GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-05-12 22:17:46
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000029 Samsung_SSD_850_EVO_250GB rev.EMT01B6Q 232,89GB
Running: 42v9ilie.exe; Driver: C:\Users\Bonzo\AppData\Local\Temp\uxldqpoc.sys

---- User code sections - GMER 2.2 ----

.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffdd2465230 5 bytes JMP 00007ffd525a0450
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffdd24652d0 5 bytes JMP 00007ffd525a0440
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffdd2465590 5 bytes JMP 00007ffd525a0360
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffdd2465630 5 bytes JMP 00007ffd525a0460
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffdd2465650 5 bytes JMP 00007ffd525a03d0
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffdd24657b0 5 bytes JMP 00007ffd525a0310
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffdd2465810 1 byte JMP 00007ffd525a03a0
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffdd2465812 3 bytes {JMP 0xffffffff8013ab90}
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffdd2465850 5 bytes JMP 00007ffd525a0380
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffdd24658d0 5 bytes JMP 00007ffd525a02d0
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffdd24659d0 5 bytes JMP 00007ffd525a02c0
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffdd2465a10 5 bytes JMP 00007ffd525a0300
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffdd2465a90 5 bytes JMP 00007ffd525a03b0
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffdd2465b30 5 bytes JMP 00007ffd525a03e0
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffdd2465dc0 5 bytes JMP 00007ffd525a0220
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffdd24661c0 5 bytes JMP 00007ffd525a0470
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffdd2466220 5 bytes JMP 00007ffd525a0390
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffdd24664a0 5 bytes JMP 00007ffd525a02e0
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffdd24664e0 5 bytes JMP 00007ffd525a0340
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffdd24665c0 5 bytes JMP 00007ffd525a0280
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffdd2466700 5 bytes JMP 00007ffd525a02a0
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffdd2466740 5 bytes JMP 00007ffd525a03c0
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffdd2466760 5 bytes JMP 00007ffd525a0320
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffdd24668c0 5 bytes JMP 00007ffd525a0400
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffdd2466920 5 bytes JMP 00007ffd525a0230
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffdd2466fa0 5 bytes JMP 00007ffd525a01d0
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffdd2467160 5 bytes JMP 00007ffd525a0240
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffdd24671c0 5 bytes JMP 00007ffd525a0480
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffdd24671e0 5 bytes JMP 00007ffd525a0490
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffdd2467240 5 bytes JMP 00007ffd525a02f0
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffdd2467260 5 bytes JMP 00007ffd525a0350
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffdd2467320 5 bytes JMP 00007ffd525a0290
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffdd24673e0 5 bytes JMP 00007ffd525a02b0
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffdd2467440 5 bytes JMP 00007ffd525a0370
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffdd2467460 5 bytes JMP 00007ffd525a0330
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffdd2467a80 5 bytes JMP 00007ffd525a0430
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffdd2467ea0 5 bytes JMP 00007ffd525a0250
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffdd2467ec0 5 bytes JMP 00007ffd525a0260
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffdd2467f00 5 bytes JMP 00007ffd525a03f0
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffdd24682e0 5 bytes JMP 00007ffd525a01e0
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffdd2468300 5 bytes JMP 00007ffd525a0200
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffdd2468420 5 bytes JMP 00007ffd525a01f0
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffdd2468500 5 bytes JMP 00007ffd525a0410
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffdd2468520 5 bytes JMP 00007ffd525a0420
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffdd2468540 5 bytes JMP 00007ffd525a0210
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffdd2468760 5 bytes JMP 00007ffd525a0270
? C:\WINDOWS\system32\apphelp.dll [2288] entry point in ".rdata" section 0000000070e30380
? C:\WINDOWS\SYSTEM32\iertutil.dll [2288] entry point in ".rdata" section 000000007279cb70
? C:\WINDOWS\system32\wbem\wbemsvc.dll [4296] entry point in ".rdata" section 000000006f838fa0
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffdd2465230 5 bytes JMP 00007ffd525a0450
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffdd24652d0 5 bytes JMP 00007ffd525a0440
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffdd2465590 5 bytes JMP 00007ffd525a0360
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffdd2465630 5 bytes JMP 00007ffd525a0460
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffdd2465650 5 bytes JMP 00007ffd525a03d0
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffdd24657b0 5 bytes JMP 00007ffd525a0310
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffdd2465810 1 byte JMP 00007ffd525a03a0
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffdd2465812 3 bytes {JMP 0xffffffff8013ab90}
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffdd2465850 5 bytes JMP 00007ffd525a0380
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffdd24658d0 5 bytes JMP 00007ffd525a02d0
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffdd24659d0 5 bytes JMP 00007ffd525a02c0
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffdd2465a10 5 bytes JMP 00007ffd525a0300
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffdd2465a90 5 bytes JMP 00007ffd525a03b0
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffdd2465b30 5 bytes JMP 00007ffd525a03e0
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffdd2465dc0 5 bytes JMP 00007ffd525a0220
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffdd24661c0 5 bytes JMP 00007ffd525a0470
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffdd2466220 5 bytes JMP 00007ffd525a0390
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffdd24664a0 5 bytes JMP 00007ffd525a02e0
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffdd24664e0 5 bytes JMP 00007ffd525a0340
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffdd24665c0 5 bytes JMP 00007ffd525a0280
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffdd2466700 5 bytes JMP 00007ffd525a02a0
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffdd2466740 5 bytes JMP 00007ffd525a03c0
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffdd2466760 5 bytes JMP 00007ffd525a0320
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffdd24668c0 5 bytes JMP 00007ffd525a0400
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffdd2466920 5 bytes JMP 00007ffd525a0230
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffdd2466fa0 5 bytes JMP 00007ffd525a01d0
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffdd2467160 5 bytes JMP 00007ffd525a0240
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffdd24671c0 5 bytes JMP 00007ffd525a0480
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffdd24671e0 5 bytes JMP 00007ffd525a0490
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffdd2467240 5 bytes JMP 00007ffd525a02f0
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffdd2467260 5 bytes JMP 00007ffd525a0350
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffdd2467320 5 bytes JMP 00007ffd525a0290
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffdd24673e0 5 bytes JMP 00007ffd525a02b0
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffdd2467440 5 bytes JMP 00007ffd525a0370
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffdd2467460 5 bytes JMP 00007ffd525a0330
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffdd2467a80 5 bytes JMP 00007ffd525a0430
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffdd2467ea0 5 bytes JMP 00007ffd525a0250
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffdd2467ec0 5 bytes JMP 00007ffd525a0260
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffdd2467f00 5 bytes JMP 00007ffd525a03f0
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffdd24682e0 5 bytes JMP 00007ffd525a01e0
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffdd2468300 5 bytes JMP 00007ffd525a0200
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffdd2468420 5 bytes JMP 00007ffd525a01f0
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffdd2468500 5 bytes JMP 00007ffd525a0410
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffdd2468520 5 bytes JMP 00007ffd525a0420
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffdd2468540 5 bytes JMP 00007ffd525a0210
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffdd2468760 5 bytes JMP 00007ffd525a0270
? C:\WINDOWS\system32\apphelp.dll [4364] entry point in ".rdata" section 0000000070e30380
? C:\WINDOWS\system32\mssprxy.dll [4364] entry point in ".rdata" section 000000006f4aa4e0
? C:\Windows\SYSTEM32\iertutil.dll [4364] entry point in ".rdata" section 000000007279cb70
? C:\WINDOWS\system32\apphelp.dll [5228] entry point in ".rdata" section 0000000070e30380
? C:\WINDOWS\system32\apphelp.dll [2236] entry point in ".rdata" section 0000000070e30380
? C:\WINDOWS\system32\apphelp.dll [2736] entry point in ".rdata" section 0000000070e30380
? C:\WINDOWS\system32\apphelp.dll [6236] entry point in ".rdata" section 0000000070e30380
? C:\WINDOWS\system32\apphelp.dll [3088] entry point in ".rdata" section 0000000070e30380
? C:\WINDOWS\system32\apphelp.dll [1368] entry point in ".rdata" section 0000000070e30380
? C:\WINDOWS\system32\apphelp.dll [968] entry point in ".rdata" section 0000000070e30380
? C:\WINDOWS\SYSTEM32\NTASN1.dll [968] entry point in ".rdata" section 000000006fbebb10
? C:\WINDOWS\system32\apphelp.dll [612] entry point in ".rdata" section 0000000070e30380
? C:\WINDOWS\system32\apphelp.dll [6044] entry point in ".rdata" section 0000000070e30380
? C:\Windows\SYSTEM32\iertutil.dll [4656] entry point in ".rdata" section 000000007279cb70
? C:\WINDOWS\system32\apphelp.dll [4656] entry point in ".rdata" section 0000000070e30380
? C:\WINDOWS\system32\apphelp.dll [1564] entry point in ".rdata" section 0000000070e30380
? C:\WINDOWS\SYSTEM32\iertutil.dll [4200] entry point in ".rdata" section 000000007279cb70
? C:\WINDOWS\system32\wbem\wbemsvc.dll [4200] entry point in ".rdata" section 000000006f838fa0
? C:\Windows\SYSTEM32\ActXPrxy.dll [4200] entry point in ".rdata" section 00000000610fbd10
? C:\WINDOWS\system32\apphelp.dll [4032] entry point in ".rdata" section 0000000070e30380
? C:\WINDOWS\system32\apphelp.dll [4880] entry point in ".rdata" section 0000000070e30380
? C:\WINDOWS\system32\apphelp.dll [492] entry point in ".rdata" section 0000000070e30380
? C:\WINDOWS\system32\apphelp.dll [6092] entry point in ".rdata" section 0000000070e30380
? C:\WINDOWS\system32\apphelp.dll [200] entry point in ".rdata" section 0000000070e30380
? C:\WINDOWS\SYSTEM32\iertutil.dll [5440] entry point in ".rdata" section 000000007279cb70
? C:\WINDOWS\SYSTEM32\NTASN1.dll [5440] entry point in ".rdata" section 000000006fbebb10
? C:\WINDOWS\system32\apphelp.dll [4732] entry point in ".rdata" section 0000000070e30380

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [5040:3152] fffff9608d3d4060

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\BNQ78C587D00907SL0_1D_07DD_84^DBEEC4324AF7376002CA4B4D6BCBEFE5@Timestamp 0x16 0xDD 0x39 0xE5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -869116113
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 11755
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime 19488
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeBootMgrTime 608
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppTime 553
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppStartTimestamp 12365
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeLibraryInitTime 100
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeHiberFileTime 434
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeRestoreImageStartTimestamp 12483
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeIoTime 238
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressTime 175
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeKernelSwitchTimestamp 12919
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp 13002
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp 16842
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TimeStampCounterAtSwitchTime 12988
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState 19474
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberHiberFileTime 3945
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberInitTime 67
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalHibernateTime 7618
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeHiberFileTime 2944
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeSharedBufferTime 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime 2153
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelAnimationTime 66
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesProcessed 297073
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesWritten 0xA3 0xD2 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesProcessed 18064
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesWritten 0xF6 0x21 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberCompressRate 66
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeReadRate 160
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressRate 189
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@MaxHuffRatio 83
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberChecksumTime 106
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberChecksumIoTime 10
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelChecksumTime 247
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelChecksumIoTime 20
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeIoCpuTime 1462
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberIoCpuTime 263
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HybridBootAnimationTime 3869
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp 0x89 0x8F 0xF1 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556eabd66
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\fc-94-e3-91-82-4e@ClientLocalPort 61623
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\fc-94-e3-91-82-4e@AddressCreationTimestamp 0xFC 0x4F 0x45 0x0D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\fc-94-e3-91-82-4e@TeredoAddress 2001:0:9d38:6abd:204c:f48:a831:2efc
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_c9aef4
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_c9aef4@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_c9aef4@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_c9aef4@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_c9aef4@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_c9aef4@DisplayName MessagingService_c9aef4
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_c9aef4@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_c9aef4\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_c9aef4\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_c9aef4\TriggerInfo
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_c9aef4\TriggerInfo\0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_c9aef4\TriggerInfo\0@Type 7
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_c9aef4\TriggerInfo\0@Action 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_c9aef4\TriggerInfo\0@Guid 0x16 0x28 0x7A 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_c9aef4\TriggerInfo\0@Data0 0x75 0x18 0xBC 0xA3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_c9aef4\TriggerInfo\0@DataType0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_c9aef4
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_c9aef4
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_c9aef4@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_c9aef4@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_c9aef4@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_c9aef4@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_c9aef4@DisplayName Sync Host_c9aef4
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_c9aef4@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_c9aef4\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_c9aef4\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_c9aef4
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_c9aef4
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_c9aef4@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_c9aef4@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_c9aef4@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_c9aef4@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_c9aef4@DisplayName Contact Data_c9aef4
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_c9aef4@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_c9aef4\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_c9aef4\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_c9aef4
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 3304
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 942
Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 1026
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{338ac28c-fe32-4289-80ed-b09a031e4b39}@LeaseObtainedTime 1463075715
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{338ac28c-fe32-4289-80ed-b09a031e4b39}@T1 1463378115
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{338ac28c-fe32-4289-80ed-b09a031e4b39}@T2 1463604915
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{338ac28c-fe32-4289-80ed-b09a031e4b39}@LeaseTerminatesTime 1463680515
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_c9aef4
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_c9aef4@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_c9aef4@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_c9aef4@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_c9aef4@ImagePath C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_c9aef4@DisplayName User Data Storage_c9aef4
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_c9aef4@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_c9aef4\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_c9aef4\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_c9aef4
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_c9aef4
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_c9aef4@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_c9aef4@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_c9aef4@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_c9aef4@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_c9aef4@DisplayName User Data Access_c9aef4
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_c9aef4@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_c9aef4\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_c9aef4\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_c9aef4
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x61 0xEE 0x05 0x84 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x61 0x56 0xCA 0xE5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x61 0x86 0x41 0x22 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0xE8 0xFE 0x58 0x01 ...

---- Files - GMER 2.2 ----

File C:\Users\Bonzo\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002ed9 0 bytes
File C:\Users\Bonzo\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002943 0 bytes
File C:\Users\Bonzo\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002944 0 bytes
File C:\Users\Bonzo\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002945 0 bytes
File C:\Users\Bonzo\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002946 0 bytes
File C:\Users\Bonzo\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002947 0 bytes
File C:\Users\Bonzo\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002d0b 0 bytes
File C:\Users\Bonzo\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002d47 0 bytes
File C:\Users\Bonzo\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002e27 0 bytes
File C:\Users\Bonzo\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002e3a 0 bytes
File C:\Users\Bonzo\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002e88 0 bytes
File C:\Users\Bonzo\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002e89 0 bytes
File C:\Users\Bonzo\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002e8a 0 bytes
File C:\Users\Bonzo\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002e8b 0 bytes
File C:\Users\Bonzo\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002e8d 0 bytes
File C:\Users\Bonzo\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002e8e 0 bytes
File C:\Users\Bonzo\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002e8f 0 bytes
File C:\Users\Bonzo\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002e99 0 bytes
File C:\Users\Bonzo\AppData\Local\Google\Chrome\User Data\Default\Cache\f_002eaa 0 bytes
File C:\Users\Bonzo\AppData\Local\Google\Chrome\User Data\Default\Session Storage\001150.log 0 bytes

---- EOF - GMER 2.2 ----
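The "User code sections" part of this log is the part worth triaging: every Nt* stub listed for svchost.exe[1408] and AUDIODG.EXE[4108] carries a 5-byte JMP, and every jump lands in the same narrow window around 0x7ffd525a0000. The script below is an added example (not part of the log and not GMER's own code) that parses those lines, groups hooks per process, checks whether a process's jump targets all fall inside one small window (consistent with a single injected module rather than scattered patches), flags hooks on the stubs that matter for injection and driver loading, and reports processes that carry an identical hook set. The sample input is an excerpt copied from the log above; the 64 KiB window and the list of "sensitive" stubs are my assumptions, not GMER output.

```python
"""Parse the "User code sections" of a GMER log and summarise the user-mode
inline hooks it reports: per process, by jump target, and across processes.
Added example for this page; the line format is GMER's, the helpers are not."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Excerpt of the log above, unchanged: four hooks and one split-patch
# remainder from each hooked process, plus one "entry point" line.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffdd2465590 5 bytes JMP 00007ffd525a0360
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffdd2465810 1 byte JMP 00007ffd525a03a0
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffdd2465812 3 bytes {JMP 0xffffffff8013ab90}
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffdd2466740 5 bytes JMP 00007ffd525a03c0
.text C:\WINDOWS\system32\svchost.exe[1408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffdd2466fa0 5 bytes JMP 00007ffd525a01d0
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffdd2465590 5 bytes JMP 00007ffd525a0360
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffdd2465810 1 byte JMP 00007ffd525a03a0
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffdd2465812 3 bytes {JMP 0xffffffff8013ab90}
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffdd2466740 5 bytes JMP 00007ffd525a03c0
.text C:\WINDOWS\system32\AUDIODG.EXE[4108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffdd2466fa0 5 bytes JMP 00007ffd525a01d0
? C:\WINDOWS\system32\apphelp.dll [2288] entry point in ".rdata" section 0000000070e30380
"""

# ".text <image>[<pid>] <module>!<symbol>[ + off] <addr> <n> byte(s) <patch>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+?)!(?P<symbol>\S+(?:\s\+\s\d+)?)\s+"
    r"(?P<addr>[0-9a-fA-F]{8,16})\s+(?P<size>\d+)\s+bytes?\s+(?P<patch>.+)$")
# '? <module> [<pid>] entry point in "<section>" section <addr>'
ENTRY_RE = re.compile(
    r'^\?\s+(?P<module>.+?)\s+\[(?P<pid>\d+)\]\s+entry point in '
    r'"(?P<section>[^"]+)" section\s+(?P<addr>[0-9a-fA-F]+)$')
TARGET_RE = re.compile(r"JMP\s+(?:0x)?([0-9a-fA-F]+)")

# Assumption: stubs on the process-injection / driver-loading path get
# reviewed first. Hooks elsewhere are still hooks, just lower priority.
SENSITIVE = {"NtWriteVirtualMemory", "NtCreateThread", "NtCreateThreadEx",
             "NtQueueApcThreadEx", "NtSetContextThread", "NtLoadDriver",
             "NtDebugActiveProcess", "NtSystemDebugControl"}
ONE_MODULE_WINDOW = 0x10000  # assumption: targets within 64 KiB = one module


@dataclass
class Hook:
    image: str
    pid: int
    module: str
    symbol: str
    addr: int
    size: int
    patch: str
    target: Optional[int]
    fragment: bool  # "+ 2 ... {JMP ...}": tail of a split patch, not a hook

    @property
    def proc(self) -> str:
        return f"{self.image}[{self.pid}]"


def parse_gmer(text):
    """Return (hooks, entry_point_flags) from GMER 'User code sections' text."""
    hooks, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            patch = m["patch"].strip()
            t = TARGET_RE.search(patch)
            hooks.append(Hook(m["image"], int(m["pid"]), m["module"], m["symbol"],
                              int(m["addr"], 16), int(m["size"]), patch,
                              int(t.group(1), 16) if t else None,
                              patch.startswith("{")))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"module": m["module"], "pid": int(m["pid"]),
                            "section": m["section"], "addr": int(m["addr"], 16)})
    return hooks, entries


def summarize(hooks, window=ONE_MODULE_WINDOW):
    """Per process: hook count, sorted jump targets, their span, whether they
    fit one module-sized window, and which sensitive stubs are hooked."""
    per = defaultdict(list)
    for h in hooks:
        per[h.proc].append(h)
    out = {}
    for proc, hs in per.items():
        real = [h for h in hs if not h.fragment and h.target is not None]
        targets = sorted({h.target for h in real})
        span = targets[-1] - targets[0] if targets else 0
        out[proc] = {"hooks": len(real), "targets": targets, "span": span,
                     "single_module": bool(targets) and span <= window,
                     "sensitive": sorted({h.symbol for h in real
                                          if h.symbol in SENSITIVE})}
    return out


def identical_hook_sets(hooks):
    """Processes whose symbol->target maps match exactly. The same hooks at
    the same targets in several processes points at one module mapped at the
    same base everywhere, i.e. system-wide injection, not per-process work."""
    maps = defaultdict(dict)
    for h in hooks:
        if not h.fragment and h.target is not None:
            maps[h.proc][h.symbol] = h.target
    groups = defaultdict(list)
    for proc, m in maps.items():
        groups[tuple(sorted(m.items()))].append(proc)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    hooks, entries = parse_gmer(SAMPLE_LOG)
    for proc, s in summarize(hooks).items():
        print(f"{proc}: {s['hooks']} hooks, target span {s['span']:#x}, "
              f"one module: {s['single_module']}, sensitive: {s['sensitive']}")
    print("identical hook sets:", identical_hook_sets(hooks))
    print("entry-point flags:", [(e["module"], e["pid"]) for e in entries])
```

Two caveats when reading the result against this log. The "NtWriteVirtualMemory + 2 ... 3 bytes {JMP 0xffffffff8013ab90}" line is GMER rendering the remainder of the same 5-byte patch it already reported one line earlier, so the script treats it as a fragment and ignores its braced target. And the log itself never says which module owns the 0x7ffd525a0000 region, so the script cannot name it either; a loaded-module listing for PID 1408 or 4108 is what decides whether the hooks belong to a security product or to something that needs removing.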