GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-28 21:43:00
Windows 6.2.9200 x64
\Device\Harddisk0\DR0 -> \Device\00000026 ST1000LM014-SSHD-8GB rev.LVD6 931,51GB
Running: 7o3jzk25.exe; Driver: C:\Users\gryzu\AppData\Local\Temp\fwgyrpod.sys

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [704:3772]  ffffbfcd3d136c20

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime  0xE3 0x42 0xF7 0x18 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime  0xDA 0x4B 0xBF 0x9A ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL  10
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\AUO38ED0_2B_07DE_B0^74182D1226445B9EAF5EDEE8370FC48B@Timestamp  0xDA 0xEB 0x3E 0x71 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  856
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  \??\C:\WINDOWS\system32\DRIVERS\CLVirtualDrive.sys??
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber  1093410
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  -943719151
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId  10
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime  487667645
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime  5488
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime  5488
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID  91008424-dcec-46e7-b7cc-44bd85b
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName  Global\MMF_BITS543056d5-57b1-464c-8731-2122b3ab2731
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\2c6e8586db6f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{f64fcfdd-a670-47f8-95fb-ef919033340b}@LastProbeTime  1477686265
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{ABA65BAB-A9CD-461C-BB9E-C5E97B0053C4}@InterfaceName  Reusable ISATAP Interface {ABA65BAB-A9CD-461C-BB9E-C5E97B0053C4}
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{ABA65BAB-A9CD-461C-BB9E-C5E97B0053C4}@ReusableType  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Diagnostics@ReadyBootTrainingCountSinceLastServicing  7
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Diagnostics@LastTrustedInstallerBootCached  0x7B 0x4B 0xA4 0x9A ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime  pt., paź 28 16, 08:48:16 PM
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@EffectivePends  393
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  1882
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  509
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence  9
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS  2629
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{145dc415-25e3-4bfc-a1c6-05beba29193a}@LeaseObtainedTime  1477679064
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{145dc415-25e3-4bfc-a1c6-05beba29193a}@T1  1477722264
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{145dc415-25e3-4bfc-a1c6-05beba29193a}@T2  1477754664
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{145dc415-25e3-4bfc-a1c6-05beba29193a}@LeaseTerminatesTime  1477765464
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0xA9 0xA4 0x42 0x03 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0xA9 0x0C 0x07 0x65 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0xA9 0x3C 0x7E 0xA1 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List  11092 11098 11110 11120 11130 11150 11194 11204 11242 11248 11264
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter  11270
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help  11271
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter  11092
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help  11093
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280810@LastAccessed  0x2F 0x83 0xC8 0xD6 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280810@AccelerateCacheRefreshLastDetected  0x1E 0xDA 0xA0 0xD5 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280810@AccelerateCacheRefreshLastHandled  0xA2 0x8A 0xB1 0xD5 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280811@LastAccessed  0x5C 0xE4 0x8C 0xD6 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280811@AccelerateCacheRefreshLastDetected  0x7E 0x78 0x9E 0xD5 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280811@AccelerateCacheRefreshLastHandled  0x0C 0x14 0xBB 0xD5 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime  0x7D 0xFB 0x28 0x98 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime  0x7D 0xFB 0x28 0x98 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime  0x7D 0xFB 0x28 0x98 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime  0x7D 0xFB 0x28 0x98 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\WinRoamErrors@LastErrorLevel  1

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- Files - GMER 2.2 ----

File  C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{16B47870-B4E3-4775-8FE4-BCCA33C323B6}  0 bytes
File  C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{2904D669-F5BE-4073-8952-C8CE020DA96E}  9894 bytes
File  C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{F95AEF3E-2D17-4202-8DF0-035F10C6B732}  0 bytes
File  C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{C3D51BA4-A8EA-4C08-B204-6FBB30946F22}  0 bytes
File  C:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-09302016-213112-00000003-ffffffff.bin  0 bytes
File  C:\Users\gryzu\AppData\Local\Google\Chrome\User Data\Profile 2\Cache\f_01681f  0 bytes
File  C:\Users\gryzu\AppData\Local\Google\Chrome\User Data\Profile 2\Extension State\004110.log  0 bytes
File  C:\Users\gryzu\AppData\Local\Microsoft\OneDrive\logs\Personal\SyncEngine-2016-10-28.1858.6176.3.aodl  1048619 bytes
File  C:\Users\gryzu\AppData\Local\Microsoft\Windows\SettingSync\metastore\edb0018A.log  524288 bytes
File  C:\Users\gryzu\AppData\Local\Microsoft\Windows\SettingSync\metastore\edb0018B.log  524288 bytes
File  C:\Users\gryzu\AppData\Local\Microsoft\Windows\SettingSync\metastore\edb0018C.log  524288 bytes
File  C:\Users\gryzu\AppData\Local\Microsoft\Windows\SettingSync\remotemetastore\v1\edb00075.log  524288 bytes
File  C:\Users\gryzu\AppData\Local\Microsoft\Windows\SettingSync\remotemetastore\v1\edb00076.log  524288 bytes
File  C:\Users\gryzu\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache131221526665363833.txt  0 bytes
File  C:\Users\gryzu\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache131221539625798151.txt  0 bytes
File  C:\Users\gryzu\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache131221540030097974.txt  0 bytes
File  C:\Users\gryzu\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache131221544188508360.txt  0 bytes
File  C:\Users\gryzu\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\AC\INetCookies\2V2J0YG5.cookie  0 bytes

---- EOF - GMER 2.2 ----
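Added example, not part of the log above and not GMER's own code: a small Python parser that splits a GMER 2.2 text log into its sections and typed entries, then pulls out the three entry types an analyst reads first in a log like this one (the "unknown MBR code" disk line, the PendingFileRenameOperations value, and the separately listed thread). The section-banner and entry layout it expects is inferred from the log on this page, not from a GMER specification; SAMPLE_LOG is an excerpt of that log; the rule names and helper functions are this example's own. The triage reasons are hints for a human, not verdicts: every one of these entries also appears on clean machines.

```python
"""Parse a GMER 2.2 text log and list the entries worth a second look.

Added example for this page; not GMER's code. The layout (section banners,
"Kind  detail" entries) is inferred from the log above. SAMPLE_LOG is an
excerpt of that log.
"""
import re
from dataclasses import dataclass, field

# "---- Registry - GMER 2.2 ----" banners and "Reg  HKLM\...@Value  data" entries.
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
ENTRY_RE = re.compile(r"^(Thread|Reg|Disk|File|Code|Module|Device|Service|Process)\s+(.*)$")
# PendingFileRenameOperations holds NT paths ("\??\C:\...") separated by NULs,
# which this log renders as '?'.
PENDING_PATH_RE = re.compile(r"\\\?\?\\([^?]+)")


@dataclass
class Entry:
    section: str   # e.g. "Registry"
    kind: str      # e.g. "Reg"
    detail: str    # rest of the line (key@value and data)


@dataclass
class GmerLog:
    header: list = field(default_factory=list)
    entries: list = field(default_factory=list)


def parse_gmer(text):
    """Split a GMER log into header lines and typed entries; stops at the EOF banner."""
    log, section = GmerLog(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            if section == "EOF":
                break
            continue
        if section is None:
            log.header.append(line)      # lines before the first banner
            continue
        m = ENTRY_RE.match(line)
        if m:
            log.entries.append(Entry(section, m.group(1), m.group(2).strip()))
        elif log.entries:
            log.entries[-1].detail += " " + line   # wrapped continuation line
    return log


# (kind, pattern, why): triage hints, not verdicts. Each also occurs on clean hosts.
TRIAGE_RULES = [
    ("Disk", re.compile(r"unknown MBR code", re.I),
     "boot code GMER does not recognise; compare the MBR against a known-good copy"),
    ("Reg", re.compile(r"Session Manager@PendingFileRenameOperations", re.I),
     "file replace/delete queued for next boot; check what is being swapped"),
    ("Thread", re.compile(r"."),
     "thread GMER lists on its own; confirm its start address lies in a loaded module"),
]


def triage(log):
    """Return (entry, reason) pairs for every entry matching a triage rule."""
    return [(e, why) for e in log.entries
            for kind, pat, why in TRIAGE_RULES
            if e.kind == kind and pat.search(e.detail)]


def pending_renames(log):
    """Paths queued in PendingFileRenameOperations, minus the \\??\\ prefix and NUL marks."""
    paths = []
    for e in log.entries:
        if e.kind == "Reg" and "PendingFileRenameOperations" in e.detail:
            paths.extend(p.strip() for p in PENDING_PATH_RE.findall(e.detail))
    return paths


# Excerpt of the log on this page (only a handful of lines kept).
SAMPLE_LOG = r"""GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-28 21:43:00
Windows 6.2.9200 x64

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [704:3772]  ffffbfcd3d136c20

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  856
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  \??\C:\WINDOWS\system32\DRIVERS\CLVirtualDrive.sys??

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- Files - GMER 2.2 ----

File  C:\Users\gryzu\AppData\Local\Google\Chrome\User Data\Profile 2\Cache\f_01681f  0 bytes

---- EOF - GMER 2.2 ----
"""

if __name__ == "__main__":
    log = parse_gmer(SAMPLE_LOG)
    print(f"{len(log.entries)} entries in {len({e.section for e in log.entries})} sections")
    for e, why in triage(log):
        print(f"[{e.section}] {e.kind}: {e.detail}\n    -> {why}")
    for p in pending_renames(log):
        print("pending rename:", p)
```

Run it against a full log by reading the file into parse_gmer instead of SAMPLE_LOG. The parser keeps the Registry noise (timestamps, DHCP lease times, performance counters) so nothing is lost, and triage only picks out the lines that change what you do next: for the pending rename it hands back the driver path so it can be checked on disk before the reboot that will apply it.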