\AppData\Local\Temp\aflcyaod.sys

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [664:784]  fffff960a4784030
Thread  C:\WINDOWS\system32\svchost.exe [1316:3424]  00007fff055a1240
Thread  C:\WINDOWS\system32\svchost.exe [1316:3428]  00007fff05589490
Thread  C:\WINDOWS\system32\svchost.exe [1316:3468]  00007fff049329b0
Thread  C:\WINDOWS\system32\svchost.exe [1316:4864]  00007ffef8b43d30
Thread  C:\WINDOWS\Explorer.EXE [3492:760]  00007ffee5cc0250

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime  0xA1 0xD7 0x0D 0xA1 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime  0x1C 0x7F 0x09 0x51 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime  0xA1 0xD7 0x0D 0xA1 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime  0xD9 0xE1 0x0B 0x51 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL  31
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\GSM59CA16843009_01_07DD_98^8888F5E34F18B67D8B90B31E21160595@Timestamp  0x47 0x65 0xE2 0xA1 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  744
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  1326980631
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID  796cbc87-51ce-4c30-ba60-e25e621
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName  \BaseNamedObjects\WDI_{c51c02e1-cca8-4651-b56c-92a67f4bafb5}
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{872559fa-8726-4f23-8f4b-ae8276c129df}@LastProbeTime  1467986995
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_56ec4\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_56ec4\Security@Security  0x01 0x00 0x14 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_56ec4\TriggerInfo
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_56ec4\TriggerInfo\0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_56ec4\TriggerInfo\0@Type  7
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_56ec4\TriggerInfo\0@Action  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_56ec4\TriggerInfo\0@Guid  0x16 0x28 0x7A 0x2D ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_56ec4\TriggerInfo\0@Data0  0x75 0x18 0xBC 0xA3 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_56ec4\TriggerInfo\0@DataType0  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_56ec4\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_56ec4\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_56ec4\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_56ec4\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence  30
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{84238589-07c6-4aac-83b9-282d5d1388f0}@LeaseObtainedTime  1467979793
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{84238589-07c6-4aac-83b9-282d5d1388f0}@T1  1467983393
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{84238589-07c6-4aac-83b9-282d5d1388f0}@T2  1467986093
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{84238589-07c6-4aac-83b9-282d5d1388f0}@LeaseTerminatesTime  1467986993
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_56ec4\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_56ec4\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_56ec4\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_56ec4\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0x40 0x1C 0x66 0xC4 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0x40 0x84 0x2A 0x26 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0x40 0xB4 0xA1 0x62 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount  0x1D 0x8B 0x09 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsBandwidthBucketCounter  102
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter  0
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime  0x68 0xA7 0x61 0xA0 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime  0x68 0xA7 0x61 0xA0 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime  0x68 0xA7 0x61 0xA0 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter  1529
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter  0
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime  0x68 0xA7 0x61 0xA0 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@RoamingSyncToken  LM%3d63603576660507%3bID%3dB418477BA74763FA!104%3bLR%3d63603532040960%3bEP%3d10%3bSI%3d42%3bTD%3dTrue%3bSO%3d0%3bPI%3d49
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime  0x7D 0x46 0xF1 0x17 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest  0x22 0x46 0xC6 0xCC ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds  Chrome.Gejelekagied.ChromeDefaultData?
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance@MessageTime  0x20 0x9A 0xC8 0x33 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_NVIDIA Web Helpe_b9817ba995ed4d4cff84be3565cb66b01f15bdbb_2ecb5dcc_1d78a2e7

---- EOF - GMER 2.2 ----
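Triage helper for the log above, added as an example; it is not part of the log and not GMER's own code. It parses GMER 2.2 "Thread" and "Reg" entries (fields separated by two or more spaces, key and value name joined by "@"), flags thread start addresses that fall in the x64 kernel half of the address space, and decodes the decimal Unix-epoch *Time values (the DHCP lease times on the Tcpip interface key) to UTC. The embedded SAMPLE_LOG is a constructed excerpt of this log, not the full text; the binary "0x.. 0x.. ..." dumps are left undecoded because GMER truncates them. A kernel-range start address (here csrss.exe at fffff960..., the win32k range) is only a cue to look closer, not evidence of a rootkit; entries like these, and the SqmData/W32Time/DHCP timers in the registry section, are routinely present in logs from clean systems.

```python
"""Parse GMER 2.2 'Threads' and 'Registry' entries, flag kernel-space thread
start addresses and decode Unix-epoch *Time values.  Example code written for
this page; it is not GMER's own code."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed excerpt of the log above, in GMER's one-entry-per-line layout
# with two or more spaces between fields.
SAMPLE_LOG = r"""
GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-07-08 14:36:09

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [664:784]  fffff960a4784030
Thread  C:\WINDOWS\system32\svchost.exe [1316:3424]  00007fff055a1240
Thread  C:\WINDOWS\Explorer.EXE [3492:760]  00007ffee5cc0250

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  744
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  1326980631
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{84238589-07c6-4aac-83b9-282d5d1388f0}@LeaseObtainedTime  1467979793
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{84238589-07c6-4aac-83b9-282d5d1388f0}@LeaseTerminatesTime  1467986993
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_56ec4\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_56ec4\Security@Security  0x01 0x00 0x14 0x80 ...

---- EOF - GMER 2.2 ----
"""

# x64 Windows maps the kernel in the upper canonical half of the address space.
KERNEL_BASE = 0xFFFF_8000_0000_0000

# "C:\path\image.exe [pid:tid]" as GMER prints the second Thread field.
THREAD_RE = re.compile(r"^(?P<image>.+) \[(?P<pid>\d+):(?P<tid>\d+)\]$")


@dataclass
class ThreadEntry:
    image: str
    pid: int
    tid: int
    start_addr: int

    @property
    def kernel_mode(self) -> bool:
        # A user-mode process thread whose start address resolves into kernel
        # space is worth a second look (csrss in the win32k range is common).
        return self.start_addr >= KERNEL_BASE


@dataclass
class RegEntry:
    key: str
    value: Optional[str]   # None when GMER lists the key itself
    data: Optional[str]    # None when no data is printed

    @property
    def timestamp(self) -> Optional[datetime]:
        """Decode decimal *Time values as Unix epoch seconds (UTC)."""
        if self.value is None or not self.value.endswith("Time"):
            return None
        if self.data is None or not self.data.isdigit():
            return None    # truncated binary dumps ("0xA1 0xD7 ...") stay undecoded
        return datetime.fromtimestamp(int(self.data), tz=timezone.utc)


def parse_gmer(text: str) -> Tuple[List[ThreadEntry], List[RegEntry]]:
    """Split each line on runs of two or more spaces: registry paths such as
    'Session Manager' contain single spaces, so a single-space split would break."""
    threads: List[ThreadEntry] = []
    regs: List[RegEntry] = []
    for raw in text.splitlines():
        fields = re.split(r" {2,}", raw.strip())
        kind = fields[0]
        if kind == "Thread" and len(fields) == 3:
            m = THREAD_RE.match(fields[1])
            if m:
                threads.append(ThreadEntry(m["image"], int(m["pid"]),
                                           int(m["tid"]), int(fields[2], 16)))
        elif kind == "Reg" and len(fields) >= 2:
            key, sep, value = fields[1].partition("@")   # GMER prints key@value
            data = fields[2] if len(fields) > 2 else None
            regs.append(RegEntry(key, value if sep else None, data))
    return threads, regs


def kernel_threads(threads: List[ThreadEntry]) -> List[ThreadEntry]:
    return [t for t in threads if t.kernel_mode]


def dhcp_lease(regs: List[RegEntry]) -> Tuple[Optional[datetime], Optional[datetime]]:
    """(LeaseObtainedTime, LeaseTerminatesTime) in UTC from the Tcpip interface key."""
    times = {r.value: r.timestamp for r in regs if "Tcpip" in r.key and r.timestamp}
    return times.get("LeaseObtainedTime"), times.get("LeaseTerminatesTime")


if __name__ == "__main__":
    th, rg = parse_gmer(SAMPLE_LOG)
    for t in kernel_threads(th):
        print(f"kernel-range start: {t.image} [{t.pid}:{t.tid}] {t.start_addr:016x}")
    obtained, ends = dhcp_lease(rg)
    print(f"DHCP lease {obtained} -> {ends}")
```

Run it against a log saved from GMER itself; a copy that has been flattened to single spaces (as this page was before reformatting) cannot be split reliably because the two-space field separator is gone.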