GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-01-31 14:18:10
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000022 WDC_WD5000LPCX-24C6HT0 rev.02.01A02 465,76GB
Running: i6753n0l.exe; Driver: C:\Users\Mariusz\AppData\Local\Temp\fxlyrpog.sys

---- User IAT/EAT - GMER 2.2 ----

IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!GetStockObject]  [7ff8f6c4006c]
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort]  [7ff8c10b1ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5116] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!GetStockObject]  [7ff8f6c4006c]
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5812] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!GetStockObject]  [7ff8f6c4006c]
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5812] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort]  [7ff8c10b1ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5772] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!GetStockObject]  [7ff8f6c4006c]
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5772] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort]  [7ff8c10b1ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6200] @ C:\WINDOWS\system32\SHELL32.dll[USER32.dll!RegisterClassW]  [7ff8f6aa002c]
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6200] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!GetStockObject]  [7ff8f6c4006c]
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6200] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GdiDllInitialize]  [7ff8f6c4002c]
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6200] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GetStockObject]  [7ff8f6c4006c]
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6200] @ C:\WINDOWS\system32\SHLWAPI.dll[USER32.dll!RegisterClassW]  [7ff8f6aa002c]
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6200] @ C:\WINDOWS\system32\SHLWAPI.dll[GDI32.dll!GetStockObject]  [7ff8f6c4006c]
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6200] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!GetStockObject]  [7ff8f6c4006c]
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6200] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!GetStockObject]  [7ff8f6c4006c]
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6200] @ C:\WINDOWS\system32\ole32.dll[USER32.dll!RegisterClassW]  [7ff8f6aa002c]
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6200] @ C:\WINDOWS\system32\COMDLG32.dll[USER32.dll!RegisterClassW]  [7ff8f6aa002c]
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6200] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!GetStockObject]  [7ff8f6c4006c]
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6200] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort]  [7ff8c10b1ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6200] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll[GDI32.dll!GetStockObject]  [7ff8f6c4006c]
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6200] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8\COMCTL32.dll[USER32.dll!RegisterClassW]  [7ff8f6aa002c]
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6176] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort]  [7ff8c10b1ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [584:5956]  fffff960009552d0
Thread  C:\WINDOWS\Explorer.EXE [2912:1336]  00007ff8ca9c1fe0
Thread  C:\WINDOWS\Explorer.EXE [2912:3636]  00007ff8df519970
Thread  C:\WINDOWS\system32\rundll32.exe [4524:5292]  00007ff8d67a52f0
Thread  C:\Windows\System32\WWAHost.exe [2140:168]  00007ff8f4e11df0
Thread  C:\Windows\System32\WWAHost.exe [2140:4944]  00007ff8edeabf10
Thread  C:\Windows\System32\WWAHost.exe [2140:5124]  00007ff8f7620b70
Thread  C:\Windows\System32\WWAHost.exe [2140:3724]  00007ff8bb92bd10
Thread  C:\Windows\System32\WWAHost.exe [2140:4192]  00007ff8bb92aa60
Thread  C:\Windows\System32\WWAHost.exe [2140:5216]  00007ff8bb9157e0
Thread  C:\Windows\System32\WWAHost.exe [2140:2192]  00007ff8bb92aa60
Thread  C:\Windows\System32\WWAHost.exe [2140:4972]  00007ff8bb92aa60
Thread  C:\Windows\System32\WWAHost.exe [2140:3228]  00007ff8f7620b70
Thread  C:\Windows\System32\WWAHost.exe [2140:6064]  00007ff8f7620b70
Thread  C:\Windows\System32\WWAHost.exe [2140:1656]  00007ff8bba34b70
Thread  C:\Windows\System32\WWAHost.exe [2140:1128]  00007ff8d078b590
Thread  C:\Windows\System32\WWAHost.exe [2140:5860]  00007ff8d077f090
Thread  C:\Windows\System32\WWAHost.exe [2140:3240]  00007ff8d0776610
Thread  C:\Windows\System32\WWAHost.exe [2140:3744]  00007ff8f620a840

---- Processes - GMER 2.2 ----

Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso30win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [4108]  000000006d2e0000
Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso40uiwin32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [4108]  000000006cc50000
Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso98win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [4108]  000000006c3d0000
Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso99Lwin32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [4108]  000000006be60000
Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [4108]  000000006a020000
Library  C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\ACEOLEDB.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [4108]  000000006e570000

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\BOE061D0_01_07DE_E5^39838BE016FD346DD8848B66E5E8B9EE@Timestamp  0x3A 0xE6 0xE3 0xAB ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  1657229083
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime  5281777
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp  5278602
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp  5278602
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState  5280070
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime  1332
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp  0xCF 0x9B 0x1A 0x04 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14741239197342280@SetupOperations  [binary value; non-printable bytes were rendered as "?" in the log and are omitted here. Readable strings in the value: "Reverted", "\SystemRoot\system32\drivers\aswSnx.sys", "aswSnx", "FSFilter Virtualization", "FltMgr", "avast! virtualization driver (aswSnx)", "aswSnx Instance", "137600", "428", "\C:\Program Files\AVAST Software\Ava" (cut off in the log)]
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14741246135152280@SetupOperations  [binary value; non-printable bytes were rendered as "?" in the log and are omitted here. Readable strings in the value: "\SystemRoot\system32\drivers\aswSnx.sys", "aswSnx", "FSFilter Virtualization", "FltMgr", "avast! virtualization driver (aswSnx)", "aswSnx Instance", "137600", "428", "\C:\Program Files\AVAST Software\Avast", "\C:\ProgramData\AVAST Software\Avast", "\SystemRoot\system32\drivers\aswSP.sys", "aswSP"]
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\2c337a3b9462
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rtop@DisplayName  ByteFence Security Real-time Protection
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  6799
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  5443
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS  1279
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{19AEDA03-169F-4646-8F7F-7B35F24AA281}@LeaseObtainedTime  1485862773
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{19AEDA03-169F-4646-8F7F-7B35F24AA281}@T1  1485905973
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{19AEDA03-169F-4646-8F7F-7B35F24AA281}@T2  1485938373
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{19AEDA03-169F-4646-8F7F-7B35F24AA281}@LeaseTerminatesTime  1485949173
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@PolicyDocumentLastRefresh  0xC7 0x0A 0x35 0x8E ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest  0xC5 0xDB 0x3C 0x56 ...

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----
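The log above is raw tool output with no commentary, so here is an added triage helper written for this page; it is not part of GMER and not the poster's material. It parses the GMER sections that carry findings (User IAT/EAT, Processes, Disk sectors) and rates each entry: an IAT hook whose resolved target lives in the hooked program's own vetted install directory (chrome_child.dll inside chrome.exe) is rated "info", a hook with no resolved target or a GMER-flagged library outside a vetted directory is sent for review, and "unknown MBR code" always goes to review. The VETTED directory table, the severity labels and the last IAT line of the sample (the `hook.dll` entry) are assumptions and constructed test input, not from the log; the other sample lines are copied from it.

```python
"""Triage a GMER 2.2 text log: parse its sections and rate each finding."""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>.+?)"
    r"\[(?P<imp>[^\]]+)\]\s+\[(?P<addr>[0-9a-fA-F]+)\](?:\s+(?P<target>\S.*))?$"
)
LIB_RE = re.compile(
    r"^Library\s+(?P<lib>.+?)(?:\s+\((?P<flag>\*\*\* suspicious \*\*\*)\))?"
    r"\s+@\s+(?P<proc>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>[0-9a-fA-F]+)$"
)
DISK_RE = re.compile(r"^Disk\s+(?P<dev>\S+)\s+(?P<note>.+)$")

# ASSUMPTION: directories an analyst has already vetted for a given host
# process. A hook target or flagged library under one of these prefixes is
# the application's own code; anything else needs a human look.
VETTED = {
    "chrome.exe": (r"c:\program files (x86)\google\chrome\application",),
    "csisyncclient.exe": (r"c:\program files (x86)\common files\microsoft shared\office16",),
}

# Constructed sample: lines copied from the log above, plus one made-up
# IAT line at the end (hook.dll) that is NOT in the log and exists only to
# exercise the "high" path.
SAMPLE_LOG = r"""
GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-01-31 14:18:10

---- User IAT/EAT - GMER 2.2 ----

IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] @ C:\WINDOWS\system32\MSCTF.dll[GDI32.dll!GetStockObject]  [7ff8f6c4006c]
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort]  [7ff8c10b1ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6200] @ C:\WINDOWS\system32\SHELL32.dll[USER32.dll!RegisterClassW]  [7ff8f6aa002c]
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6176] @ C:\WINDOWS\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort]  [7ff8c10b1ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll
IAT  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5628] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GetStockObject]  [00007ff8c0de0000] C:\Users\Public\hook.dll

---- Processes - GMER 2.2 ----

Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [4108] 000000006a020000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\ACEOLEDB.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [4108] 000000006e570000

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----
"""


@dataclass
class Finding:
    section: str
    severity: str  # "info", "review" or "high"
    detail: str


def parse_sections(text):
    """Split a GMER log into {section name: [non-empty lines]}."""
    sections, current = {"header": []}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_vetted(proc, path):
    """True if `path` sits under a directory vetted for the host process."""
    return any(path.lower().startswith(p) for p in VETTED.get(_basename(proc), ()))


def triage(text):
    findings, sections = [], parse_sections(text)
    for line in sections.get("User IAT/EAT", []):
        m = IAT_RE.match(line)
        if not m:
            findings.append(Finding("User IAT/EAT", "review", "unparsed entry: " + line))
            continue
        proc, target = m["proc"], m["target"]
        if target is None:  # GMER could not map the address to a module
            sev, why = "review", "target not resolved; map address against loaded modules"
        elif is_vetted(proc, target):
            sev, why = "info", "target is the process's own vetted module"
        else:
            sev, why = "high", "target outside vetted directories"
        findings.append(Finding("User IAT/EAT", sev,
                                f"{_basename(proc)}[{m['pid']}] {m['imp']} -> {target or m['addr']}: {why}"))
    for line in sections.get("Processes", []):
        m = LIB_RE.match(line)
        if not m or not m["flag"]:  # only libraries GMER itself flagged
            continue
        sev = "info" if is_vetted(m["proc"], m["lib"]) else "high"
        findings.append(Finding("Processes", sev, f"{_basename(m['proc'])}[{m['pid']}] loads {m['lib']}"))
    for line in sections.get("Disk sectors", []):
        m = DISK_RE.match(line)
        if m and "unknown MBR code" in m["note"]:
            findings.append(Finding("Disk sectors", "review",
                                    f"{m['dev']}: non-standard boot code; dump sector 0 and diff against a known-good MBR"))
    return findings


def count_by_severity(findings):
    counts = {"info": 0, "review": 0, "high": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
    print(count_by_severity(triage(SAMPLE_LOG)))
```

The ratings are a starting point, not a verdict: an "info" hook only means the target module belongs to the application that was hooked (here Chrome's own chrome_child.dll patching an ntdll import inside its process), the unresolved GetStockObject/RegisterClassW addresses still have to be mapped against the loaded-module list before they are dismissed, and "unknown MBR code" is settled only by reading sector 0 of \Device\Harddisk0\DR0 and comparing it with stock boot code.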