GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-07-30 05:17:59
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000030 WDC_WD5000LPVX-75V0TT0 rev.01.01A01 465,76GB
Running: zulvtccy.exe; Driver: C:\Users\BARTLO~1\AppData\Local\Temp\ufldqpow.sys

---- User code sections - GMER 2.2 ----

?    C:\WINDOWS\SYSTEM32\iertutil.dll [1324] entry point in ".rdata" section 000000007358d3c0
?    C:\WINDOWS\system32\apphelp.dll [1324] entry point in ".rdata" section 0000000072d70380
?    C:\Windows\SYSTEM32\ActXPrxy.dll [1324] entry point in ".rdata" section 00000000726cbd10
?    C:\WINDOWS\System32\SensorsNativeApi.V2.dll [1324] entry point in ".rdata" section 000000007034f400
?    C:\WINDOWS\SYSTEM32\iertutil.dll [2052] entry point in ".rdata" section 000000007358d3c0
?    C:\WINDOWS\system32\apphelp.dll [2080] entry point in ".rdata" section 0000000072d70380
?    C:\WINDOWS\SYSTEM32\NTASN1.dll [2248] entry point in ".rdata" section 000000007003bb10
?    C:\WINDOWS\System32\SensorsNativeApi.V2.dll [3672] entry point in ".rdata" section 000000007034f400
?    C:\Windows\SYSTEM32\ActXPrxy.dll [768] entry point in ".rdata" section 00000000726cbd10
?    C:\Windows\SYSTEM32\iertutil.dll [768] entry point in ".rdata" section 000000007358d3c0
?    C:\Windows\SYSTEM32\iertutil.dll [3868] entry point in ".rdata" section 000000007358d3c0
?    C:\WINDOWS\system32\apphelp.dll [3868] entry point in ".rdata" section 0000000072d70380
?    C:\WINDOWS\system32\apphelp.dll [6984] entry point in ".rdata" section 0000000072d70380
?    C:\WINDOWS\system32\wbem\wbemsvc.dll [7192] entry point in ".rdata" section 000000006b688fa0
?    C:\WINDOWS\SYSTEM32\NTASN1.dll [7192] entry point in ".rdata" section 000000007003bb10
?    C:\WINDOWS\SYSTEM32\iertutil.dll [7192] entry point in ".rdata" section 000000007358d3c0
?    C:\WINDOWS\system32\wbem\wbemsvc.dll [7732] entry point in ".rdata" section 000000006b688fa0
?    C:\WINDOWS\SYSTEM32\iertutil.dll [7732] entry point in ".rdata" section 000000007358d3c0
?    C:\WINDOWS\system32\apphelp.dll [7732] entry point in ".rdata" section 0000000072d70380
?    C:\WINDOWS\SYSTEM32\NTASN1.dll [7732] entry point in ".rdata" section 000000007003bb10
?    C:\WINDOWS\system32\wbem\wbemsvc.dll [8168] entry point in ".rdata" section 000000006b688fa0
?    C:\WINDOWS\SYSTEM32\iertutil.dll [8168] entry point in ".rdata" section 000000007358d3c0
?    C:\WINDOWS\system32\wbem\wbemsvc.dll [5588] entry point in ".rdata" section 000000006b688fa0
?    C:\WINDOWS\SYSTEM32\iertutil.dll [5588] entry point in ".rdata" section 000000007358d3c0
?    C:\WINDOWS\system32\apphelp.dll [5356] entry point in ".rdata" section 0000000072d70380

---- User IAT/EAT - GMER 2.2 ----

IAT  C:\WINDOWS\system32\svchost.exe[1056] @ C:\WINDOWS\servicing\CbsApi.dll[RPCRT4.dll!NdrDllGetClassObject] [0]
IAT  C:\WINDOWS\system32\svchost.exe[1056] @ C:\WINDOWS\servicing\CbsApi.dll[RPCRT4.dll!NdrDllRegisterProxy] [0]
IAT  C:\WINDOWS\system32\svchost.exe[1056] @ C:\WINDOWS\servicing\CbsApi.dll[RPCRT4.dll!CStdStubBuffer_Invoke] [0]
IAT  C:\WINDOWS\system32\svchost.exe[1056] @ C:\WINDOWS\servicing\CbsApi.dll[RPCRT4.dll!CStdStubBuffer_Disconnect] [0]
IAT  C:\WINDOWS\system32\svchost.exe[1056] @ C:\WINDOWS\servicing\CbsApi.dll[RPCRT4.dll!IUnknown_QueryInterface_Proxy] [0]
IAT  C:\WINDOWS\system32\svchost.exe[1056] @ C:\WINDOWS\servicing\CbsApi.dll[RPCRT4.dll!IUnknown_AddRef_Proxy] [0]
IAT  C:\WINDOWS\system32\svchost.exe[1056] @ C:\WINDOWS\System32\DMCfgUtils.dll[msvcrt.dll!_amsg_exit] [0]
IAT  C:\WINDOWS\system32\svchost.exe[1056] @ C:\WINDOWS\System32\DMCfgUtils.dll[msvcrt.dll!malloc] [0]
IAT  C:\WINDOWS\system32\svchost.exe[1056] @ C:\WINDOWS\System32\DMCfgUtils.dll[msvcrt.dll!??1exception@@UEAA@XZ] [0]
IAT  C:\WINDOWS\system32\svchost.exe[1056] @ C:\WINDOWS\System32\DMCfgUtils.dll[msvcrt.dll!__CxxFrameHandler3] [0]
IAT  C:\WINDOWS\system32\svchost.exe[1056] @ C:\WINDOWS\System32\DMCfgUtils.dll[msvcrt.dll!_purecall] [0]

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [688:740]  fffff960ebf14030

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  -1168767599
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\4cbb583ed4ca
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\4cbb583ed4ca@2a9f3ab1c888  0xA6 0x42 0x1B 0x02 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime  ?sob.?, ?lip ?30 ?16, 03:57:35?????????????????????????????????
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0x40 0xB4 0x00 0xC6 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0x40 0x1C 0xC5 0x27 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0x40 0x4C 0x3C 0x64 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount  0x16 0xA2 0x0B 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds  Chrome?

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----