GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-12-01 18:08:25
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000035 Crucial_CT250MX200SSD1 rev.MU03 232,89GB
Running: io6i32yj.exe; Driver: C:\Users\Lucas\AppData\Local\Temp\pwrdqpoc.sys

---- User code sections - GMER 2.2 ----

?       C:\WINDOWS\SYSTEM32\NTASN1.dll [4408] entry point in ".rdata" section 0000000070f5a020
?       C:\WINDOWS\system32\ncryptsslp.dll [4408] entry point in ".rdata" section 00000000717804f0
?       C:\WINDOWS\system32\apphelp.dll [3892] entry point in ".rdata" section 000000007104f7c0
?       C:\WINDOWS\SYSTEM32\iertutil.dll [3892] entry point in ".rdata" section 0000000071e81590
?       C:\WINDOWS\SYSTEM32\atlthunk.dll [3892] entry point in ".data" section 0000000071ba4290
?       C:\WINDOWS\SYSTEM32\NTASN1.dll [3892] entry point in ".rdata" section 0000000070f5a020
?       C:\WINDOWS\system32\ncryptsslp.dll [3892] entry point in ".rdata" section 00000000717804f0
?       C:\WINDOWS\system32\mssprxy.dll [3892] entry point in ".rdata" section 000000006dcfa650
?       C:\WINDOWS\system32\apphelp.dll [3612] entry point in ".rdata" section 000000007104f7c0
?       C:\WINDOWS\SYSTEM32\iertutil.dll [3612] entry point in ".rdata" section 0000000071e81590
?       C:\WINDOWS\system32\apphelp.dll [3068] entry point in ".rdata" section 000000007104f7c0
?       C:\WINDOWS\SYSTEM32\iertutil.dll [3068] entry point in ".rdata" section 0000000071e81590
?       C:\WINDOWS\system32\apphelp.dll [5044] entry point in ".rdata" section 000000007104f7c0
?       C:\WINDOWS\SYSTEM32\iertutil.dll [5044] entry point in ".rdata" section 0000000071e81590
?       C:\WINDOWS\system32\apphelp.dll [844] entry point in ".rdata" section 000000007104f7c0
?       C:\WINDOWS\SYSTEM32\iertutil.dll [844] entry point in ".rdata" section 0000000071e81590
?       C:\WINDOWS\system32\apphelp.dll [4124] entry point in ".rdata" section 000000007104f7c0
?       C:\WINDOWS\SYSTEM32\iertutil.dll [4124] entry point in ".rdata" section 0000000071e81590
?       C:\WINDOWS\system32\apphelp.dll [7188] entry point in ".rdata" section 000000007104f7c0
?       C:\WINDOWS\SYSTEM32\iertutil.dll [7188] entry point in ".rdata" section 0000000071e81590
?       C:\WINDOWS\system32\apphelp.dll [2720] entry point in ".rdata" section 000000007104f7c0
?       C:\WINDOWS\SYSTEM32\iertutil.dll [2720] entry point in ".rdata" section 0000000071e81590
?       C:\WINDOWS\system32\apphelp.dll [696] entry point in ".rdata" section 000000007104f7c0
?       C:\WINDOWS\SYSTEM32\iertutil.dll [696] entry point in ".rdata" section 0000000071e81590
?       C:\WINDOWS\system32\apphelp.dll [1540] entry point in ".rdata" section 000000007104f7c0
?       C:\WINDOWS\SYSTEM32\iertutil.dll [1540] entry point in ".rdata" section 0000000071e81590
?       C:\WINDOWS\system32\apphelp.dll [9088] entry point in ".rdata" section 000000007104f7c0
?       C:\WINDOWS\SYSTEM32\iertutil.dll [9088] entry point in ".rdata" section 0000000071e81590
?       C:\WINDOWS\system32\apphelp.dll [7872] entry point in ".rdata" section 000000007104f7c0

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [2748:5492]   fffff8bba36a6c20

---- Processes - GMER 2.2 ----

Library C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78#\010ca03bc4ce0e90aba17cf53dfaa3b0\System.ServiceProcess.ni.dll (*** suspicious ***) @ C:\Program Files (x86)\Intel\Intel(R) Security Assist\isa.exe [1156]   000000006ce70000

---- Registry - GMER 2.2 ----

Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations   \??\C:\Program Files (x86)\Google\Chrome\Temp\scoped_dir_6124_19573\old_chrome.exe??\??\C:\Program Files (x86)\Google\Chrome\Temp\scoped_dir_6124_19573??\??\C:\Program Files (x86)\Google\Chrome\Temp??\??\C:\WINDOWS\system32\SET9FBE.tmp??\??\C:\WINDOWS\SysWow64\SETA6F4.tmp??\??\C:\Users\Lucas\AppData\Local\Temp\~nsuA.tmp\Au_.exe??\??\C:\Users\Lucas\AppData\Local\Temp\~nsuA.tmp??\??\C:\Users\Lucas\AppData\Local\Temp\INS_c7545e81.TMP??\??\C:\WINDOWS\system32\drivers\SET1DC5.tmp??\??\C:\Users\Lucas\AppData\Local\Temp\INS_17bcae0c.TMP??\??\C:\Users\Lucas\AppData\Local\Temp\INS_7e069c7a.TMP??\??\C:\Users\Lucas\AppData\Local\Temp\INS_f65c4a9d.TMP??\??\C:\Users\Lucas\AppData\Local\Temp\INS_daac4b22.TMP??\??\C:\Users\Lucas\AppData\Local\Temp\INS_8340a7ff.TMP??\??\C:\Users\Lucas\AppData\Local\Temp\INS_de5e894e.TMP??\??\C:\Users\Lucas\AppData\Local\Temp\INS_58572d49.TMP??\??\C:\Users\Lucas\AppData\Local\Temp\INS_97963439.TMP??\??\C:\Users\Lucas\AppData\Local\Temp\INS_b552b331.TMP??\??\C:\Users\Lucas\AppData\Local\Temp\
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed   105870408
Reg     HKLM\SYSTEM\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\3@Timestamp   0x71 0x3D 0x58 0x86 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated   0x5E 0x12 0x36 0x93 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh   0x5E 0x7A 0xFA 0xF4 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow   0x5E 0xAA 0x71 0x31 ...
Reg     HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw   0x64 0x62 0x03 0x00 ...
Reg     HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask   0x64 0x62 0x03 0x00 ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest   0xD9 0x85 0xD8 0xE8 ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@Chrome   0xA8 0x70 0xD0 0x58 ...

---- EOF - GMER 2.2 ----