GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-03-10 19:08:49 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000021 ST310003 rev.SD1A 931,51GB Running: 0wg6impt.exe; Driver: C:\Users\WOJCIE~1\AppData\Local\Temp\fgldyuod.sys ---- User code sections - GMER 2.2 ---- ? C:\Windows\SYSTEM32\dbgcore.DLL [1560] entry point in ".rdata" section 000000007053c940 ? C:\Windows\system32\wbem\wbemsvc.dll [1560] entry point in ".rdata" section 0000000070338fc0 ? C:\Windows\SYSTEM32\iertutil.dll [1560] entry point in ".rdata" section 000000006d531590 ? C:\Windows\SYSTEM32\iertutil.dll [6952] entry point in ".rdata" section 000000006d531590 ? C:\Windows\system32\apphelp.dll [6952] entry point in ".rdata" section 000000006bb3f7c0 ? C:\Windows\system32\mssprxy.dll [6952] entry point in ".rdata" section 000000006b9da650 ? C:\Windows\SYSTEM32\iertutil.dll [6992] entry point in ".rdata" section 000000006d531590 ? C:\Windows\SYSTEM32\iertutil.dll [7016] entry point in ".rdata" section 000000006d531590 ? C:\Windows\system32\apphelp.dll [3728] entry point in ".rdata" section 000000006bb3f7c0 ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\csrss.exe [628:692] ffffaa5c3a136c20 Thread C:\Windows\system32\csrss.exe [628:700] ffffaa5c3a136c20 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control@LastBootShutdown 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x63 0xAD 0x19 0x5B ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x8B 0xF9 0x1D 0x66 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x63 0xAD 0x19 0x5B ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x8B 0xF9 0x1D 0x66 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 89 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\HWP2811CZQ83006X1_1E_07D8_77+GSM4B06167082_01_07D7_AA^342FD109F094118846CE6924690ECB76@Timestamp 0x10 0x8E 0x2B 0xB0 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 700 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 2873865 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1737407738 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 94 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 498796488 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 7376 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 01bcc2c6-0ad6-4c8c-ad0a-33cbc7c Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId 2 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\AmdK8\Parameters\Wdf@TimeOfLastTelemetryLog 0x6F 0xC3 0x02 0x2F ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName Global\MMF_BITS02237a21-301f-4c7f-9a61-6cf0bc8f0efb Reg HKLM\SYSTEM\CurrentControlSet\Services\cdrom\Parameters\Wdf@TimeOfLastTelemetryLog 0x3F 0xB6 0x46 0x2F ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x6F 0xC3 0x02 0x2F ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{50ce61d7-adbd-4bfc-ab32-69fa621b4607}@LastProbeTime 1489078445 Reg HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x3F 0xB6 0x46 0x2F ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{CCF0DD3E-7A91-4AEF-95F8-1FA71BD8EC6D}@InterfaceName Reusable ISATAP Interface {CCF0DD3E-7A91-4AEF-95F8-1FA71BD8EC6D} Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{CCF0DD3E-7A91-4AEF-95F8-1FA71BD8EC6D}@ReusableType 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Teredo\{35F166A9-95DA-4DE4-A419-1038E6510395} Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Teredo\{35F166A9-95DA-4DE4-A419-1038E6510395}@InterfaceName Teredo Tunneling Pseudo-Interface Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Teredo\{35F166A9-95DA-4DE4-A419-1038E6510395}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Teredo\{35F166A9-95DA-4DE4-A419-1038E6510395}@DeviceInstancePath SWD\IP_TUNNEL_VBUS\Teredo_Tunnel_Device Reg HKLM\SYSTEM\CurrentControlSet\Services\monitor\Parameters\Wdf@TimeOfLastTelemetryLog 0xF2 0xAE 0xEF 0x36 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\msisadrv\Parameters\Wdf@TimeOfLastTelemetryLog 0xD1 0xDD 0x04 0x1A ... Reg HKLM\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x98 0x18 0x49 0x2F ... Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Diagnostics@ReadyBootTrainingCountSinceLastServicing 24 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?czw.?, ?mar ?09 ?17, 06:22:05 PM?????????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@EffectivePends 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 4890 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 765 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 87 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c3547b3f-fe86-413b-9973-67e6a5ad864e}@LeaseObtainedTime 1489163184 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c3547b3f-fe86-413b-9973-67e6a5ad864e}@T1 1489206384 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c3547b3f-fe86-413b-9973-67e6a5ad864e}@T2 1489238784 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c3547b3f-fe86-413b-9973-67e6a5ad864e}@LeaseTerminatesTime 1489249584 Reg HKLM\SYSTEM\CurrentControlSet\Services\umbus\Parameters\Wdf@TimeOfLastTelemetryLog 0x6F 0xC3 0x02 0x2F ... Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrvroot\Parameters\Wdf@TimeOfLastTelemetryLog 0x58 0xF0 0x17 0x1A ... Reg HKLM\SYSTEM\CurrentControlSet\Services\vwifibus\Parameters\Wdf@TimeOfLastTelemetryLog 0x7C 0xC5 0x6A 0x30 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xC3 0xFE 0xD7 0xF4 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xC3 0x66 0x9C 0x56 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xC3 0x96 0x13 0x93 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 19198 19204 19214 19224 19244 19288 19298 19336 19342 19358 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 19364 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 19365 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 19198 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 19199 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@E7CF176E110C211B 0x5C 0x00 0xC2 0x5D ... ---- EOF - GMER 2.2 ----