GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-23 11:08:26 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000030 HGST_HTS545050A7E380 rev.GG2OAC90 465,76GB Running: 32tk32lx.exe; Driver: C:\Users\ULA\AppData\Local\Temp\afrdipoc.sys ---- User code sections - GMER 2.2 ---- .text C:\WINDOWS\system32\dwm.exe[452] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007fffeb23b4e0 10 bytes JMP 00007fffe9ee0420 .text C:\WINDOWS\system32\dwm.exe[452] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007fffeb252a60 5 bytes JMP 00007fffe9ee03b0 .text C:\WINDOWS\system32\dwm.exe[452] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007fffeb2565c0 7 bytes JMP 00007fffe9ee0458 .text C:\WINDOWS\system32\dwm.exe[452] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007fffeb2567a0 5 bytes JMP 00007fffe9ee03e8 .text C:\WINDOWS\system32\dwm.exe[452] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007fffeb258960 9 bytes JMP 00007fffe9ee0378 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1408] C:\WINDOWS\system32\combase.dll!CoSetProxyBlanket 00007fffeae15b60 5 bytes JMP 00007fffe9ee07a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1408] C:\WINDOWS\system32\combase.dll!CoCreateInstance 00007fffeae3fb40 5 bytes JMP 00007fffe9ee0768 .text C:\WINDOWS\system32\sihost.exe[3144] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007fffe9efc960 5 bytes JMP 00007fffe9ee0180 .text C:\WINDOWS\system32\sihost.exe[3144] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007fffe9f0c610 6 bytes JMP 00007fffe9ee0148 .text C:\WINDOWS\system32\sihost.exe[3144] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007fffe9f2c8e0 5 bytes JMP 00007fffe9ee00d8 .text C:\WINDOWS\system32\sihost.exe[3144] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007fffe9f41430 5 bytes JMP 00007fffe9ee01b8 .text C:\WINDOWS\system32\sihost.exe[3144] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007fffe9f46ae0 5 bytes JMP 00007fffe9ee0110 .text C:\Windows\System32\SystemSettingsBroker.exe[3380] C:\WINDOWS\system32\combase.dll!CoSetProxyBlanket 00007fffeae15b60 5 bytes JMP 00007fffe9ee07a0 .text C:\Windows\System32\SystemSettingsBroker.exe[3380] C:\WINDOWS\system32\combase.dll!CoCreateInstance 00007fffeae3fb40 5 bytes JMP 00007fffe9ee0768 ? C:\WINDOWS\system32\apphelp.dll [7076] entry point in ".rdata" section 0000000072de0380 ? C:\WINDOWS\SYSTEM32\iertutil.dll [7076] entry point in ".rdata" section 0000000072d0d7a0 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [7076] entry point in ".rdata" section 0000000070b28fa0 ? C:\Windows\SYSTEM32\ieproxy.dll [7076] entry point in ".rdata" section 0000000070a39290 ? C:\Windows\SYSTEM32\ActXPrxy.dll [7076] entry point in ".rdata" section 000000006fb5bd10 .text C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.722.10060.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe[9752] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007fffe9efc960 5 bytes JMP 00007fffe9ee0180 .text C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.722.10060.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe[9752] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007fffe9f0c610 6 bytes JMP 00007fffe9ee0148 .text C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.722.10060.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe[9752] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007fffe9f2c8e0 5 bytes JMP 00007fffe9ee00d8 .text C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.722.10060.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe[9752] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007fffe9f41430 5 bytes JMP 00007fffe9ee01b8 .text C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.722.10060.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe[9752] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007fffe9f46ae0 5 bytes JMP 00007fffe9ee0110 .text C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.722.10060.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe[9752] C:\WINDOWS\SYSTEM32\dxgi.dll!CreateDXGIFactory 00007fffe7006270 5 bytes JMP 00007fffe6ff00d8 .text C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.722.10060.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe[9752] C:\WINDOWS\SYSTEM32\dxgi.dll!CreateDXGIFactory1 00007fffe70063d0 5 bytes JMP 00007fffe6ff0110 ? C:\WINDOWS\system32\apphelp.dll [5252] entry point in ".rdata" section 0000000072de0380 .text C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1608.2213.0_x64__8wekyb3d8bbwe\Calculator.exe[11776] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007fffe9efc960 5 bytes JMP 00007fffe9ee0180 .text C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1608.2213.0_x64__8wekyb3d8bbwe\Calculator.exe[11776] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007fffe9f0c610 6 bytes JMP 00007fffe9ee0148 .text C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1608.2213.0_x64__8wekyb3d8bbwe\Calculator.exe[11776] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007fffe9f2c8e0 5 bytes JMP 00007fffe9ee00d8 .text C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1608.2213.0_x64__8wekyb3d8bbwe\Calculator.exe[11776] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007fffe9f41430 5 bytes JMP 00007fffe9ee01b8 .text C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1608.2213.0_x64__8wekyb3d8bbwe\Calculator.exe[11776] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007fffe9f46ae0 5 bytes JMP 00007fffe9ee0110 .text C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1608.2213.0_x64__8wekyb3d8bbwe\Calculator.exe[11776] C:\WINDOWS\SYSTEM32\dxgi.dll!CreateDXGIFactory 00007fffe7006270 5 bytes JMP 00007fffe6ff00d8 .text C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1608.2213.0_x64__8wekyb3d8bbwe\Calculator.exe[11776] C:\WINDOWS\SYSTEM32\dxgi.dll!CreateDXGIFactory1 00007fffe70063d0 5 bytes JMP 00007fffe6ff0110 .text C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe[10824] C:\WINDOWS\SYSTEM32\dxgi.dll!CreateDXGIFactory 00007fffe7006270 5 bytes JMP 00007fffe6ff00d8 .text C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe[10824] C:\WINDOWS\SYSTEM32\dxgi.dll!CreateDXGIFactory1 00007fffe70063d0 5 bytes JMP 00007fffe6ff0110 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007fffecfe8ca0 5 bytes JMP 00007fff6d1b075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrLoadDll 00007fffecff0b30 5 bytes JMP 00007fff6d1b03a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007fffed0855d0 16 bytes {MOV RAX, 0x7fffe08e2f54; JMP RAX} .text C:\Users\ULA\Downloads\FRST64.exe[3264] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007fffe9efc960 5 bytes JMP 00007fffe9ee0180 .text C:\Users\ULA\Downloads\FRST64.exe[3264] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007fffe9f0c610 6 bytes JMP 00007fffe9ee0148 .text C:\Users\ULA\Downloads\FRST64.exe[3264] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007fffe9f2c8e0 5 bytes JMP 00007fffe9ee00d8 .text C:\Users\ULA\Downloads\FRST64.exe[3264] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007fffe9f41430 5 bytes JMP 00007fffe9ee01b8 .text C:\Users\ULA\Downloads\FRST64.exe[3264] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007fffe9f46ae0 5 bytes JMP 00007fffe9ee0110 .text C:\Users\ULA\Downloads\FRST64.exe[3264] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007fffeb23b4e0 10 bytes JMP 00007fffe9ee0420 .text C:\Users\ULA\Downloads\FRST64.exe[3264] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007fffeb252a60 5 bytes JMP 00007fffe9ee03b0 .text C:\Users\ULA\Downloads\FRST64.exe[3264] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007fffeb2565c0 7 bytes JMP 00007fffe9ee0458 .text C:\Users\ULA\Downloads\FRST64.exe[3264] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007fffeb2567a0 5 bytes JMP 00007fffe9ee03e8 .text C:\Users\ULA\Downloads\FRST64.exe[3264] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007fffeb258960 9 bytes JMP 00007fffe9ee0378 ? C:\WINDOWS\system32\apphelp.dll [4176] entry point in ".rdata" section 0000000072de0380 ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9784] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ffff324002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9784] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9784] @ C:\WINDOWS\system32\SHELL32.dll[USER32.dll!RegisterClassW] [7ffff163002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9784] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9784] @ C:\WINDOWS\system32\shlwapi.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9784] @ C:\WINDOWS\system32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ffff163002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9784] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9784] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9784] @ C:\WINDOWS\system32\ole32.dll[USER32.dll!RegisterClassW] [7ffff163002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9784] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.494_none_a2d8b04ea53e3145\COMCTL32.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9784] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.494_none_a2d8b04ea53e3145\COMCTL32.dll[USER32.dll!RegisterClassW] [7ffff163002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[9784] @ C:\WINDOWS\SYSTEM32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7fffc69c8ce4] C:\Program Files (x86)\Google\Chrome\Application\53.0.2785.116\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3212] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ffff324002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3212] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3212] @ C:\WINDOWS\system32\SHELL32.dll[USER32.dll!RegisterClassW] [7ffff163002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3212] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3212] @ C:\WINDOWS\system32\shlwapi.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3212] @ C:\WINDOWS\system32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ffff163002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3212] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3212] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3212] @ C:\WINDOWS\system32\ole32.dll[USER32.dll!RegisterClassW] [7ffff163002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3212] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.494_none_a2d8b04ea53e3145\COMCTL32.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3212] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.494_none_a2d8b04ea53e3145\COMCTL32.dll[USER32.dll!RegisterClassW] [7ffff163002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3092] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ffff324002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3092] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3092] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3092] @ C:\WINDOWS\system32\ole32.dll[USER32.dll!RegisterClassW] [7ffff163002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3092] @ C:\WINDOWS\SYSTEM32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7fffc69c8ce4] C:\Program Files (x86)\Google\Chrome\Application\53.0.2785.116\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5568] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ffff324002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5568] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5568] @ C:\WINDOWS\system32\SHELL32.dll[USER32.dll!RegisterClassW] [7ffff163002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5568] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5568] @ C:\WINDOWS\system32\shlwapi.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5568] @ C:\WINDOWS\system32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ffff163002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5568] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5568] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.494_none_a2d8b04ea53e3145\COMCTL32.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5568] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.494_none_a2d8b04ea53e3145\COMCTL32.dll[USER32.dll!RegisterClassW] [7ffff163002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5568] @ C:\WINDOWS\SYSTEM32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7fffc69c8ce4] C:\Program Files (x86)\Google\Chrome\Application\53.0.2785.116\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11396] @ C:\WINDOWS\SYSTEM32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7fffc69c8ce4] C:\Program Files (x86)\Google\Chrome\Application\53.0.2785.116\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11444] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ffff324002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11444] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11444] @ C:\WINDOWS\system32\SHELL32.dll[USER32.dll!RegisterClassW] [7ffff163002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11444] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11444] @ C:\WINDOWS\system32\shlwapi.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11444] @ C:\WINDOWS\system32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ffff163002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11444] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11444] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11444] @ C:\WINDOWS\system32\ole32.dll[USER32.dll!RegisterClassW] [7ffff163002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11444] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.494_none_a2d8b04ea53e3145\COMCTL32.dll[GDI32.dll!GetStockObject] [7ffff324006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11444] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.494_none_a2d8b04ea53e3145\COMCTL32.dll[USER32.dll!RegisterClassW] [7ffff163002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[11444] @ C:\WINDOWS\SYSTEM32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7fffc69c8ce4] C:\Program Files (x86)\Google\Chrome\Application\53.0.2785.116\chrome_child.dll ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [696:5360] fffff960a9914030 ---- Services - GMER 2.2 ---- Service E:\Programy\DAEMON Tools Lite\DiscSoftBusService.exe (*** hidden *** ) [MANUAL] Disc Soft Lite Bus Service <-- ROOTKIT !!! ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SEC544B0_00_07DB_07^79AD4A6A0CD435C44926504656A9D5EF@Timestamp 0x5E 0x4E 0x17 0xC1 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Program Files\AVAST Software\Avast\setup\New_c0308e8\aswOfferTool.exe??\??\C:\Program Files\AVAST Software\Avast\setup\New_c0308e8\avBugReport.exe??\??\C:\Program Files\AVAST Software\Avast\setup\New_c0308e8\AvDump32.exe??\??\C:\Program Files\AVAST Software\Avast\setup\New_c0308e8\AvDump64.exe??\??\C:\Program Files\AVAST Software\Avast\setup\New_c0308e8\HTMLayout.dll??\??\C:\Program Files\AVAST Software\Avast\setup\New_c0308e8\Instup.dll??\??\C:\Program Files\AVAST Software\Avast\setup\New_c0308e8\instup.exe??\??\C:\Program Files\AVAST Software\Avast\setup\New_c0308e8\??\??\C:\Users\ULA\AppData\Local\Temp\_iu14D2N.tmp??\??\C:\ProgramData\Microsoft Help\Rgstrtn.lck??\??\C:\ProgramData\Microsoft Help\Rgstrtn.lck??\??\C:\Config.Msi\f7a530f.rbf??\??\C:\Config.Msi\f7a534a.rbf??\??\C:\Config.Msi\f7a534b.rbf??\??\C:\ProgramData\Microsoft Help\Rgstrtn.lck??\??\C:\ProgramData\Microsoft Help\Rgstrtn.lck??\??\E:\Config.Msi\f7a537d.rbf??\??\C:\ProgramData\Microsoft Help\Rgstrtn.lck??\??\E:\Config.Msi\f7a538a.rbf? Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -499901743 Reg HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\UnitedVideo\CONTROL\VIDEO\{9408753F-0B58-485C-9C1A-1CED1BC1BF33}\0000@DefaultSettings.XResolution 1600 Reg HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\UnitedVideo\CONTROL\VIDEO\{9408753F-0B58-485C-9C1A-1CED1BC1BF33}\0000@DefaultSettings.YResolution 900 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\dca97114f608 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\dca97114f608@94d771125594 0xB9 0xE1 0x26 0x10 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\dca97114f608@68a0f606ab51 0x5F 0xB4 0xD5 0xB8 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings Reg HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service Reg HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@Type 16 Reg HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@ImagePath "E:\Programy\DAEMON Tools Lite\DiscSoftBusService.exe" Reg HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@DisplayName Disc Soft Lite Bus Service Reg HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@DependOnService RPCSS? Reg HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\Services\Disc Soft Lite Bus Service Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 7401 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 2326 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{845ed8dd-4095-4afc-b08c-e80f7e794f05}@LeaseObtainedTime 1474577335 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{845ed8dd-4095-4afc-b08c-e80f7e794f05}@T1 1632257335 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{845ed8dd-4095-4afc-b08c-e80f7e794f05}@T2 1750517335 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{845ed8dd-4095-4afc-b08c-e80f7e794f05}@LeaseTerminatesTime 1789937335 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeConfidence 6 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x54 0x8D 0x3C 0x48 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x54 0xF5 0x00 0xAA ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x54 0x25 0x78 0xE6 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0xF7 0xA8 0xA1 0x2F ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@RwMask 0x64 0x62 0x03 0x00 ... ---- Files - GMER 2.2 ---- File C:\avast! sandbox 0 bytes File C:\avast! sandbox\S-1-5-21-3731761838-2529421182-3744087246-1001 0 bytes File C:\avast! sandbox\S-1-5-21-3731761838-2529421182-3744087246-1001\r28 0 bytes File C:\avast! sandbox\S-1-5-21-3731761838-2529421182-3744087246-1001\r28\Lavenders Botanicals_{66b18793-7a88-11e6-9bde-e811329a4ada} 0 bytes File C:\avast! sandbox\snx_rhive 16384 bytes File C:\avast! sandbox\snx_rhive.LOG1 16384 bytes File C:\avast! sandbox\snx_rhive.LOG2 12288 bytes File C:\avast! sandbox\snx_rhive{66b17506-7a88-11e6-9bde-e811329a4ada}.TM.blf 65536 bytes File C:\avast! sandbox\snx_rhive{66b17506-7a88-11e6-9bde-e811329a4ada}.TMContainer00000000000000000001.regtrans-ms 524288 bytes File C:\avast! sandbox\snx_rhive{66b17506-7a88-11e6-9bde-e811329a4ada}.TMContainer00000000000000000002.regtrans-ms 524288 bytes File C:\Users\ULA\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00632d 44516 bytes ---- EOF - GMER 2.2 ----