GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-09-05 16:08:51
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002d ST1000LM014-SSHD-8GB rev.LVD4 931,51GB
Running: cyu2uc4i.exe; Driver: C:\Users\MARTYN~1\AppData\Local\Temp\fxlyrpod.sys

---- User code sections - GMER 2.2 ----

? C:\WINDOWS\system32\apphelp.dll [1748] entry point in ".rdata" section 0000000073ef0380
? C:\WINDOWS\system32\apphelp.dll [2140] entry point in ".rdata" section 0000000073ef0380
? C:\WINDOWS\system32\apphelp.dll [2264] entry point in ".rdata" section 0000000073ef0380
? C:\WINDOWS\system32\apphelp.dll [2488] entry point in ".rdata" section 0000000073ef0380
? C:\WINDOWS\system32\apphelp.dll [2876] entry point in ".rdata" section 0000000073ef0380
? C:\WINDOWS\SYSTEM32\iertutil.dll [2876] entry point in ".rdata" section 000000007286d7a0
? C:\WINDOWS\system32\apphelp.dll [3980] entry point in ".rdata" section 0000000073ef0380
? C:\WINDOWS\system32\wbem\wbemsvc.dll [3980] entry point in ".rdata" section 000000006d8f8fa0
? C:\WINDOWS\SYSTEM32\iertutil.dll [3980] entry point in ".rdata" section 000000007286d7a0
? C:\WINDOWS\system32\apphelp.dll [2108] entry point in ".rdata" section 0000000073ef0380
? C:\WINDOWS\system32\apphelp.dll [1944] entry point in ".rdata" section 0000000073ef0380
? C:\WINDOWS\system32\apphelp.dll [4476] entry point in ".rdata" section 0000000073ef0380
? C:\WINDOWS\system32\wbem\wbemsvc.dll [4476] entry point in ".rdata" section 000000006d8f8fa0
? C:\Windows\SYSTEM32\iertutil.dll [4476] entry point in ".rdata" section 000000007286d7a0
? C:\Windows\SYSTEM32\ActXPrxy.dll [4476] entry point in ".rdata" section 000000006a02bd10
? C:\WINDOWS\system32\mssprxy.dll [4476] entry point in ".rdata" section 000000006861a4e0
? C:\WINDOWS\system32\apphelp.dll [7408] entry point in ".rdata" section 0000000073ef0380

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [640:684] fffff96011144030
Thread C:\WINDOWS\system32\svchost.exe [1488:3084] 00007fff997c1240
Thread C:\WINDOWS\system32\svchost.exe [1488:3132] 00007fff997529b0
Thread C:\WINDOWS\system32\svchost.exe [1488:3576] 00007fff9c253d30

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x62 0x68 0x61 0xDA ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x55 0x53 0xF1 0x9D ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x62 0x68 0x61 0xDA ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x55 0x53 0xF1 0x9D ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 48
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\BOE06100_01_07DE_04^62DF3EB62B57094435B2926B3BC51C22@Timestamp 0x35 0xE2 0x9B 0xDA ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 788
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1349553783
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID de714c66-90be-4c5c-8077-3b4ccc9
Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{6c5f6af7-6351-45dd-ba63-7815dd3af516}
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName Global\MMF_BITS_s
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\d07e35d6c314
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{b2f03d8f-f446-478a-bbfb-12147c1402d4}@LastProbeTime 1473087373
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_38289\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_38289\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_38289\TriggerInfo
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_38289\TriggerInfo\0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_38289\TriggerInfo\0@Type 7
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_38289\TriggerInfo\0@Action 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_38289\TriggerInfo\0@Guid 0x16 0x28 0x7A 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_38289\TriggerInfo\0@Data0 0x75 0x18 0xBC 0xA3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_38289\TriggerInfo\0@DataType0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_38289\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_38289\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_38289\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_38289\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?pon.?, ?wrz ?05 ?16, 02:59:21?????????????????????????????????
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 8931
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 3408
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 47
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b76f0937-0d23-4a67-aadb-27fee63a6f32}@LeaseObtainedTime 1473080172
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b76f0937-0d23-4a67-aadb-27fee63a6f32}@T1 1473081972
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b76f0937-0d23-4a67-aadb-27fee63a6f32}@T2 1473083322
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b76f0937-0d23-4a67-aadb-27fee63a6f32}@LeaseTerminatesTime 1473083772
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_38289\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_38289\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_38289\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_38289\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xC8 0xEE 0x63 0xA2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xC8 0x56 0x28 0x04 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xC8 0x86 0x9F 0x40 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0xAA 0x67 0x05 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\1@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\1@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\2@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\2@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\3@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\3@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@PolicyDocumentLastRefresh 0xE0 0x82 0x3B 0x61 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0x39 0x97 0x3B 0x61 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0x39 0x97 0x3B 0x61 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0x39 0x97 0x3B 0x61 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0x39 0x97 0x3B 0x61 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0xD8 0xED 0xD9 0x2A ...
Reg HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_igfxHK.exe_e6d28b21348c3b7c1c4bd222288477424765868_fed373c3_11490421
Reg HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles@CheckingForSolutionDialog 0x72 0x02 0x01 0x00 ...

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- Files - GMER 2.2 ----

File C:\Windows\SoftwareDistribution\SLS\Slot_00000001.save 3683150 bytes
File C:\Windows\SoftwareDistribution\SLS\Slot_00000001.save.ver0 3683680 bytes
File C:\Windows\SoftwareDistribution\SLS\Slot_00000001.save.ver1 3666807 bytes
File C:\Windows\SoftwareDistribution\SLS\Slot_00000001.save.ver2 3665497 bytes
File C:\Windows\SoftwareDistribution\SLS\Slot_00000001.save.ver3 3652923 bytes
File C:\Windows\SoftwareDistribution\SLS\Slot_00000001.save.ver4 3663615 bytes
File C:\Windows\SoftwareDistribution\SLS\Slot_00000002.save 4857392 bytes

---- EOF - GMER 2.2 ----