GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-12-09 10:55:16
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000042 SanDisk_SDSSDA120G rev.U21010RL 111,79GB
Running: g2ugbqi5.exe; Driver: C:\Users\biartyy\AppData\Local\Temp\fxldqpob.sys

---- User code sections - GMER 2.2 ----

.text C:\Windows\system32\taskhostex.exe[1840] C:\Windows\system32\KERNEL32.DLL!LoadLibraryW 00007ff9d01c17e0 5 bytes JMP 00007ff9d01a0f8e
.text C:\Windows\system32\taskhostex.exe[1840] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExW 00007ff9d01c2aa0 5 bytes JMP 00007ff9d01a0f0e
.text C:\Windows\system32\taskhostex.exe[1840] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExA 00007ff9d01c2ac0 5 bytes JMP 00007ff9d01a0f4e
.text C:\Windows\system32\taskhostex.exe[1840] C:\Windows\system32\KERNEL32.DLL!LoadLibraryA 00007ff9d01c4960 5 bytes JMP 00007ff9d01a0fce
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3376] C:\Windows\system32\KERNEL32.DLL!LoadLibraryW 00007ff9d01c17e0 5 bytes JMP 00007ff9d01a0f8e
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3376] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExW 00007ff9d01c2aa0 5 bytes JMP 00007ff9d01a0f0e
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3376] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExA 00007ff9d01c2ac0 5 bytes JMP 00007ff9d01a0f4e
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3376] C:\Windows\system32\KERNEL32.DLL!LoadLibraryA 00007ff9d01c4960 5 bytes JMP 00007ff9d01a0fce
.text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4536] C:\Windows\system32\KERNEL32.DLL!LoadLibraryW 00007ff9d01c17e0 5 bytes JMP 00007ff9d01b0f93
.text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4536] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExW 00007ff9d01c2aa0 5 bytes JMP 00007ff9d01b0f07
.text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4536] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExA 00007ff9d01c2ac0 5 bytes JMP 00007ff9d01b0f47
.text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4536] C:\Windows\system32\KERNEL32.DLL!LoadLibraryA 00007ff9d01c4960 5 bytes JMP 00007ff9d01b0fd3
.text C:\Program Files\Logitech Gaming Software\LCore.exe[5036] C:\Windows\system32\KERNEL32.DLL!LoadLibraryW 00007ff9d01c17e0 5 bytes JMP 00007ff9d01a0f8e
.text C:\Program Files\Logitech Gaming Software\LCore.exe[5036] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExW 00007ff9d01c2aa0 5 bytes JMP 00007ff9d01a0f0e
.text C:\Program Files\Logitech Gaming Software\LCore.exe[5036] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExA 00007ff9d01c2ac0 5 bytes JMP 00007ff9d01a0f4e
.text C:\Program Files\Logitech Gaming Software\LCore.exe[5036] C:\Windows\system32\KERNEL32.DLL!LoadLibraryA 00007ff9d01c4960 5 bytes JMP 00007ff9d01a0fce
.text C:\Program Files\iTunes\iTunesHelper.exe[4924] C:\Windows\system32\KERNEL32.DLL!LoadLibraryW 00007ff9d01c17e0 5 bytes JMP 00007ff9d01a0f8e
.text C:\Program Files\iTunes\iTunesHelper.exe[4924] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExW 00007ff9d01c2aa0 5 bytes JMP 00007ff9d01a0f0e
.text C:\Program Files\iTunes\iTunesHelper.exe[4924] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExA 00007ff9d01c2ac0 5 bytes JMP 00007ff9d01a0f4e
.text C:\Program Files\iTunes\iTunesHelper.exe[4924] C:\Windows\system32\KERNEL32.DLL!LoadLibraryA 00007ff9d01c4960 5 bytes JMP 00007ff9d01a0fce
.text C:\Program Files\ESET\ESET Smart Security\egui.exe[5096] C:\Windows\system32\KERNEL32.DLL!LoadLibraryW 00007ff9d01c17e0 5 bytes JMP 00007ff9d01a0f8e
.text C:\Program Files\ESET\ESET Smart Security\egui.exe[5096] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExW 00007ff9d01c2aa0 5 bytes JMP 00007ff9d01a0f0e
.text C:\Program Files\ESET\ESET Smart Security\egui.exe[5096] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExA 00007ff9d01c2ac0 5 bytes JMP 00007ff9d01a0f4e
.text C:\Program Files\ESET\ESET Smart Security\egui.exe[5096] C:\Windows\system32\KERNEL32.DLL!LoadLibraryA 00007ff9d01c4960 5 bytes JMP 00007ff9d01a0fce
.text C:\Program Files\NVIDIA Corporation\ShadowPlay\nvspcaps64.exe[2156] C:\Windows\system32\KERNEL32.DLL!LoadLibraryW 00007ff9d01c17e0 5 bytes JMP 00007ff9d01a0f8e
.text C:\Program Files\NVIDIA Corporation\ShadowPlay\nvspcaps64.exe[2156] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExW 00007ff9d01c2aa0 5 bytes JMP 00007ff9d01a0f0e
.text C:\Program Files\NVIDIA Corporation\ShadowPlay\nvspcaps64.exe[2156] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExA 00007ff9d01c2ac0 5 bytes JMP 00007ff9d01a0f4e
.text C:\Program Files\NVIDIA Corporation\ShadowPlay\nvspcaps64.exe[2156] C:\Windows\system32\KERNEL32.DLL!LoadLibraryA 00007ff9d01c4960 5 bytes JMP 00007ff9d01a0fce
.text C:\Program Files\iTunes\iTunes.exe[5416] C:\Windows\system32\KERNEL32.DLL!LoadLibraryW 00007ff9d01c17e0 5 bytes JMP 00007ff9cfca0f8e
.text C:\Program Files\iTunes\iTunes.exe[5416] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExW 00007ff9d01c2aa0 5 bytes JMP 00007ff9cfca0f0e
.text C:\Program Files\iTunes\iTunes.exe[5416] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExA 00007ff9d01c2ac0 5 bytes JMP 00007ff9cfca0f4e
.text C:\Program Files\iTunes\iTunes.exe[5416] C:\Windows\system32\KERNEL32.DLL!LoadLibraryA 00007ff9d01c4960 5 bytes JMP 00007ff9cfca0fce
.text C:\Program Files\CCleaner\CCleaner64.exe[5972] C:\Windows\system32\KERNEL32.DLL!LoadLibraryW 00007ff9d01c17e0 5 bytes JMP 00007ff9d01a0f8e
.text C:\Program Files\CCleaner\CCleaner64.exe[5972] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExW 00007ff9d01c2aa0 5 bytes JMP 00007ff9d01a0f0e
.text C:\Program Files\CCleaner\CCleaner64.exe[5972] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExA 00007ff9d01c2ac0 5 bytes JMP 00007ff9d01a0f4e
.text C:\Program Files\CCleaner\CCleaner64.exe[5972] C:\Windows\system32\KERNEL32.DLL!LoadLibraryA 00007ff9d01c4960 5 bytes JMP 00007ff9d01a0fce
.text C:\Program Files\CCleaner\CCleaner64.exe[5972] C:\Windows\system32\USER32.dll!ShowScrollBar 00007ff9ce251150 5 bytes JMP 00007ff94e2c0018
.text C:\Program Files\CCleaner\CCleaner64.exe[5972] C:\Windows\system32\USER32.dll!SetScrollInfo 00007ff9ce25c770 5 bytes JMP 00007ff94e270018
.text C:\Program Files\CCleaner\CCleaner64.exe[5972] C:\Windows\system32\USER32.dll!GetScrollInfo 00007ff9ce2666f0 5 bytes JMP 00007ff94e280018
.text C:\Program Files\CCleaner\CCleaner64.exe[5972] C:\Windows\system32\USER32.dll!SetScrollRange 00007ff9ce2690c0 5 bytes JMP 00007ff94e290018
.text C:\Program Files\CCleaner\CCleaner64.exe[5972] C:\Windows\system32\USER32.dll!SetScrollPos 00007ff9ce2850d0 5 bytes JMP 00007ff94e300018
.text C:\Program Files\CCleaner\CCleaner64.exe[5972] C:\Windows\system32\USER32.dll!EnableScrollBar 00007ff9ce287340 5 bytes JMP 00007ff94e2a0018
.text C:\Program Files\CCleaner\CCleaner64.exe[5972] C:\Windows\system32\USER32.dll!GetScrollPos 00007ff9ce28fcc0 5 bytes JMP 00007ff94e2b0018
.text C:\Program Files\CCleaner\CCleaner64.exe[5972] C:\Windows\system32\USER32.dll!GetScrollRange 00007ff9ce2ded20 5 bytes JMP 00007ff94e2f0018
.text C:\Windows\system32\conhost.exe[4340] C:\Windows\system32\KERNEL32.DLL!LoadLibraryW 00007ff9d01c17e0 5 bytes JMP 00007ff9d01a0f8e
.text C:\Windows\system32\conhost.exe[4340] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExW 00007ff9d01c2aa0 5 bytes JMP 00007ff9d01a0f0e
.text C:\Windows\system32\conhost.exe[4340] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExA 00007ff9d01c2ac0 5 bytes JMP 00007ff9d01a0f4e
.text C:\Windows\system32\conhost.exe[4340] C:\Windows\system32\KERNEL32.DLL!LoadLibraryA 00007ff9d01c4960 5 bytes JMP 00007ff9d01a0fce
.text C:\Program Files\Killer Networking\Network Manager\NetworkManager.exe[5396] C:\Windows\system32\KERNEL32.dll!LoadLibraryW 00007ff9d01c17e0 5 bytes JMP 00007ff9d01a0f8e
.text C:\Program Files\Killer Networking\Network Manager\NetworkManager.exe[5396] C:\Windows\system32\KERNEL32.dll!LoadLibraryExW 00007ff9d01c2aa0 5 bytes JMP 00007ff9d01a0f0e
.text C:\Program Files\Killer Networking\Network Manager\NetworkManager.exe[5396] C:\Windows\system32\KERNEL32.dll!LoadLibraryExA 00007ff9d01c2ac0 5 bytes JMP 00007ff9d01a0f4e
.text C:\Program Files\Killer Networking\Network Manager\NetworkManager.exe[5396] C:\Windows\system32\KERNEL32.dll!LoadLibraryA 00007ff9d01c4960 5 bytes JMP 00007ff9d01a0fce
.text C:\Program Files (x86)\Common Files\Portrait Displays\Shared\HookManager.exe[6196] C:\Windows\system32\KERNEL32.DLL!LoadLibraryW 00007ff9d01c17e0 5 bytes JMP 00007ff9d01a0f8e
.text C:\Program Files (x86)\Common Files\Portrait Displays\Shared\HookManager.exe[6196] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExW 00007ff9d01c2aa0 5 bytes JMP 00007ff9d01a0f0e
.text C:\Program Files (x86)\Common Files\Portrait Displays\Shared\HookManager.exe[6196] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExA 00007ff9d01c2ac0 5 bytes JMP 00007ff9d01a0f4e
.text C:\Program Files (x86)\Common Files\Portrait Displays\Shared\HookManager.exe[6196] C:\Windows\system32\KERNEL32.DLL!LoadLibraryA 00007ff9d01c4960 5 bytes JMP 00007ff9d01a0fce
.text C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe[6576] C:\Windows\system32\KERNEL32.DLL!LoadLibraryW 00007ff9d01c17e0 5 bytes JMP 00007ff9d01a0f8e
.text C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe[6576] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExW 00007ff9d01c2aa0 5 bytes JMP 00007ff9d01a0f0e
.text C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe[6576] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExA 00007ff9d01c2ac0 5 bytes JMP 00007ff9d01a0f4e
.text C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe[6576] C:\Windows\system32\KERNEL32.DLL!LoadLibraryA 00007ff9d01c4960 5 bytes JMP 00007ff9d01a0fce
.text G:\METAL WORKOUT\NEW#1\FRST64 (1).exe[1096] C:\Windows\system32\KERNEL32.DLL!LoadLibraryW 00007ff9d01c17e0 5 bytes JMP 00007ff9d01a0f8e
.text G:\METAL WORKOUT\NEW#1\FRST64 (1).exe[1096] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExW 00007ff9d01c2aa0 5 bytes JMP 00007ff9d01a0f0e
.text G:\METAL WORKOUT\NEW#1\FRST64 (1).exe[1096] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExA 00007ff9d01c2ac0 5 bytes JMP 00007ff9d01a0f4e
.text G:\METAL WORKOUT\NEW#1\FRST64 (1).exe[1096] C:\Windows\system32\KERNEL32.DLL!LoadLibraryA 00007ff9d01c4960 5 bytes JMP 00007ff9d01a0fce
.text C:\Windows\SYSTEM32\notepad.exe[2448] C:\Windows\system32\KERNEL32.DLL!LoadLibraryW 00007ff9d01c17e0 5 bytes JMP 00007ff9d01a0f8e
.text C:\Windows\SYSTEM32\notepad.exe[2448] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExW 00007ff9d01c2aa0 5 bytes JMP 00007ff9d01a0f0e
.text C:\Windows\SYSTEM32\notepad.exe[2448] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExA 00007ff9d01c2ac0 5 bytes JMP 00007ff9d01a0f4e
.text C:\Windows\SYSTEM32\notepad.exe[2448] C:\Windows\system32\KERNEL32.DLL!LoadLibraryA 00007ff9d01c4960 5 bytes JMP 00007ff9d01a0fce
.text C:\Windows\SYSTEM32\notepad.exe[7944] C:\Windows\system32\KERNEL32.DLL!LoadLibraryW 00007ff9d01c17e0 5 bytes JMP 00007ff9d01a0f8e
.text C:\Windows\SYSTEM32\notepad.exe[7944] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExW 00007ff9d01c2aa0 5 bytes JMP 00007ff9d01a0f0e
.text C:\Windows\SYSTEM32\notepad.exe[7944] C:\Windows\system32\KERNEL32.DLL!LoadLibraryExA 00007ff9d01c2ac0 5 bytes JMP 00007ff9d01a0f4e
.text C:\Windows\SYSTEM32\notepad.exe[7944] C:\Windows\system32\KERNEL32.DLL!LoadLibraryA 00007ff9d01c4960 5 bytes JMP 00007ff9d01a0fce

---- Threads - GMER 2.2 ----

Thread C:\Windows\system32\csrss.exe [652:756] fffff960008ae2d0

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x4A 0xBA 0xDF 0x31 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x01 0xCB 0x95 0xD0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x4A 0xBA 0xDF 0x31 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x01 0xCB 0x95 0xD0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 98
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\BNQ7F31B6F02054SL0_19_07DF_D4^87A598D3E45146BF4530C140AA0DB6A9@Timestamp 0x56 0xDB 0xD6 0x32 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 700
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -178028385
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 4b74b388-297f-4b62-945d-8f96ef9
Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{2b265b63-b59b-4bf7-9b06-9f6575ea360a}
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{1c679340-154c-4326-b242-67e373ea555a}@LastProbeTime 1481277055
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 4281
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 1895
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 94
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9C1C03D0-E553-4368-B42E-2C5E502DA7D2}@LeaseObtainedTime 1481274357
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9C1C03D0-E553-4368-B42E-2C5E502DA7D2}@T1 1481274657
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9C1C03D0-E553-4368-B42E-2C5E502DA7D2}@T2 1481274882
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9C1C03D0-E553-4368-B42E-2C5E502DA7D2}@LeaseTerminatesTime 1481274957
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter 196
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\iexplore@Count 22

---- EOF - GMER 2.2 ----