GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-11-17 08:46:06 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000038 Hitachi_HTS545050A7E380 rev.GG2OA6C0 465,76GB Running: jv3wugfz.exe; Driver: C:\Users\WITOL_~1\AppData\Local\Temp\pflyrfob.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\system32\apphelp.dll [6316] entry point in ".rdata" section 000000006d29f7c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [6316] entry point in ".rdata" section 00000000716e1590 ? C:\WINDOWS\SYSTEM32\atlthunk.dll [6316] entry point in ".data" section 000000006e3e4290 ? C:\WINDOWS\system32\mssprxy.dll [6316] entry point in ".rdata" section 0000000058eaa650 ? C:\Windows\System32\smartscreenps.dll [6316] entry point in ".rdata" section 000000005ad358a0 ? C:\WINDOWS\system32\apphelp.dll [4140] entry point in ".rdata" section 000000006d29f7c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [4140] entry point in ".rdata" section 00000000716e1590 ? C:\WINDOWS\system32\apphelp.dll [4232] entry point in ".rdata" section 000000006d29f7c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [4232] entry point in ".rdata" section 00000000716e1590 ? C:\WINDOWS\system32\apphelp.dll [3236] entry point in ".rdata" section 000000006d29f7c0 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\svchost.exe [948:580] 00007ff843cef950 Thread C:\WINDOWS\system32\svchost.exe [948:608] 00007ff843ceed20 Thread C:\WINDOWS\system32\svchost.exe [948:588] 00007ff843ae8ae0 Thread C:\WINDOWS\system32\svchost.exe [624:2920] 00007ff837f61a50 Thread C:\WINDOWS\system32\svchost.exe [624:2224] 00007ff8389141f0 Thread C:\WINDOWS\system32\svchost.exe [624:3248] 00007ff8369f0ed0 Thread C:\WINDOWS\system32\svchost.exe [624:3256] 00007ff8369e4fc0 Thread C:\WINDOWS\system32\svchost.exe [624:3268] 00007ff837356380 Thread C:\WINDOWS\system32\svchost.exe [624:3272] 00007ff8369278e0 Thread C:\WINDOWS\system32\svchost.exe [624:3320] 00007ff83738c8c0 Thread C:\WINDOWS\system32\svchost.exe [624:3324] 00007ff837390bf0 Thread C:\WINDOWS\system32\svchost.exe [624:3156] 00007ff83f4c1040 Thread C:\WINDOWS\system32\svchost.exe [624:4296] 00007ff8360948e0 Thread C:\WINDOWS\system32\svchost.exe [624:5436] 00007ff8360948e0 Thread C:\WINDOWS\system32\svchost.exe [624:224] 00007ff83dd530f0 Thread C:\WINDOWS\system32\svchost.exe [624:2080] 00007ff8389141f0 Thread C:\WINDOWS\System32\svchost.exe [1156:1920] 00007ff83e313a40 Thread C:\WINDOWS\System32\svchost.exe [1156:2056] 00007ff83d143520 Thread C:\WINDOWS\System32\svchost.exe [1156:2580] 00007ff838ed2af0 Thread C:\WINDOWS\System32\svchost.exe [1156:2584] 00007ff838ed2a40 Thread C:\WINDOWS\System32\svchost.exe [1156:4864] 00007ff838ec5c80 Thread C:\WINDOWS\System32\svchost.exe [1156:6448] 00007ff83638dbe0 Thread C:\WINDOWS\System32\svchost.exe [1156:7812] 00007ff83638dbe0 Thread C:\WINDOWS\System32\svchost.exe [1156:1724] 00007ff83638dbe0 Thread C:\WINDOWS\System32\svchost.exe [1156:8040] 00007ff838ecfdf0 Thread C:\WINDOWS\system32\svchost.exe [1384:3584] 00007ff842531240 Thread C:\WINDOWS\system32\svchost.exe [1384:3588] 00007ff835eda3b0 Thread C:\WINDOWS\system32\svchost.exe [1384:3604] 00007ff8424925e0 Thread C:\WINDOWS\system32\svchost.exe [1384:4372] 00007ff841e73bc0 Thread C:\WINDOWS\system32\svchost.exe [1384:7200] 00007ff841e72080 Thread C:\WINDOWS\system32\svchost.exe [1392:3080] 00007ff8373199e0 Thread C:\WINDOWS\system32\svchost.exe [1392:3084] 00007ff83e332cf0 Thread C:\WINDOWS\System32\svchost.exe [1400:5684] 00007ff83ea0a880 Thread C:\WINDOWS\System32\svchost.exe [1400:5408] 00007ff83ea038e0 Thread C:\WINDOWS\System32\svchost.exe [1400:4376] 00007ff83b269040 Thread C:\WINDOWS\System32\svchost.exe [1400:4312] 00007ff8373199e0 Thread C:\WINDOWS\System32\svchost.exe [1400:6352] 00007ff83e332cf0 Thread C:\WINDOWS\System32\svchost.exe [1400:1464] 00007ff837515bc0 Thread C:\WINDOWS\system32\svchost.exe [1840:3220] 00007ff8371c5bd0 Thread C:\WINDOWS\system32\svchost.exe [1840:3228] 00007ff8371c9b20 Thread C:\WINDOWS\system32\svchost.exe [1848:1808] 00007ff83638dbe0 Thread C:\WINDOWS\system32\svchost.exe [1848:4356] 00007ff83638dbe0 Thread C:\WINDOWS\system32\svchost.exe [1968:2696] 00007ff838c044b0 Thread C:\WINDOWS\system32\svchost.exe [1968:3192] 00007ff8445f6750 Thread C:\WINDOWS\System32\spoolsv.exe [1772:2528] 00007ff837515bc0 Thread C:\WINDOWS\System32\spoolsv.exe [1772:1368] 00007ff8374f2740 Thread C:\WINDOWS\System32\spoolsv.exe [1772:1988] 00007ff835171180 Thread C:\WINDOWS\System32\spoolsv.exe [1772:3296] 00007ff835248e40 Thread [2468:2864] 0000000074fa7ea0 Thread [2468:4044] 00000000772a6140 Thread C:\WINDOWS\system32\wbem\wmiprvse.exe [4708:7900] 00007ff841dbbe70 Thread C:\WINDOWS\system32\wbem\wmiprvse.exe [4708:5592] 00007ff843771e90 Thread C:\WINDOWS\Explorer.EXE [3020:4336] 00007ff83f6ebb70 Thread C:\WINDOWS\Explorer.EXE [3020:184] 00007ff843971ba0 Thread C:\WINDOWS\Explorer.EXE [3020:8128] 00007ff8393a5110 Thread C:\WINDOWS\Explorer.EXE [3020:4892] 00007ff82e7936f0 Thread C:\WINDOWS\Explorer.EXE [3020:6828] 00007ff8285fffd0 Thread C:\Users\Witol_000\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2116:3548] 000000006ff66aec Thread C:\Users\Witol_000\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2116:5012] 000000006ff66aec Thread C:\Users\Witol_000\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2116:7928] 0000000073092600 Thread C:\Users\Witol_000\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2116:7904] 00000000714e24d9 Thread C:\Users\Witol_000\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2116:4616] 00000000714e24d9 Thread C:\Users\Witol_000\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2116:2380] 00000000714e24d9 Thread C:\Users\Witol_000\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2116:5936] 00000000714e24d9 Thread C:\Users\Witol_000\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2116:2772] 000000006fbcf5c9 Thread C:\Users\Witol_000\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2116:3652] 000000006fbcf5c9 Thread C:\Users\Witol_000\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2116:5340] 000000006fbcf5c9 Thread C:\Users\Witol_000\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2116:1616] 000000006fa9b453 Thread C:\Users\Witol_000\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2116:7536] 000000006fa9b453 Thread C:\Users\Witol_000\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2116:1140] 000000006fa9b453 Thread C:\Users\Witol_000\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2116:7356] 000000005ea1c1d0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [4232:5868] 00000000009e5de7 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes@ActivePowerScheme df011ed9-9131-49b9-8090-46963cfb65ce Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1560152562 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\6c71d91dcca0 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 7362 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{453fe364-0346-4135-9189-6fcf82ea2fdb}@LeaseObtainedTime 1479334800 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{453fe364-0346-4135-9189-6fcf82ea2fdb}@T1 1479336600 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{453fe364-0346-4135-9189-6fcf82ea2fdb}@T2 1479337950 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{453fe364-0346-4135-9189-6fcf82ea2fdb}@LeaseTerminatesTime 1479338400 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x08 0xBB 0x9C 0x20 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x08 0x23 0x61 0x82 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x08 0x53 0xD8 0xBE ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0xF5 0x66 0x13 0xAE ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0xF5 0x66 0x13 0xAE ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherRequestBucketCounter 98 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0xF5 0x66 0x13 0xAE ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter 98 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0xF5 0x66 0x13 0xAE ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{D842713D-4C19-4010-BF24-69E723BDD53D}@LastAccessedTime 0xF0 0xB5 0xC4 0xB7 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{D842713D-4C19-4010-BF24-69E723BDD53D}@LaunchCount 14 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\packagestate\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe-0@IsLocalReplicaDirty 0 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.2 ---- File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\Activity.qml 31147 bytes File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\adal.dll 784064 bytes File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\af 0 bytes File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\af\FileSync.LocalizedResources.dll.mui 115392 bytes executable File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\am-et 0 bytes File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\am-et\FileSync.LocalizedResources.dll.mui 87744 bytes executable File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\amd64 0 bytes File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\amd64\ClientTelemetry.dll 1864384 bytes executable File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\amd64\FileCoAuthLib64.dll 31936 bytes executable File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\amd64\FileSyncApi64.dll 335552 bytes executable File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\amd64\FileSyncShell64.dll 1802432 bytes executable File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\amd64\LoggingPlatform64.dll 177856 bytes executable File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\amd64\msvcp120.dll 660128 bytes File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\amd64\msvcr120.dll 963232 bytes executable File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\amd64\Telemetry64.dll 398024 bytes executable File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\ar 0 bytes File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\ar\FileSync.LocalizedResources.dll.mui 102592 bytes executable File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\as-in 0 bytes File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\as-in\FileSync.LocalizedResources.dll.mui 117440 bytes executable File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\AutoPlayOptIn.gif 383222 bytes File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\AutoPlayOptIn.png 10226 bytes File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\az-latn-az 0 bytes File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\az-latn-az\FileSync.LocalizedResources.dll.mui 116424 bytes executable File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\be 0 bytes File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\be\FileSync.LocalizedResources.dll.mui 113856 bytes executable File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\bg 0 bytes File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\bg\FileSync.LocalizedResources.dll.mui 120000 bytes executable File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\bn-bd 0 bytes File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\bn-bd\FileSync.LocalizedResources.dll.mui 117440 bytes executable File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\bn-in 0 bytes File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\bn-in\FileSync.LocalizedResources.dll.mui 116928 bytes executable File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\bs-latn-ba 0 bytes File C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9e372c89#\f9b68f566e67cb9de9dfe1a7eacb7536\bs-latn-ba\FileSync.LocalizedResources.dll.mui 118976 bytes executable ADS C:\Windows\System32\drivers:ucdrv-x64.sys 40424 bytes executable ADS C:\Windows\System32\drivers:x64 721072 bytes executable ADS C:\Windows\System32\drivers:x86 578224 bytes executable ---- EOF - GMER 2.2 ----