GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-03-21 17:59:56
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000DM003-1ER162 rev.CC45 931,51GB
Running: p7i3e1ko.exe; Driver: C:\Users\Forma\AppData\Local\Temp\ugloypoc.sys

---- Threads - GMER 2.2 ----

Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5712:4384] 000007fefb882ad8
Thread [2464:5040] 00000000773ba280
Thread [2464:1252] 00000000773bf6f0
Thread [2464:4184] 000007fefd66fb40
Thread [2464:5740] 00000000773bf6f0
Thread [2464:1208] 00000000773bf6f0

---- Processes - GMER 2.2 ----

Library C:\Users\Forma\AppData\Local\Temp\{B547B4C4-A7CB-4401-A599-D5F434763C18}\{4666BCE8-BC68-42A5-A022-82BB2E787F9F}.exe (*** suspicious ***) @ C:\Users\Forma\AppData\Local\Temp\{B547B4C4-A7CB-4401-A599-D5F434763C18}\{4666BCE8-BC68-42A5-A022-82BB2E787F9F}.exe [5404] 0000000000400000
Library C:\Users\Forma\AppData\Local\Temp\{645BD078-AB72-4FF7-B92A-7DCE2CA39C56}\{08FA2725-7619-44DF-BBE1-39A533A86652}.tmp (*** suspicious ***) @ C:\Users\Forma\AppData\Local\Temp\{B547B4C4-A7CB-4401-A599-D5F434763C18}\{4666BCE8-BC68-42A5-A022-82BB2E787F9F}.exe [5404] 0000000069a80000
Library C:\Users\Forma\AppData\Local\Temp\{645BD078-AB72-4FF7-B92A-7DCE2CA39C56}\{BE53C3C2-4955-4879-9A51-F18EE3083288}.tmp (*** suspicious ***) @ C:\Users\Forma\AppData\Local\Temp\{B547B4C4-A7CB-4401-A599-D5F434763C18}\{4666BCE8-BC68-42A5-A022-82BB2E787F9F}.exe [5404] 0000000071d10000
Library C:\Users\Forma\AppData\Local\Temp\{645BD078-AB72-4FF7-B92A-7DCE2CA39C56}\{4C3535BB-D3F1-442C-A621-40A99710AA8A}.tmp (*** suspicious ***) @ C:\Users\Forma\AppData\Local\Temp\{B547B4C4-A7CB-4401-A599-D5F434763C18}\{4666BCE8-BC68-42A5-A022-82BB2E787F9F}.exe [5404] 00000000699d0000
Library C:\Users\Forma\AppData\Local\Temp\{645BD078-AB72-4FF7-B92A-7DCE2CA39C56}\{FE021531-18AA-41E4-8F83-DBCC0086F41D}.tmp (*** suspicious ***) @ C:\Users\Forma\AppData\Local\Temp\{B547B4C4-A7CB-4401-A599-D5F434763C18}\{4666BCE8-BC68-42A5-A022-82BB2E787F9F}.exe [5404] 000000006a000000
Library C:\Users\Forma\AppData\Local\Temp\{645BD078-AB72-4FF7-B92A-7DCE2CA39C56}\{71DDD230-26AD-4FF9-8970-4D1963F8C788}.tmp (*** suspicious ***) @ C:\Users\Forma\AppData\Local\Temp\{B547B4C4-A7CB-4401-A599-D5F434763C18}\{4666BCE8-BC68-42A5-A022-82BB2E787F9F}.exe [5404] 0000000069930000
Library C:\Users\Forma\AppData\Local\Temp\{645BD078-AB72-4FF7-B92A-7DCE2CA39C56}\{6CAD8EC4-85AF-4920-BEE0-8B79E067E1EC}.tmp (*** suspicious ***) @ C:\Users\Forma\AppData\Local\Temp\{B547B4C4-A7CB-4401-A599-D5F434763C18}\{4666BCE8-BC68-42A5-A022-82BB2E787F9F}.exe [5404] 00000000698d0000
Library C:\Users\Forma\AppData\Local\Temp\{645BD078-AB72-4FF7-B92A-7DCE2CA39C56}\{688A0351-1110-4922-9CB5-F4D1CE27FA34}.tmp (*** suspicious ***) @ C:\Users\Forma\AppData\Local\Temp\{B547B4C4-A7CB-4401-A599-D5F434763C18}\{4666BCE8-BC68-42A5-A022-82BB2E787F9F}.exe [5404] 000000006bcf0000
Library C:\Users\Forma\AppData\Local\Temp\{645BD078-AB72-4FF7-B92A-7DCE2CA39C56}\{C0C63219-C6A1-4269-9CF9-3552354CDAE2}.tmp (*** suspicious ***) @ C:\Users\Forma\AppData\Local\Temp\{B547B4C4-A7CB-4401-A599-D5F434763C18}\{4666BCE8-BC68-42A5-A022-82BB2E787F9F}.exe [5404] 0000000069820000
Library C:\Users\Forma\AppData\Local\Temp\{645BD078-AB72-4FF7-B92A-7DCE2CA39C56}\{45A44B15-98C0-46AB-B6FA-B57F8B93F770}.tmp (*** suspicious ***) @ C:\Users\Forma\AppData\Local\Temp\{B547B4C4-A7CB-4401-A599-D5F434763C18}\{4666BCE8-BC68-42A5-A022-82BB2E787F9F}.exe [5404] 0000000069740000
Library C:\Users\Forma\AppData\Local\Temp\{645BD078-AB72-4FF7-B92A-7DCE2CA39C56}\{E7C92D95-AA58-48C5-BBA7-F382CC49A582}.tmp (*** suspicious ***) @ C:\Users\Forma\AppData\Local\Temp\{B547B4C4-A7CB-4401-A599-D5F434763C18}\{4666BCE8-BC68-42A5-A022-82BB2E787F9F}.exe [5404] 00000000696f0000

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{EAFCDED9-8053-49A1-9846-93808342EB89}@LeaseObtainedTime 1490111193
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{EAFCDED9-8053-49A1-9846-93808342EB89}@T1 1490111320
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{EAFCDED9-8053-49A1-9846-93808342EB89}@T2 1490111416
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{EAFCDED9-8053-49A1-9846-93808342EB89}@LeaseTerminatesTime 1490111448
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@\0\xad\xa4\1 1
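The Python script below is an added example, not GMER output and not code from the GMER project: it parses a dump in the line layout shown above and pulls out what a responder looks at first, namely modules GMER tagged "(*** suspicious ***)" or mapped from a user's Temp directory, grouped by PID, threads listed without an owning process image, and the Tcpip DHCP lease timestamps decoded to UTC. The regular expressions, the Temp-path heuristic, the function names and the one constructed line (kernel32.dll in explorer.exe, PID 1234, included so an unflagged library appears in the output) are mine; the other sample lines are excerpted from the log above. The lease values are decoded on the assumption that Windows stores them as Unix epoch seconds.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Excerpt of the GMER log on this page, plus one constructed line (the
# kernel32.dll / explorer.exe entry) so an unflagged library is present too.
SAMPLE_LOG = r"""GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-03-21 17:59:56
Running: p7i3e1ko.exe; Driver: C:\Users\Forma\AppData\Local\Temp\ugloypoc.sys
---- Threads - GMER 2.2 ----
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5712:4384] 000007fefb882ad8
Thread [2464:5040] 00000000773ba280
---- Processes - GMER 2.2 ----
Library C:\Users\Forma\AppData\Local\Temp\{B547B4C4-A7CB-4401-A599-D5F434763C18}\{4666BCE8-BC68-42A5-A022-82BB2E787F9F}.exe (*** suspicious ***) @ C:\Users\Forma\AppData\Local\Temp\{B547B4C4-A7CB-4401-A599-D5F434763C18}\{4666BCE8-BC68-42A5-A022-82BB2E787F9F}.exe [5404] 0000000000400000
Library C:\Users\Forma\AppData\Local\Temp\{645BD078-AB72-4FF7-B92A-7DCE2CA39C56}\{08FA2725-7619-44DF-BBE1-39A533A86652}.tmp (*** suspicious ***) @ C:\Users\Forma\AppData\Local\Temp\{B547B4C4-A7CB-4401-A599-D5F434763C18}\{4666BCE8-BC68-42A5-A022-82BB2E787F9F}.exe [5404] 0000000069a80000
Library C:\Windows\System32\kernel32.dll @ C:\Windows\explorer.exe [1234] 0000000077000000
---- Registry - GMER 2.2 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{EAFCDED9-8053-49A1-9846-93808342EB89}@LeaseObtainedTime 1490111193
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{EAFCDED9-8053-49A1-9846-93808342EB89}@LeaseTerminatesTime 1490111448
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@\0\xad\xa4\1 1
"""

# Patterns written against the line layout shown on this page (single spaces
# between fields), not against GMER's own documented format; widen as needed.
THREAD_RE = re.compile(
    r"^Thread\s+(?:(?P<image>.+?)\s+)?\[(?P<pid>\d+):(?P<tid>\d+)\]\s+(?P<addr>[0-9a-f]{16})$", re.I)
LIBRARY_RE = re.compile(
    r"^Library\s+(?P<lib>.+?)(?P<flag>\s+\(\*\*\* suspicious \*\*\*\))?"
    r"\s+@\s+(?P<proc>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>[0-9a-f]{16})$", re.I)
REG_RE = re.compile(r"^Reg\s+(?P<key>[^@]+)@(?P<value>.+?)\s+(?P<data>\S+)$")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Assumption: these Tcpip interface values are Unix epoch seconds.
LEASE_VALUES = {"LeaseObtainedTime", "T1", "T2", "LeaseTerminatesTime"}


def parse_gmer(text):
    """Split a GMER dump into thread, library and registry records."""
    out = {"threads": [], "libraries": [], "registry": []}
    for line in text.splitlines():
        line = line.strip()
        if m := THREAD_RE.match(line):
            out["threads"].append({"image": m["image"], "pid": int(m["pid"]),
                                   "tid": int(m["tid"]), "addr": int(m["addr"], 16)})
        elif m := LIBRARY_RE.match(line):
            out["libraries"].append({"lib": m["lib"], "flagged": m["flag"] is not None,
                                     "proc": m["proc"], "pid": int(m["pid"]),
                                     "base": int(m["base"], 16)})
        elif m := REG_RE.match(line):
            out["registry"].append({"key": m["key"], "value": m["value"], "data": m["data"]})
    return out


def suspicious_libraries(parsed):
    """Modules GMER flagged, plus anything mapped from a user's Temp directory."""
    return [l for l in parsed["libraries"] if l["flagged"] or TEMP_RE.search(l["lib"])]


def libraries_by_pid(parsed):
    """Group mapped modules by process so one process's Temp-loaded set is visible at once."""
    groups = defaultdict(list)
    for l in parsed["libraries"]:
        groups[l["pid"]].append(l)
    return dict(groups)


def threads_without_image(parsed):
    """Thread entries GMER printed with only [pid:tid], no process image path."""
    return [t for t in parsed["threads"] if t["image"] is None]


def dhcp_lease_times(parsed):
    """Decode the Tcpip lease timestamps (epoch seconds) to ISO-8601 UTC."""
    times = {}
    for r in parsed["registry"]:
        if r["value"] in LEASE_VALUES and r["data"].isdigit():
            times[r["value"]] = datetime.fromtimestamp(int(r["data"]), timezone.utc).isoformat()
    return times


def triage(text):
    """One-shot summary of the points a responder checks first."""
    parsed = parse_gmer(text)
    sus = suspicious_libraries(parsed)
    return {
        "suspicious_count": len(sus),
        "suspicious_pids": sorted({l["pid"] for l in sus}),
        "pids_with_unnamed_threads": sorted({t["pid"] for t in threads_without_image(parsed)}),
        "lease_times": dhcp_lease_times(parsed),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it as-is for a JSON summary of the excerpt, or pass a full dump to triage(). The Temp-path heuristic deliberately catches the pattern GMER tagged here: an executable running from a GUID-named folder under the user's Temp directory with a series of GUID-named .tmp modules mapped into it. Installers commonly unpack the same way while they run, so treat the list as a prioritised check (hash the files, establish what launched PID 5404 and whether it was still running after the scan) rather than as a verdict. The "Running: / Driver:" line names GMER's own executable (a random file name is normal there) and its driver in Temp, and is not a finding in itself.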