GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-05-06 08:16:54
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000030 ST500LT012-1DG142 rev.0002LVM1 465,76GB
Running: srfc8tzc.exe; Driver: C:\Users\Marcin\AppData\Local\Temp\kgryakob.sys

---- User code sections - GMER 2.2 ----

? C:\WINDOWS\system32\apphelp.dll [2348] entry point in ".rdata" section 0000000072e8f7c0
? C:\WINDOWS\system32\wbem\wbemsvc.dll [2420] entry point in ".rdata" section 000000006e4a8fc0
? C:\WINDOWS\system32\wbem\wbemsvc.dll [2540] entry point in ".rdata" section 000000006e4a8fc0
? C:\WINDOWS\SYSTEM32\iertutil.dll [2836] entry point in ".rdata" section 0000000070f83150
? C:\WINDOWS\SYSTEM32\wship6.dll [2836] entry point in ".rdata" section 000000006a3b2470
? C:\WINDOWS\SYSTEM32\iertutil.dll [2860] entry point in ".rdata" section 0000000070f83150
? C:\WINDOWS\SYSTEM32\wship6.dll [2860] entry point in ".rdata" section 000000006a3b2470
? C:\WINDOWS\SYSTEM32\iertutil.dll [2888] entry point in ".rdata" section 0000000070f83150
? C:\WINDOWS\SYSTEM32\iertutil.dll [3196] entry point in ".rdata" section 0000000070f83150
? C:\WINDOWS\SYSTEM32\dbgcore.DLL [6876] entry point in ".rdata" section 000000007366c940
? C:\WINDOWS\SYSTEM32\iertutil.dll [6876] entry point in ".rdata" section 0000000070f83150
? C:\WINDOWS\SYSTEM32\iertutil.dll [7548] entry point in ".rdata" section 0000000070f83150
? C:\WINDOWS\SYSTEM32\wship6.dll [7548] entry point in ".rdata" section 000000006a3b2470
? C:\WINDOWS\SYSTEM32\iertutil.dll [8136] entry point in ".rdata" section 0000000070f83150
? C:\WINDOWS\system32\wbem\wbemsvc.dll [3060] entry point in ".rdata" section 000000006e4a8fc0
? C:\WINDOWS\SYSTEM32\iertutil.dll [3060] entry point in ".rdata" section 0000000070f83150
? C:\WINDOWS\SYSTEM32\NTASN1.dll [3060] entry point in ".rdata" section 00000000691da020
? C:\WINDOWS\system32\ncryptsslp.dll [3060] entry point in ".rdata" section 00000000691b04f0
? C:\WINDOWS\system32\apphelp.dll [7452] entry point in ".rdata" section 0000000072e8f7c0
? C:\WINDOWS\System32\iertutil.dll [7452] entry point in ".rdata" section 0000000070f83150
? C:\WINDOWS\SYSTEM32\NTASN1.dll [7452] entry point in ".rdata" section 00000000691da020
? C:\WINDOWS\system32\ncryptsslp.dll [7452] entry point in ".rdata" section 00000000691b04f0
? C:\WINDOWS\system32\apphelp.dll [5540] entry point in ".rdata" section 0000000072e8f7c0
? C:\WINDOWS\SYSTEM32\dbgcore.DLL [7772] entry point in ".rdata" section 000000007366c940
? C:\WINDOWS\system32\wbem\wbemsvc.dll [7772] entry point in ".rdata" section 000000006e4a8fc0
? C:\WINDOWS\SYSTEM32\NTASN1.dll [7772] entry point in ".rdata" section 00000000691da020
? C:\WINDOWS\SYSTEM32\iertutil.dll [7772] entry point in ".rdata" section 0000000070f83150
? C:\WINDOWS\system32\apphelp.dll [9052] entry point in ".rdata" section 0000000072e8f7c0

---- User IAT/EAT - GMER 2.2 ----

IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!_ismbblead] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!memset] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!_callnewh] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!??0exception@@QEAA@AEBQEBDH@Z] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!___lc_handle_func] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!__uncaught_exception] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!??0bad_cast@@QEAA@PEBD@Z] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!__pctype_func] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!memcpy] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!iswalpha] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!??0exception@@QEAA@AEBQEBD@Z] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!iswdigit] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!__CxxFrameHandler3] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!??1type_info@@UEAA@XZ] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!??0bad_cast@@QEAA@AEBV0@@Z] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!_onexit] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!__dllonexit] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!memmove] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!wcstok_s] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!memmove_s] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!realloc] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!_initterm] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!_amsg_exit] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!_XcptFilter] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!abort] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!_purecall] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!??1bad_cast@@UEAA@XZ] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!wcschr] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!_CxxThrowException] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!___lc_codepage_func] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!_unlock] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!sqrt] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!malloc] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!memcmp] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!_lock] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!towupper] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!wcsncmp] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!free] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!_vsnprintf_s] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!?what@exception@@UEBAPEBDXZ] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!wcsstr] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!_set_errno] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!??0exception@@QEAA@AEBV0@@Z] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!_get_errno] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!_free_locale] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!_get_current_locale] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!__crtLCMapStringW] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!_wcsdup] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!_errno] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!___mb_cur_max_func] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!setlocale] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!calloc] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!_vsnwprintf] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!memcpy_s] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!??3@YAXPEAX@Z] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!??1exception@@UEAA@XZ] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!??0exception@@QEAA@XZ] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!wcscpy_s] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!_wcsicmp] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!wcstoul] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!iswalnum] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[msvcrt.dll!??_V@YAXPEAX@Z] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[ntdll.dll!ZwQueryWnfStateData] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[ntdll.dll!RtlNtStatusToDosError] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[ntdll.dll!RtlGetSuiteMask] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[ntdll.dll!NtQueryInformationToken] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[wevtapi.dll!EvtSetChannelConfigProperty] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[wevtapi.dll!EvtSaveChannelConfig] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[wevtapi.dll!EvtClose] [0]
IAT C:\WINDOWS\system32\svchost.exe[1052] @ C:\WINDOWS\system32\SettingSync.dll[wevtapi.dll!EvtOpenChannelConfig] [0]

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [796:840] ffffa1a236736c20
Thread C:\WINDOWS\system32\svchost.exe [1052:3996] 0000026d9e430c8c
Thread C:\WINDOWS\system32\svchost.exe [1052:4008] 0000026d9e430c8c
Thread C:\WINDOWS\system32\svchost.exe [1052:4016] 0000026d9e430c8c
Thread C:\WINDOWS\system32\svchost.exe [1052:2756] 0000026d9e427378
Thread C:\WINDOWS\system32\svchost.exe [1052:2940] 0000026d9e427378
Thread C:\WINDOWS\system32\svchost.exe [1052:3000] 0000026d9e4a0c8c
Thread C:\WINDOWS\system32\svchost.exe [1052:3148] 0000026d9e4a0c8c
Thread C:\WINDOWS\system32\svchost.exe [1052:3384] 0000026d9e4a0c8c
Thread C:\WINDOWS\system32\svchost.exe [1052:4168] 0000026d9e497378
Thread C:\WINDOWS\system32\svchost.exe [1052:4172] 0000026d9e497378
Thread C:\WINDOWS\SysWOW64\svchost.exe [7452:9076] 00000000007a2acf
Thread C:\WINDOWS\SysWOW64\svchost.exe [7452:9124] 00000000007a2acf
Thread C:\WINDOWS\SysWOW64\svchost.exe [7452:9132] 00000000007a2acf
Thread C:\WINDOWS\SysWOW64\svchost.exe [7452:540] 00000000007a2acf
Thread C:\WINDOWS\SysWOW64\svchost.exe [7452:9116] 00000000007a2acf
Thread C:\WINDOWS\SysWOW64\rundll32.exe [5540:9208] 0000000004602acf
Thread C:\WINDOWS\SysWOW64\rundll32.exe [5540:7688] 0000000004602acf
Thread C:\WINDOWS\SysWOW64\rundll32.exe [5540:7684] 0000000004602acf
Thread C:\WINDOWS\SysWOW64\rundll32.exe [5540:5272] 0000000004602acf
Thread C:\WINDOWS\SysWOW64\rundll32.exe [5540:5552] 0000000004602acf
Thread C:\WINDOWS\system32\backgroundTaskHost.exe [9416:5000] 00007ff8b19625a0
Thread C:\WINDOWS\system32\backgroundTaskHost.exe [9416:9540] 00007ff8b19625a0
Thread C:\WINDOWS\system32\backgroundTaskHost.exe [9416:1676] 00007ff8a9e5e010

---- Processes - GMER 2.2 ----

Library C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll (*** suspicious ***) @ C:\WINDOWS\system32\SearchProtocolHost.exe [9740] 00007ff8764e0000

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -2111408269
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\b0c09061ca2c
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\b0c09061ca2c@0ca694d632a7 0x29 0x06 0xFB 0x31 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\b0c09061ca2c@fc35e60e8e56 0xF8 0xEB 0x1D 0x83 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\b0c09061ca2c@d8c4e9fd22b2 0x2A 0x48 0x5A 0xBE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\b0c09061ca2c@001167111140 0xE3 0x35 0x99 0xB4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\b0c09061ca2c@fca89aa0d1b7 0x82 0x70 0x71 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2a0a8503-7f71-4abd-b719-f645d1735b2c}@LeaseObtainedTime 1494015456
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2a0a8503-7f71-4abd-b719-f645d1735b2c}@T1 1494017256
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2a0a8503-7f71-4abd-b719-f645d1735b2c}@T2 1494018606
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2a0a8503-7f71-4abd-b719-f645d1735b2c}@LeaseTerminatesTime 1494019056
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xCE 0x61 0xD1 0xD8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xCE 0xC9 0x95 0x3A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xCE 0xF9 0x0C 0x77 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@FE9E855F617E73E6 0x00 0x4C 0xD2 0xD3 ...

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- Files - GMER 2.2 ----

File C:\Users\Marcin\AppData\Local\Firefox\Firefox\Profiles\fstoounl.default-1491029449038\cache2\entries\B24F3DBF4C2531A245B8D57B1E8DA19DE1C373D7 1313 bytes
File C:\Windows\Temp\WAX9B61.tmp (size mismatch) 389120/0 bytes executable

---- EOF - GMER 2.2 ----