GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-04-16 22:08:38 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002b WDC_WD5000BEVT-22A0RT0 rev.01.01A01 465,76GB Running: 325pq9hi.exe; Driver: C:\Users\PAWE~1\AppData\Local\Temp\kfadipob.sys ---- User code sections - GMER 2.2 ---- .text C:\WINDOWS\Explorer.EXE[3724] C:\WINDOWS\system32\KERNEL32.DLL!CreateProcessW 00007ffccbf03b00 6 bytes {JMP QWORD [RIP+0x4ec530]} ? C:\WINDOWS\SYSTEM32\NTASN1.dll [6124] entry point in ".rdata" section 000000006bfabb10 ? C:\WINDOWS\SYSTEM32\iertutil.dll [2348] entry point in ".rdata" section 000000006af6ca20 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [2348] entry point in ".rdata" section 000000006c358fa0 ? C:\Windows\SYSTEM32\ActXPrxy.dll [2348] entry point in ".rdata" section 00000000705abc40 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [5880] entry point in ".rdata" section 000000006bfabb10 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [6068] entry point in ".rdata" section 000000006c358fa0 ? C:\WINDOWS\system32\apphelp.dll [7144] entry point in ".rdata" section 000000006a760380 ---- User IAT/EAT - GMER 2.2 ---- IAT C:\WINDOWS\system32\svchost.exe[1104] @ C:\WINDOWS\system32\bitsigd.dll[msvcrt.dll!malloc] [0] IAT C:\WINDOWS\system32\svchost.exe[1104] @ C:\WINDOWS\system32\bitsigd.dll[msvcrt.dll!_amsg_exit] [0] IAT C:\WINDOWS\system32\svchost.exe[1104] @ C:\WINDOWS\system32\bitsigd.dll[ntdll.dll!EtwEventEnabled] [0] IAT C:\WINDOWS\system32\svchost.exe[1104] @ C:\WINDOWS\system32\bitsigd.dll[ntdll.dll!EtwGetTraceEnableLevel] [0] ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [728:896] fffff9604ddf4060 Thread C:\WINDOWS\SysWOW64\svchost.exe [2308:2740] 000000000470151b Thread C:\WINDOWS\SysWOW64\svchost.exe [2308:2816] 00000000047363d2 Thread C:\WINDOWS\SysWOW64\svchost.exe [2308:2840] 00000000047363d2 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xD2 0x23 0x5B 0xF2 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x76 0xCA 0xF5 0xA7 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x03 0x0E 0x67 0xF2 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xA1 0x2C 0xF8 0xA7 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 440 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\AUO22EC0_00_07DB_72^E47274AA5D50EF66693D6EE7DBA64283@Timestamp 0x1D 0xC2 0xD2 0xCE ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 860 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Users\PAWE~1\AppData\Local\Temp\~nsu.tmp\Au_.exe??\??\C:\Users\PAWE~1\AppData\Local\Temp\~nsu.tmp??\??\C:\Users\PAWE~1\AppData\Local\Temp\nshC0F0.tmp\??\??\C:\Users\PAWE~1\AppData\Local\Temp\nshC0F0.tmp\Lang\ENU.dll??\??\C:\Users\PAWE~1\AppData\Local\Temp\nshC0F0.tmp\Lang\PLK.dll?? Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 152932198 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -615422584 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 448 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 502005797 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 7010 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 3fa84149-cea7-4581-b13c-965f96f Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettings@LastLSMInstanceID 3fa84149-cea7-4581-b13c-965f96f Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\WdiContextLog@FileCounter 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\Bfilter@RunningTime 0xDD 0x26 0x4F 0xE3 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Bfmon@RunningTime 0x65 0xB0 0x58 0xE3 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\Bnbase@RunningTime 0x0D 0xF1 0xF9 0xE4 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Bndef@RunningTime 0x42 0x07 0x6E 0xE5 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Bprotect@RunningTime 0x15 0x74 0x7C 0xE3 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{22bb394a-8a23-4354-969d-059c326e8d5c}@LastProbeTime 1492368429 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime niedz., kwi 16 17, 06:57:33 PM Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 15623 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 15901 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 439 Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 755 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ccde6c41-a9e1-4fa3-ba08-8ff2dae2174c}@LeaseObtainedTime 1492367228 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ccde6c41-a9e1-4fa3-ba08-8ff2dae2174c}@T1 1492410428 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ccde6c41-a9e1-4fa3-ba08-8ff2dae2174c}@T2 1492442828 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ccde6c41-a9e1-4fa3-ba08-8ff2dae2174c}@LeaseTerminatesTime 1492453628 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x1B 0x49 0x23 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x1B 0xB1 0xE7 0x63 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x1B 0xE1 0x5E 0xA0 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0x08 0x28 0x63 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@Rw 0x64 0x62 0x03 0x00 ... 
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\2@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\2@RwMask 0x64 0x62 0x03 0x00 ... ---- EOF - GMER 2.2 ----