GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-07-15 03:04:53 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000031 WDC_WD10JPVX-75JC3T0 rev.01.01A01 931,51GB Running: w5l813ti.exe; Driver: C:\Users\USER1\AppData\Local\Temp\pglcapog.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\SYSTEM32\iertutil.dll [1972] entry point in ".rdata" section 000000007323d380 ? C:\Windows\SYSTEM32\ActXPrxy.dll [1972] entry point in ".rdata" section 000000007263bd10 ? C:\WINDOWS\SYSTEM32\apphelp.dll [1972] entry point in ".rdata" section 0000000072d90380 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [1972] entry point in ".rdata" section 0000000069f1bb10 ? C:\WINDOWS\system32\apphelp.dll [1736] entry point in ".rdata" section 0000000072d90380 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [632:684] fffff960b0d84030 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control@SystemStartOptions NOEXECUTE=OPTIN Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\MSBDD_CMN17340_14_07DD_41_1414_008D_FFFFFFFF_FFFFFFFF_0^04A94FCF69F1F3F432EA28EE31C48BC2@Timestamp 0x59 0x71 0xF2 0x3F ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 912 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Program Files\Trend Micro\AMSP\update\AMSP_Module??\??\C:\Program Files\Trend Micro\AMSP\update\engine??\??\C:\Program Files\Trend Micro\AMSP\update\pattern??\??\C:\Program Files\Trend Micro\AMSP\update\3rdComponent??\??\C:\Program Files\Trend Micro\AMSP\update\bootstrap_helper??\??\C:\Program Files\Trend Micro\AMSP\update\backup??\??\C:\Program Files\Trend Micro\AMSP\update\program??\??\C:\Program Files\Trend Micro\AMSP\update\patch??\??\C:\Program Files\Trend Micro\AMSP\update\security_patch??\??\C:\Program Files\Trend Micro\AMSP\update\security_patch??\??\C:\Program Files\Trend Micro\Titanium\plugin\Pt\Sponge\Cache\bootup_info.json??\??\C:\Program Files\Trend Micro\Titanium\plugin\Pt\Sponge\Cache\idle_history.json??\??\C:\Program Files\Trend Micro\Titanium\plugin\Pt\Sponge\Cache\overview.json??\??\C:\Program Files\Trend Micro\AMSP\update\security_patch??\??\C:\Program Files\Trend Micro\AMSP\update\security_patch?? Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 3774068 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1503769214 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 23 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 478722459 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 3584 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 3322 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID fd40aea0-8e5b-4c40-81f6-490fa63 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\WdiContextLog@FileCounter 2 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\WMZuneComm@FileCounter 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\amdsbs\Parameters\Device-1@RaidCount 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\9cd21ee5bf84 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{58aa7e5b-f928-4eb9-aca5-f04da1767ee6}@LastProbeTime 1468526226 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 2891 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 830 Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 1235 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0ca29e32-c87e-4ca8-8bfb-3fb77c5e90f0}@LeaseObtainedTime 1468536718 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0ca29e32-c87e-4ca8-8bfb-3fb77c5e90f0}@T1 1468579918 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0ca29e32-c87e-4ca8-8bfb-3fb77c5e90f0}@T2 1468612318 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0ca29e32-c87e-4ca8-8bfb-3fb77c5e90f0}@LeaseTerminatesTime 1468623118 Reg HKLM\SYSTEM\CurrentControlSet\Services\TMEBC@EBCflag 1610381995 Reg HKLM\SYSTEM\CurrentControlSet\Services\TMEBC\fbak Reg HKLM\SYSTEM\CurrentControlSet\Services\TMEBC\fbak@1 0xA1 0x5E 0x8D 0x27 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\TMEBC\rcln Reg HKLM\SYSTEM\CurrentControlSet\Services\TMEBC\rcln@1 0x48 0x92 0x43 0xE8 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\TMEBC\rcln@2 0xB5 0xC3 0x6A 0xE9 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeConfidence 6 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0xD6 0x34 0x29 0x01 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 10308 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 10309 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 10130 10136 10148 10158 10168 10188 10232 10242 10280 10286 10302 ---- Files - GMER 2.2 ---- File C:\Users\USER1\AppData\Local\Mozilla\Firefox\Profiles\54pvmnnl.default-1460639963953\cache2\entries\72169814A186295DBDF515B60594D17E16307A9E 52186 bytes File C:\Users\USER1\AppData\Local\Mozilla\Firefox\Profiles\54pvmnnl.default-1460639963953\cache2\entries\C6B9D39C068C7D538506B6817587082AC7212D8B 11367 bytes File C:\Users\USER1\AppData\Local\Mozilla\Firefox\Profiles\54pvmnnl.default-1460639963953\cache2\entries\038A9BDB9670074313911B73FFE74C134F172E70 3109 bytes File C:\Users\USER1\AppData\Local\Mozilla\Firefox\Profiles\54pvmnnl.default-1460639963953\cache2\entries\01524648E73AE71FA5BD69EAD93F949160804EE9 904 bytes File C:\Users\USER1\AppData\Local\Mozilla\Firefox\Profiles\54pvmnnl.default-1460639963953\cache2\entries\F85BBFD23A22BEF5AE3775C9081455DA454FA25B 13431 bytes File C:\Users\USER1\AppData\Local\Mozilla\Firefox\Profiles\54pvmnnl.default-1460639963953\cache2\entries\EE7D56F06821C728AA9F418407F13733B75B71BC 11362 bytes File C:\Users\USER1\AppData\Local\Mozilla\Firefox\Profiles\54pvmnnl.default-1460639963953\cache2\entries\A615057B0CD9BE3FD2A820D2CCF0D75A9C8DB825 14403 bytes File C:\Users\USER1\AppData\Local\Mozilla\Firefox\Profiles\54pvmnnl.default-1460639963953\cache2\entries\6F7A3D95A9EE7787B4EB018302A26894811B0BA5 515891 bytes File C:\Users\USER1\AppData\Local\Mozilla\Firefox\Profiles\54pvmnnl.default-1460639963953\cache2\entries\29AD34DAE758C91B0DDE477AC4D5D0AED8CDA14C 8306 bytes File C:\Users\USER1\AppData\Local\Mozilla\Firefox\Profiles\54pvmnnl.default-1460639963953\cache2\entries\0F2BD8386DED2C940E9BBF814FF416FC3AF96038 904 bytes File C:\Users\USER1\AppData\Local\Mozilla\Firefox\Profiles\54pvmnnl.default-1460639963953\cache2\entries\40465C295377EFD65C95894B2DA70566B0D36DD3 1839 bytes File C:\Users\USER1\AppData\Local\Mozilla\Firefox\Profiles\54pvmnnl.default-1460639963953\cache2\entries\36F6D97F645C9623BCE212429AA0B3AF0FF62AC0 868 bytes File C:\Users\USER1\AppData\Local\Mozilla\Firefox\Profiles\54pvmnnl.default-1460639963953\cache2\entries\36FD5BEC26627CF08632FD36180376DB1811569F 26985 bytes File C:\Users\USER1\AppData\Local\Mozilla\Firefox\Profiles\54pvmnnl.default-1460639963953\cache2\entries\719A92A76F23C015CF76C61EC775FC83CFE29BE0 5147 bytes ---- EOF - GMER 2.2 ----