GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-24 16:41:47
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000022 WDC_WD5000LPCX-24C6HT0 rev.02.01A02 465,76GB
Running: c3dkq2tg.exe; Driver: C:\Users\Mariusz\AppData\Local\Temp\fxlyrpog.sys

---- User IAT/EAT - GMER 2.2 ----

IAT      C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4140] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!GetStockObject]       [7ffe22db006c]
IAT      C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2564] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GdiDllInitialize]    [7ffe22db002c]
IAT      C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2564] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GetStockObject]      [7ffe22db006c]
IAT      C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2564] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!GetStockObject]       [7ffe22db006c]
IAT      C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2564] @ C:\WINDOWS\SYSTEM32\dwrite.dll[ntdll.dll!NtAlpcConnectPort]   [7ffdac87404c] C:\Program Files (x86)\Google\Chrome\Application\53.0.2785.143\chrome_child.dll
IAT      C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GdiDllInitialize]    [7ffe22db002c]
IAT      C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GetStockObject]      [7ffe22db006c]
IAT      C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!GetStockObject]       [7ffe22db006c]
IAT      C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4040] @ C:\WINDOWS\SYSTEM32\dwrite.dll[ntdll.dll!NtAlpcConnectPort]   [7ffdac87404c] C:\Program Files (x86)\Google\Chrome\Application\53.0.2785.143\chrome_child.dll
IAT      C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3076] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GdiDllInitialize]    [7ffe22db002c]
IAT      C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3076] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GetStockObject]      [7ffe22db006c]
IAT      C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3076] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!GetStockObject]       [7ffe22db006c]
IAT      C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3076] @ C:\WINDOWS\SYSTEM32\dwrite.dll[ntdll.dll!NtAlpcConnectPort]   [7ffdac87404c] C:\Program Files (x86)\Google\Chrome\Application\53.0.2785.143\chrome_child.dll

---- Threads - GMER 2.2 ----

Thread   C:\WINDOWS\system32\csrss.exe [7556:3844]   fffff960009c42d0

---- Processes - GMER 2.2 ----

Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso30win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [7292]   000000006d5a0000
Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso40uiwin32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [7292]   000000006cf30000
Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso98win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [7292]   000000006cb30000
Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso99Lwin32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [7292]   000000006c580000
Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [7292]   000000006b6f0000
Library  C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\ACEOLEDB.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [7292]   0000000063d00000

---- Registry - GMER 2.2 ----

Reg      HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot@OfficeODC   ????????????????????? ????????????????????????????????????????r?????? ??????????????????????????????????????????? ????????^???????????????L?????????????s???? ??????????????????????????????????&????????????????????o???????????n??sl??aswHwid??Q??????????????1????C???????a??????????????????????$UserProfile$\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\*.fsf?$UserProfile$\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\*.fsd?$UserProfile$\Local Settings\Application Data\Office\16.0\OfficeFileCache\*.fsd?$UserProfile$\Local Settings\Application Data\Office\16.0\OfficeFileCache\*.fsf?$UserProfile$\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\LocalCacheFileEditManager\*.fsf?$UserProfile$\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\LocalCacheFileEditManager\*.fsd?$UserProfile$\Local Settings\Application Data\Office\16.0\OfficeFileCache\LocalCacheFileEditManager\*.fsd?$UserProfile$\Local Settings\Application Data\Office\16.0\OfficeFileCache\LocalCacheFileEditManager\*.fsf?$UserProfile$\AppDa
Reg      HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\BOE061D0_01_07DE_E5^39838BE016FD346DD8848B66E5E8B9EE@Timestamp   0x1E 0xF4 0x65 0xAD ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed   77241056
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime   178082134
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp   178079093
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp   178079093
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState   178081740
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime   2529
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp   0x99 0x96 0xD2 0x8A ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14741239197342280@SetupOperations   ???/?????/?0?0?????/???/????? ???????/???????????????????? ??????????????????????????/??????Package??&????@??????/???????????&?????t?#???????????&?????t?????????/??????????????????ve???????/???????????s?????/?????0?0?1?1?1??? ???????/?????/?????/??????????P?(??????????????????????????/?/?/?/?/?/?/?/?????????????v???v????????????????????????P??/????????h??_??\SystemRoot\system32\drivers\aswSnx.sys?ys??64???????/?????????e????aswSnx?v??????0??/??????p???FSFilter Virtualization??????????/??????????????FltMgr????????L??/???i?????ncr??avast! virtualization driver (aswSnx)???? ???????/?????/?????/?????????? ?????????srce???? ??/???????????e??aswSnx Instance?l\???/?????/???/????? ???????/???????????/???????????????????????e???????/???)??????137600???c???/?/????????????????s:?????/????? ???????/???????????/??????????T??? ??????428??? T??/???6??????rd??\??\C:\Program Files\AVAST Software\Avast????/?/????? P??/???8?????5-C??\??\C:\ProgramData\AVAST Software\Avast?on??? ???????/?????/?????/??????????N?)?????Pv?????????
Reg      HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14741246135152280@SetupOperations   ???/?????0?0?1?1?1??? ???????/?????/?????/??????????P?(??????????????????????????/?/?/?/?/?/?/?/?????????????v???v????????????????????????P??/????????h??_??\SystemRoot\system32\drivers\aswSnx.sys?ys??64???????/?????????e????aswSnx?v??????0??/??????p???FSFilter Virtualization??????????/??????????????FltMgr????????L??/???i?????ncr??avast! virtualization driver (aswSnx)???? ???????/?????/?????/?????????? ?????????srce???? ??/???????????e??aswSnx Instance?l\???/?????/???/????? ???????/???????????/???????????????????????e???????/???)??????137600???c???/?/????????????????s:?????/????? ???????/???????????/??????????T??? ??????428??? T??/???6??????rd??\??\C:\Program Files\AVAST Software\Avast????/?/????? P??/???8?????5-C??\??\C:\ProgramData\AVAST Software\Avast?on??? ???????/?????/?????/??????????N?)?????Pv???????????)???)???/?/?/?/?/?/?/?/????????????? ??te???????????g??????om????N??/???\????hogr??\SystemRoot\system32\drivers\aswSP.sys?ys????????/?????????e:\??aswSP?????6??/???e??po??FSFilter Security Enhancer?lic?
Reg      HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\2c337a3b9462
Reg      HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{78E3D79F-7FC2-4E2A-A44F-D499196FE97C}@DefunctTimestamp   0x55 0x4A 0x0B 0x58 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c4-f0-81-18-f6-db@ClientLocalPort   51567
Reg      HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c4-f0-81-18-f6-db@AddressCreationTimestamp   0xEA 0x31 0x1D 0x0E ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c4-f0-81-18-f6-db@TeredoAddress   2001:0:9d38:90d7:34c9:3690:da06:9c5d
Reg      HKLM\SYSTEM\CurrentControlSet\Services\monitor\Parameters\Wdf@TimeOfLastSqmLog   0xF8 0x62 0x28 0xAF ...
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch   6249
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch   4448
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS   1385
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{19AEDA03-169F-4646-8F7F-7B35F24AA281}@LeaseObtainedTime   1477222587
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{19AEDA03-169F-4646-8F7F-7B35F24AA281}@T1   1477265787
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{19AEDA03-169F-4646-8F7F-7B35F24AA281}@T2   1477298187
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{19AEDA03-169F-4646-8F7F-7B35F24AA281}@LeaseTerminatesTime   1477308987

---- Disk sectors - GMER 2.2 ----

Disk     \Device\Harddisk0\DR0   unknown MBR code

---- EOF - GMER 2.2 ----