GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-05-28 19:06:27
Windows 6.2.9200 x64 \Device\Harddisk1\DR1 -> \Device\0000003a GOODRAM rev.SAFM22.3 223,57GB
Running: u8jwzgqu.exe; Driver: C:\Users\GK\AppData\Local\Temp\awrdrkob.sys


---- User code sections - GMER 2.2 ----

.text   D:\Program Files\Bitdefender\Bitdefender 2017\vsserv.exe[1440] C:\Windows\System32\KERNEL32.DLL!UnhandledExceptionFilter + 1   00007ffa27dda7d1 11 bytes [B8, 40, 08, 47, 7E, F2, 01, ...]
.text   C:\Program Files\Bitdefender\Bitdefender Device Management\DevMgmtService.exe[1696] C:\Windows\System32\KERNEL32.DLL!UnhandledExceptionFilter + 1   00007ffa27dda7d1 11 bytes [B8, 40, 08, 65, 54, CE, 02, ...]
?       C:\Windows\SYSTEM32\NTASN1.dll [3140] entry point in ".rdata" section   000000007207a020
?       C:\Windows\system32\ncryptsslp.dll [3140] entry point in ".rdata" section   00000000720504f0
.text   D:\Program Files\Bitdefender\Bitdefender 2017\updatesrv.exe[3484] C:\Windows\System32\KERNEL32.DLL!UnhandledExceptionFilter + 1   00007ffa27dda7d1 11 bytes [B8, 40, 08, C1, 5A, F7, 01, ...]
?       C:\Windows\SYSTEM32\NTASN1.dll [4756] entry point in ".rdata" section   000000007207a020
?       C:\Windows\system32\ncryptsslp.dll [4756] entry point in ".rdata" section   00000000720504f0
?       C:\Windows\system32\apphelp.dll [5988] entry point in ".rdata" section   000000007293f7c0
?       C:\Windows\system32\apphelp.dll [6000] entry point in ".rdata" section   000000007293f7c0
?       C:\Windows\system32\apphelp.dll [8656] entry point in ".rdata" section   000000007293f7c0
?       C:\Windows\SYSTEM32\iertutil.dll [8656] entry point in ".rdata" section   000000006fad3570
?       C:\Windows\SYSTEM32\NTASN1.dll [8656] entry point in ".rdata" section   000000007207a020
?       C:\Windows\SYSTEM32\atlthunk.dll [8656] entry point in ".data" section   000000006a324290
?       C:\Windows\system32\wbem\wbemsvc.dll [8656] entry point in ".rdata" section   0000000064cf8fc0
?       C:\Windows\System32\ActXPrxy.dll [8656] entry point in ".rdata" section   0000000062e49c50
.text   C:\Program Files (x86)\Opera\44.0.2510.857\opera.exe[8656] C:\Users\GK\AppData\Local\Microsoft\OneDrive\17.3.6799.0327\MSVCR120.dll!_errno + 711   0000000061af1a44 5 bytes JMP fffffffffee90e70
.text   C:\Program Files (x86)\Opera\44.0.2510.857\opera.exe[8656] C:\Users\GK\AppData\Local\Microsoft\OneDrive\17.3.6799.0327\MSVCR120.dll!fopen   0000000061b61dc4 5 bytes JMP fffffffffee90e92
?       C:\Windows\system32\mssprxy.dll [8656] entry point in ".rdata" section   000000006187a650
?       C:\Windows\SYSTEM32\PhotoMetadataHandler.dll [8656] entry point in ".rdata" section   00000000617b5d20
?       C:\Windows\System32\smartscreenps.dll [8656] entry point in ".rdata" section   00000000624558a0
?       C:\Windows\System32\OneCoreCommonProxyStub.dll [8656] entry point in ".rdata" section   0000000061ffda90
?       C:\Windows\system32\apphelp.dll [8732] entry point in ".rdata" section   000000007293f7c0
?       C:\Windows\system32\apphelp.dll [8860] entry point in ".rdata" section   000000007293f7c0
?       C:\Windows\SYSTEM32\iertutil.dll [8860] entry point in ".rdata" section   000000006fad3570
?       C:\Windows\SYSTEM32\NTASN1.dll [8860] entry point in ".rdata" section   000000007207a020
?       C:\Windows\system32\apphelp.dll [8900] entry point in ".rdata" section   000000007293f7c0
?       C:\Windows\SYSTEM32\iertutil.dll [8900] entry point in ".rdata" section   000000006fad3570
?       C:\Windows\SYSTEM32\NTASN1.dll [8900] entry point in ".rdata" section   000000007207a020
?       C:\Windows\SYSTEM32\dbgcore.DLL [8900] entry point in ".rdata" section   000000006ad7c940
?       C:\Windows\system32\apphelp.dll [9080] entry point in ".rdata" section   000000007293f7c0
?       C:\Windows\SYSTEM32\iertutil.dll [9080] entry point in ".rdata" section   000000006fad3570
?       C:\Windows\SYSTEM32\NTASN1.dll [9080] entry point in ".rdata" section   000000007207a020
?       C:\Windows\SYSTEM32\dbgcore.DLL [9080] entry point in ".rdata" section   000000006ad7c940
?       C:\Windows\system32\apphelp.dll [6336] entry point in ".rdata" section   000000007293f7c0
?       C:\Windows\SYSTEM32\iertutil.dll [6336] entry point in ".rdata" section   000000006fad3570
?       C:\Windows\SYSTEM32\NTASN1.dll [6336] entry point in ".rdata" section   000000007207a020
?       C:\Windows\SYSTEM32\dbgcore.DLL [6336] entry point in ".rdata" section   000000006ad7c940
?       C:\Windows\system32\apphelp.dll [8960] entry point in ".rdata" section   000000007293f7c0
?       C:\Windows\SYSTEM32\iertutil.dll [8960] entry point in ".rdata" section   000000006fad3570
?       C:\Windows\SYSTEM32\NTASN1.dll [8960] entry point in ".rdata" section   000000007207a020
?       C:\Windows\SYSTEM32\dbgcore.DLL [8960] entry point in ".rdata" section   000000006ad7c940
?       C:\Windows\system32\apphelp.dll [9356] entry point in ".rdata" section   000000007293f7c0
?       C:\Windows\SYSTEM32\iertutil.dll [9356] entry point in ".rdata" section   000000006fad3570
?       C:\Windows\SYSTEM32\NTASN1.dll [9356] entry point in ".rdata" section   000000007207a020
?       C:\Windows\SYSTEM32\dbgcore.DLL [9356] entry point in ".rdata" section   000000006ad7c940
?       C:\Windows\system32\apphelp.dll [9376] entry point in ".rdata" section   000000007293f7c0
?       C:\Windows\SYSTEM32\iertutil.dll [9376] entry point in ".rdata" section   000000006fad3570
?       C:\Windows\SYSTEM32\NTASN1.dll [9376] entry point in ".rdata" section   000000007207a020
?       C:\Windows\SYSTEM32\dbgcore.DLL [9376] entry point in ".rdata" section   000000006ad7c940
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1   00007ffa27fc47f1 11 bytes [B8, E8, 10, D8, 13, F7, 7F, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1   00007ffa280271e1 11 bytes [B8, 64, 0D, D8, 13, F7, 7F, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile   00007ffa280661c0 12 bytes [48, B8, 7C, 22, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtClose   00007ffa280662a0 12 bytes [48, B8, 98, 15, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory   00007ffa280663c0 12 bytes [48, B8, 36, 1D, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess   00007ffa28066440 12 bytes [48, B8, 14, 12, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess   00007ffa28066580 12 bytes [48, B8, 5C, 06, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection   00007ffa280665c0 12 bytes [48, B8, 80, 00, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection   00007ffa28066600 12 bytes [48, B8, 16, 01, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess   00007ffa28066640 12 bytes [48, B8, 7E, 11, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection   00007ffa280667a0 12 bytes [48, B8, 50, 21, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory   00007ffa28066800 12 bytes [48, B8, 30, 05, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject   00007ffa28066840 12 bytes [48, B8, 88, 07, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent   00007ffa280668c0 12 bytes [48, B8, 0A, 1C, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken   00007ffa280668e0 12 bytes [48, B8, 48, 1A, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread   00007ffa28066960 12 bytes [48, B8, F2, 06, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx   00007ffa28066a60 12 bytes [48, B8, 04, 04, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread   00007ffa28066a80 12 bytes [48, B8, D8, 02, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory   00007ffa28066ac0 12 bytes [48, B8, CC, 1D, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile   00007ffa28066b60 12 bytes [48, B8, E6, 21, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey   00007ffa28066cb0 12 bytes [48, B8, A8, 23, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant   00007ffa280675d0 12 bytes [48, B8, A0, 1C, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess   00007ffa28067690 12 bytes [48, B8, 6E, 03, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx   00007ffa28067770 12 bytes [48, B8, 42, 02, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver   00007ffa28067fd0 12 bytes [48, B8, 2E, 16, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError   00007ffa28068b30 12 bytes [48, B8, 52, 10, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread   00007ffa28068fb0 12 bytes [48, B8, C6, 05, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation   00007ffa28069390 12 bytes [48, B8, C4, 16, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess   00007ffa280695b0 12 bytes [48, B8, 4A, 09, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread   00007ffa280695d0 12 bytes [48, B8, B4, 08, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl   00007ffa280695f0 12 bytes [48, B8, 12, 23, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\System32\GDI32.dll!Gdi32DllInitialize + 1   00007ffa278d4311 11 bytes [B8, 6A, 25, D8, 13, F7, 7F, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\System32\GDI32.dll!ClearBrushAttributes   00007ffa278d8010 12 bytes [48, B8, 3A, 46, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\System32\GDI32.dll!NamedEscape   00007ffa278dbf10 12 bytes [48, B8, D0, 46, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] C:\Windows\System32\GDI32.dll!SetBrushAttributes   00007ffa278df390 12 bytes [48, B8, A4, 45, D8, 13, F7, ...]
.text   D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\fdhost.exe[9848] D:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\dbghelp.dll!MiniDumpWriteDump   0000000051f671a0 12 bytes [48, B8, 66, 47, D8, 13, F7, ...]
?       C:\Windows\system32\apphelp.dll [7972] entry point in ".rdata" section   000000007293f7c0
?       C:\Windows\SYSTEM32\iertutil.dll [7972] entry point in ".rdata" section   000000006fad3570
?       C:\Windows\SYSTEM32\NTASN1.dll [7972] entry point in ".rdata" section   000000007207a020
?       C:\Windows\SYSTEM32\dbgcore.DLL [7972] entry point in ".rdata" section   000000006ad7c940
?       C:\Windows\system32\apphelp.dll [7204] entry point in ".rdata" section   000000007293f7c0
?       C:\Windows\SYSTEM32\iertutil.dll [7204] entry point in ".rdata" section   000000006fad3570
?       C:\Windows\SYSTEM32\NTASN1.dll [7204] entry point in ".rdata" section   000000007207a020
?       C:\Windows\SYSTEM32\dbgcore.DLL [7204] entry point in ".rdata" section   000000006ad7c940
?       C:\Windows\system32\apphelp.dll [7348] entry point in ".rdata" section   000000007293f7c0
?       C:\Windows\SYSTEM32\iertutil.dll [7348] entry point in ".rdata" section   000000006fad3570
?       C:\Windows\SYSTEM32\NTASN1.dll [7348] entry point in ".rdata" section   000000007207a020
?       C:\Windows\SYSTEM32\dbgcore.DLL [7348] entry point in ".rdata" section   000000006ad7c940
?       C:\Windows\system32\apphelp.dll [4528] entry point in ".rdata" section   000000007293f7c0
?       C:\Windows\SYSTEM32\iertutil.dll [4528] entry point in ".rdata" section   000000006fad3570
?       C:\Windows\SYSTEM32\NTASN1.dll [4528] entry point in ".rdata" section   000000007207a020
?       C:\Windows\SYSTEM32\dbgcore.DLL [4528] entry point in ".rdata" section   000000006ad7c940
.text   C:\Windows\system32\DllHost.exe[1612] C:\Windows\System32\sechost.dll!OpenServiceA   00007ffa26ceeab0 12 bytes [48, B8, A8, 23, 19, F3, F7, ...]
.text   C:\Windows\system32\DllHost.exe[1612] C:\Windows\System32\sechost.dll!OpenServiceW   00007ffa26cf18f0 12 bytes [48, B8, 3E, 24, 19, F3, F7, ...]
.text   C:\Windows\system32\DllHost.exe[1612] C:\Windows\System32\sechost.dll!CloseServiceHandle + 1   00007ffa26cf1991 11 bytes [B8, 58, 28, 19, F3, F7, 7F, ...]
.text   C:\Windows\system32\DllHost.exe[1612] C:\Windows\System32\sechost.dll!ControlServiceExW + 1   00007ffa26cf2981 11 bytes [B8, 6A, 25, 19, F3, F7, 7F, ...]
.text   C:\Windows\system32\DllHost.exe[1612] C:\Windows\System32\sechost.dll!ChangeServiceConfigW + 1   00007ffa26cf2b51 11 bytes [B8, C2, 27, 19, F3, F7, 7F, ...]
.text   C:\Windows\system32\DllHost.exe[1612] C:\Windows\System32\sechost.dll!ControlService + 1   00007ffa26cf2cd1 11 bytes [B8, 00, 26, 19, F3, F7, 7F, ...]
.text   C:\Windows\system32\DllHost.exe[1612] C:\Windows\System32\sechost.dll!ControlService + 97   00007ffa26cf2d31 11 bytes [B8, 12, 23, 19, F3, F7, 7F, ...]
.text   C:\Windows\system32\DllHost.exe[1612] C:\Windows\System32\sechost.dll!ChangeServiceConfigA + 1   00007ffa26cf8241 11 bytes [B8, 2C, 27, 19, F3, F7, 7F, ...]
.text   C:\Windows\system32\DllHost.exe[1612] C:\Windows\System32\sechost.dll!ControlServiceExA + 1   00007ffa26d07ca1 11 bytes [B8, D4, 24, 19, F3, F7, 7F, ...]
.text   C:\Windows\system32\DllHost.exe[1612] C:\Windows\System32\sechost.dll!DeleteService + 1   00007ffa26d08531 11 bytes [B8, 96, 26, 19, F3, F7, 7F, ...]
.text   C:\Windows\system32\DllHost.exe[1612] C:\Windows\System32\GDI32.dll!Gdi32DllInitialize + 1   00007ffa278d4311 11 bytes [B8, 84, 29, 19, F3, F7, 7F, ...]
.text   C:\Windows\system32\DllHost.exe[1612] C:\Windows\System32\GDI32.dll!ClearBrushAttributes   00007ffa278d8010 12 bytes [48, B8, B0, 2A, 19, F3, F7, ...]
.text   C:\Windows\system32\DllHost.exe[1612] C:\Windows\System32\GDI32.dll!NamedEscape   00007ffa278dbf10 12 bytes [48, B8, 46, 2B, 19, F3, F7, ...]
.text   C:\Windows\system32\DllHost.exe[1612] C:\Windows\System32\GDI32.dll!SetBrushAttributes   00007ffa278df390 12 bytes [48, B8, 1A, 2A, 19, F3, F7, ...]
?       C:\Windows\system32\apphelp.dll [3952] entry point in ".rdata" section   000000007293f7c0
?       C:\Windows\SYSTEM32\iertutil.dll [3952] entry point in ".rdata" section   000000006fad3570
?       C:\Windows\SYSTEM32\NTASN1.dll [3952] entry point in ".rdata" section   000000007207a020
?       C:\Windows\SYSTEM32\dbgcore.DLL [3952] entry point in ".rdata" section   000000006ad7c940
?       C:\Windows\system32\apphelp.dll [7308] entry point in ".rdata" section   000000007293f7c0
?       C:\Windows\SYSTEM32\iertutil.dll [7308] entry point in ".rdata" section   000000006fad3570
?       C:\Windows\SYSTEM32\NTASN1.dll [7308] entry point in ".rdata" section   000000007207a020
?       C:\Windows\SYSTEM32\dbgcore.DLL [7308] entry point in ".rdata" section   000000006ad7c940
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\GDI32.dll!Gdi32DllInitialize + 1   00007ffa278d4311 11 bytes [B8, A8, 23, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\GDI32.dll!ClearBrushAttributes   00007ffa278d8010 12 bytes [48, B8, D4, 24, D0, BA, F6, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\GDI32.dll!NamedEscape   00007ffa278dbf10 12 bytes [48, B8, 6A, 25, D0, BA, F6, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\GDI32.dll!SetBrushAttributes   00007ffa278df390 12 bytes [48, B8, 3E, 24, D0, BA, F6, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\sechost.dll!OpenServiceA   00007ffa26ceeab0 12 bytes [48, B8, 56, 39, D0, BA, F6, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\sechost.dll!OpenServiceW   00007ffa26cf18f0 12 bytes [48, B8, EC, 39, D0, BA, F6, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\sechost.dll!CloseServiceHandle + 1   00007ffa26cf1991 11 bytes [B8, 06, 3E, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\sechost.dll!ControlServiceExW + 1   00007ffa26cf2981 11 bytes [B8, 18, 3B, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\sechost.dll!ChangeServiceConfigW + 1   00007ffa26cf2b51 11 bytes [B8, 70, 3D, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\sechost.dll!ControlService + 1   00007ffa26cf2cd1 11 bytes [B8, AE, 3B, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\sechost.dll!ControlService + 97   00007ffa26cf2d31 11 bytes [B8, C0, 38, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\sechost.dll!ChangeServiceConfigA + 1   00007ffa26cf8241 11 bytes [B8, DA, 3C, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\sechost.dll!ControlServiceExA + 1   00007ffa26d07ca1 11 bytes [B8, 82, 3A, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\sechost.dll!DeleteService + 1   00007ffa26d08531 11 bytes [B8, 44, 3C, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\SHELL32.dll!Shell_NotifyIconW + 1   00007ffa255cce91 11 bytes [B8, 3A, 46, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\system32\WINHTTP.dll!WinHttpOpenRequest   00007ffa12c9beb0 12 bytes [48, B8, 66, 47, D0, BA, F6, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\system32\WINHTTP.dll!WinHttpCloseHandle + 1   00007ffa12cacf01 11 bytes [B8, FC, 47, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\system32\WINHTTP.dll!WinHttpConnect + 1   00007ffa12cbb761 11 bytes [B8, 92, 48, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\WS2_32.dll!connect   00007ffa26c687a0 12 bytes [48, B8, BE, 49, D0, BA, F6, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\WS2_32.dll!socket + 1   00007ffa26c6a431 11 bytes [B8, 6E, 4E, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\WS2_32.dll!WSASocketW + 1   00007ffa26c6a9a1 11 bytes [B8, AC, 4C, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\WS2_32.dll!recv + 1   00007ffa26c6afc1 11 bytes [B8, 9A, 4F, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\WS2_32.dll!closesocket + 1   00007ffa26c6b721 11 bytes [B8, 42, 4D, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\WS2_32.dll!WSASend + 1   00007ffa26c6b921 11 bytes [B8, D8, 4D, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\WS2_32.dll!WSARecv + 1   00007ffa26c6bdb1 11 bytes [B8, 30, 50, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\WS2_32.dll!send + 1   00007ffa26c6c521 11 bytes [B8, 16, 4C, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\WS2_32.dll!GetAddrInfoW   00007ffa26c6d320 12 bytes [48, B8, 54, 4A, D0, BA, F6, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\WS2_32.dll!GetAddrInfoExW   00007ffa26c70160 12 bytes [48, B8, EA, 4A, D0, BA, F6, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\WS2_32.dll!gethostbyname + 1   00007ffa26c73411 11 bytes [B8, 80, 4B, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\WS2_32.dll!WEP + 257   00007ffa26c78f61 11 bytes [B8, 28, 49, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\System32\WS2_32.dll!WSAConnect + 1   00007ffa26c94c71 11 bytes [B8, 04, 4F, D0, BA, F6, 7F, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\system32\DNSAPI.dll!DnsQuery_W   00007ffa23ab7810 12 bytes [48, B8, F2, 51, D0, BA, F6, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\system32\DNSAPI.dll!DnsQuery_UTF8   00007ffa23ab8080 12 bytes [48, B8, 88, 52, D0, BA, F6, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\system32\DNSAPI.dll!DnsQueryEx   00007ffa23abf700 12 bytes [48, B8, 1E, 53, D0, BA, F6, ...]
.text   C:\Windows\system32\taskhostw.exe[7012] C:\Windows\system32\DNSAPI.dll!DnsQuery_A   00007ffa23aeff60 12 bytes [48, B8, 5C, 51, D0, BA, F6, ...]
?       C:\Windows\system32\apphelp.dll [6444] entry point in ".rdata" section   000000007293f7c0

---- Threads - GMER 2.2 ----

Thread  C:\Windows\system32\csrss.exe [740:792]   ffffe1ab165a6c20

---- Registry - GMER 2.2 ----

Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime   0xF3 0x4C 0x4C 0xD8 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime   0x2F 0xED 0x6E 0xA8 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime   0xF3 0x4C 0x4C 0xD8 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime   0x2F 0xED 0x6E 0xA8 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL   35
Reg     HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\AUO38ED0_2B_07DE_E9^2228013BD2EB61EE1E739D6BE017F8BB@Timestamp   0xDC 0xD6 0xE8 0xD5 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations   \??\C:\Users\GK\AppData\Local\Temp\~nsu.tmp\Au_.exe??\??\C:\Users\GK\AppData\Local\Temp\~nsu.tmp??\??\C:\Users\GK\AppData\Local\Temp\nsmE931.tmp\??\??\C:\Users\GK\AppData\Local\Temp\nsmE931.tmp\Lang\ENU.dll??\??\C:\Users\GK\AppData\Local\Temp\nsmE931.tmp\Lang\PLK.dll??\??\C:\Users\GK\AppData\Local\Temp\nsmE931.tmp\SetupHelper.exe??\??\C:\Users\GK\AppData\Local\Temp\nsmE931.tmp\??\??\C:\Users\GK\AppData\Local\Temp\_iu14D2N.tmp??
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed   233169989
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID   4196146f-f62f-4209-ba37-f8cce9f
Reg     HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\1002b5c9ceb6
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{ca9824fd-6d61-4795-a7a2-a5b5609f7600}@LastProbeTime   1495977826
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ialm\Device0@ProfilingToolValues   0
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch   8121
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch   2226
Reg     HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence   34
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ae627f8a-a023-4e52-93ed-f4f906f26463}@LeaseObtainedTime   1495984520
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ae627f8a-a023-4e52-93ed-f4f906f26463}@T1   1495986320
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ae627f8a-a023-4e52-93ed-f4f906f26463}@T2   1495987670
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ae627f8a-a023-4e52-93ed-f4f906f26463}@LeaseTerminatesTime   1495988120
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated   0xE8 0xDF 0xD0 0x77 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh   0xE8 0x47 0x95 0xD9 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow   0xE8 0x77 0x0C 0x16 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop   0
Reg     HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List   22440 22446 22458 22494 22504 22514 22534 22578 22588 22626 22632 22648
Reg     HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter   22654
Reg     HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help   22655
Reg     HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter   22440
Reg     HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help   22441
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View@BMPWidth   1016
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\View@BMPHeight   388
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced@HideFileExt   1
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced@ShowSuperHidden   0
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown   1
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds   {6D809377-6AF0-444B-8957-A3773F02200E}\CCleaner\CCleaner64.exe?
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@{6D809377-6AF0-444B-8957-A3773F02200E}\CCleaner\CCleaner64.exe   0x32 0x2D 0xB9 0x8C ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{61985343-DACD-4DE7-91BD-8F2D2A029A43}@LastAccessedTime   0xA0 0xBF 0x49 0xEF ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{61985343-DACD-4DE7-91BD-8F2D2A029A43}@LaunchCount   1
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate@LastScheduledRetryTime   2017-05-28 11:06:15
Reg     HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation   C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_ab6c197055acbce51b2a5ebbcbb2b297bd8e3255_00000000_2c1e6d57
Reg     HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles@CheckingForSolutionDialog   0x1E 0x14 0x0D 0x00 ...
Reg     HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles@CloseDialog   0xDA 0x01 0x03 0x00 ...

---- Disk sectors - GMER 2.2 ----

Disk    \Device\Harddisk1\DR1   unknown MBR code