GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-07-28 19:43:40
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.01.0 298,09GB
Running: l9mzqb7t.exe; Driver: C:\Users\xxx\AppData\Local\Temp\pftiqpob.sys

---- Threads - GMER 2.2 ----

Thread C:\Windows\system32\svchost.exe [736:788] 000007fefc78332c
Thread C:\Windows\system32\svchost.exe [736:792] 000007fefc7810b0
Thread C:\Windows\System32\svchost.exe [960:1268] 000007fefaa959a0
Thread C:\Windows\System32\svchost.exe [960:2500] 000007fefcf31a70
Thread C:\Windows\System32\svchost.exe [960:2520] 000007fef94544e0
Thread C:\Windows\System32\svchost.exe [960:2308] 000007fef9478730
Thread C:\Windows\System32\svchost.exe [960:3460] 000007fef9c188f8
Thread C:\Windows\system32\svchost.exe [984:1076] 000007fef3fd506c
Thread C:\Windows\system32\svchost.exe [984:1816] 000007fef5925170
Thread C:\Windows\system32\svchost.exe [984:2180] 000007fef5925170
Thread C:\Windows\system32\svchost.exe [984:1776] 000007fee828e1c4
Thread C:\Windows\system32\svchost.exe [984:3064] 000007fef7b71ab0
Thread C:\Windows\system32\svchost.exe [984:1724] 000007fef7ad4164
Thread C:\Windows\system32\svchost.exe [448:1492] 000007fef8ad0ea8
Thread C:\Windows\system32\svchost.exe [448:1536] 000007fef8ac9db0
Thread C:\Windows\system32\svchost.exe [448:1236] 000007fef8acaa10
Thread C:\Windows\system32\svchost.exe [448:1232] 000007fef8ad1c94
Thread C:\Windows\system32\svchost.exe [448:2736] 000007fef471d3c8
Thread C:\Windows\system32\svchost.exe [448:2740] 000007fef471d3c8
Thread C:\Windows\system32\svchost.exe [448:2744] 000007fef471d3c8
Thread C:\Windows\system32\svchost.exe [448:2748] 000007fef471d3c8
Thread C:\Windows\system32\svchost.exe [368:1844] 000007fef96ebec4
Thread C:\Windows\system32\svchost.exe [368:2968] 000007fef5925170
Thread C:\Windows\system32\svchost.exe [368:3032] 000007fef9065124
Thread C:\Windows\System32\spoolsv.exe [1352:1264] 000007fef28a10c8
Thread C:\Windows\System32\spoolsv.exe [1352:2964] 000007fef2866144
Thread C:\Windows\System32\spoolsv.exe [1352:120] 000007fef9385fd0
Thread C:\Windows\System32\spoolsv.exe [1352:2864] 000007fef2843438
Thread C:\Windows\System32\spoolsv.exe [1352:764] 000007fef93863ec
Thread C:\Windows\System32\spoolsv.exe [1352:1664] 000007fef34c5e5c
Thread C:\Windows\System32\spoolsv.exe [1352:1284] 000007fef28b5090
Thread C:\Windows\system32\svchost.exe [1392:1420] 000007fefcf31a70
Thread C:\Windows\system32\svchost.exe [1392:1472] 000007fefcf31a70
Thread C:\Windows\system32\svchost.exe [1392:1540] 000007fefcf31a70
Thread C:\Windows\system32\svchost.exe [1392:1552] 000007fef9cb2c70
Thread C:\Windows\system32\svchost.exe [1392:1568] 000007fef9cbfb40
Thread C:\Windows\system32\svchost.exe [1392:1580] 000007fef9cd1d20
Thread C:\Windows\system32\svchost.exe [1392:1584] 000007fef9cbf6f0
Thread C:\Windows\system32\svchost.exe [1392:1684] 000007fef9c535c0
Thread C:\Windows\system32\svchost.exe [1392:1688] 000007fef9c55600
Thread C:\Windows\system32\svchost.exe [1392:1592] 000007fef8132888
Thread C:\Windows\system32\svchost.exe [1392:1788] 000007fef8122940
Thread C:\Windows\system32\svchost.exe [1392:2584] 000007fef8132a40
Thread C:\Windows\system32\taskhost.exe [1444:1476] 000007fefaa42740
Thread C:\Windows\system32\taskhost.exe [1444:1524] 000007fefaa31f38
Thread C:\Windows\system32\taskhost.exe [1444:2032] 000007fef8751010
Thread C:\Windows\system32\svchost.exe [1620:2040] 000007fef9385fd0
Thread C:\Windows\system32\svchost.exe [1620:2044] 000007fef93863ec
Thread C:\Windows\system32\svchost.exe [1620:3024] 000007fef4258470
Thread C:\Windows\system32\svchost.exe [1620:3028] 000007fef4262418
Thread C:\Windows\system32\svchost.exe [1620:2476] 000007fef3bd5ec0
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2928:3060] 000007fefba62ab8
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2928:2056] 000007fef9065124
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2060:2624] 00000000772e7587
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2060:2644] 00000000751c0cb3
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2060:520] 00000000777a41f3
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2060:2436] 00000000777a6679
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2060:2068] 00000000777a6679
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2060:3456] 00000000777a6679
Thread C:\Windows\System32\svchost.exe [1184:616] 000007fee8619688

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\238c9fa8-0aad-41ed-83f4-97be242c8f20\29f6c1db-86da-48c5-9fdb-f2b67b1f44da@ACSettingIndex 1800
Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\238c9fa8-0aad-41ed-83f4-97be242c8f20\29f6c1db-86da-48c5-9fdb-f2b67b1f44da@DCSettingIndex 900
Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\238c9fa8-0aad-41ed-83f4-97be242c8f20\9d7815a6-7ee4-497e-8888-515a05f02364@ACSettingIndex 43200
Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\238c9fa8-0aad-41ed-83f4-97be242c8f20\9d7815a6-7ee4-497e-8888-515a05f02364@DCSettingIndex 10800
Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\7516b95f-f776-4464-8c53-06167f40cc99\17aaa29b-8b43-4b94-aafe-35f64daaf1ee@DCSettingIndex 300
Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\7516b95f-f776-4464-8c53-06167f40cc99\3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e@ACSettingIndex 900
Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\7516b95f-f776-4464-8c53-06167f40cc99\3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e@DCSettingIndex 600
Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\381b4222-f694-41f0-9685-ff5bb260df2e\7516b95f-f776-4464-8c53-06167f40cc99\aded5e82-b909-4619-9949-f5d71dac0bcb@DCSettingIndex 50
Reg HKLM\SYSTEM\CurrentControlSet\services\TrustedInstaller@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\services\TrustedInstaller

---- Files - GMER 2.2 ----

File C:\Windows\assembly\NativeImages_v2.0.50727_64\index139.dat 0 bytes
File C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\6db4f323fc83a2a96893e68f4bd884f1 0 bytes
File C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Runtime.Seri#\d0c6d3aadce1e38bbcb06905e132a503 0 bytes
File C:\Windows\Temp\TMP000000012FB3194B09357B8C 524288 bytes

---- EOF - GMER 2.2 ----