GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-05 19:00:35
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000034 WDC_WD10EZEX-00BN5A0 rev.01.01A01 931,51GB
Running: 7hnfhefn.exe; Driver: C:\Users\Daroo\AppData\Local\Temp\pxldapog.sys

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\System32\dwm.exe[5180] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe07f2169a 4 bytes [F2, 07, FE, 7F]
.text C:\WINDOWS\System32\dwm.exe[5180] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe07f216a2 4 bytes [F2, 07, FE, 7F]
.text C:\WINDOWS\System32\dwm.exe[5180] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe07f2181a 4 bytes [F2, 07, FE, 7F]
.text C:\WINDOWS\System32\dwm.exe[5180] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe07f21832 4 bytes [F2, 07, FE, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[6088] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe07f2169a 4 bytes [F2, 07, FE, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[6088] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe07f216a2 4 bytes [F2, 07, FE, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[6088] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe07f2181a 4 bytes [F2, 07, FE, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[6088] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe07f21832 4 bytes [F2, 07, FE, 7F]
.text C:\WINDOWS\Explorer.EXE[2164] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe07f2169a 4 bytes [F2, 07, FE, 7F]
.text C:\WINDOWS\Explorer.EXE[2164] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe07f216a2 4 bytes [F2, 07, FE, 7F]
.text C:\WINDOWS\Explorer.EXE[2164] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe07f2181a 4 bytes [F2, 07, FE, 7F]
.text C:\WINDOWS\Explorer.EXE[2164] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe07f21832 4 bytes [F2, 07, FE, 7F]
.text C:\Program Files\File Association Helper\FAHWindow.exe[6516] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe07f2169a 4 bytes [F2, 07, FE, 7F]
.text C:\Program Files\File Association Helper\FAHWindow.exe[6516] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe07f216a2 4 bytes [F2, 07, FE, 7F]
.text C:\Program Files\File Association Helper\FAHWindow.exe[6516] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe07f2181a 4 bytes [F2, 07, FE, 7F]
.text C:\Program Files\File Association Helper\FAHWindow.exe[6516] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe07f21832 4 bytes [F2, 07, FE, 7F]

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\system32\csrss.exe [2224:5968] fffff96000862b90

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -753067735
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C7598BB5-4B95-4E63-8716-06AC1CF11053}@LeaseObtainedTime 1425571536
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C7598BB5-4B95-4E63-8716-06AC1CF11053}@T1 1425575136
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C7598BB5-4B95-4E63-8716-06AC1CF11053}@T2 1425577836
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C7598BB5-4B95-4E63-8716-06AC1CF11053}@LeaseTerminatesTime 1425578736
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@0 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Snail Games USA\BlackGold\BlackGold.lnk?D:\Program Files (x86)\Snail Games USA\BlackGold\fxlaunch.exe??
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@1 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Snail Games USA\BlackGold\Uninstall BlackGold.lnk?C:\Program Files (x86)\InstallShield Installation Information\{F7731C17-DA4F-440C-9802-00ED509B9F77}\setup.exe?-runfromtemp -l0x0409?

---- EOF - GMER 2.1 ----