GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-04-25 15:13:50
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000036 HGST_HTS541010A9E680 rev.JA0OA560 931,51GB
Running: yskbj5d4.exe; Driver: C:\Users\Myotis\AppData\Local\Temp\kwldqpog.sys

---- User code sections - GMER 2.2 ----

? C:\WINDOWS\SYSTEM32\iertutil.dll [2960] entry point in ".rdata" section 0000000072a8caf0
? C:\WINDOWS\system32\apphelp.dll [3268] entry point in ".rdata" section 0000000070e90380
? C:\Windows\SYSTEM32\ActXPrxy.dll [3268] entry point in ".rdata" section 000000006e26bc40
? C:\WINDOWS\SYSTEM32\Windows.Networking.HostName.dll [3268] entry point in ".rdata" section 000000006d0c3090
? C:\WINDOWS\system32\apphelp.dll [4196] entry point in ".rdata" section 0000000070e90380
? C:\WINDOWS\system32\wbem\wbemsvc.dll [4196] entry point in ".rdata" section 000000006bb68fa0
.text D:\Program Files (x86)\AVG\Av\avgcsrva.exe[4944] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00007ffea7409c20 5 bytes JMP 00007ffe8af72e10
.text D:\Program Files (x86)\AVG\Av\avgcsrva.exe[4944] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffea74255c0 5 bytes JMP 00007ffe8af72640
.text D:\Program Files (x86)\AVG\Av\avgcsrva.exe[4944] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea7425800 5 bytes JMP 00007ffe8af72470
.text D:\Program Files (x86)\AVG\Av\avgcsrva.exe[4944] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea74258c0 5 bytes JMP 00007ffe8af72b10
.text D:\Program Files (x86)\AVG\Av\avgcsrva.exe[4944] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea74259c0 5 bytes JMP 00007ffe8af72ab0
.text D:\Program Files (x86)\AVG\Av\avgcsrva.exe[4944] C:\WINDOWS\SYSTEM32\ntdll.dll!NtResumeThread 00007ffea7425b00 5 bytes JMP 00007ffe8af728d0
.text D:\Program Files (x86)\AVG\Av\avgcsrva.exe[4944] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea74265b0 5 bytes JMP 00007ffe8af72b60
.text D:\Program Files (x86)\AVG\Av\avgcsrva.exe[4944] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea74266f0 5 bytes JMP 00007ffe8af72c10
.text D:\Program Files (x86)\AVG\Av\avgcsrva.exe[4944] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateUserProcess 00007ffea7426810 5 bytes JMP 00007ffe8af72cc0
.text D:\Program Files (x86)\AVG\Av\avgcsrva.exe[4944] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea7427310 5 bytes JMP 00007ffe8af72bc0
.text D:\Program Files (x86)\AVG\Av\avgcsrva.exe[4944] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea74273d0 5 bytes JMP 00007ffe8af72c70
? C:\WINDOWS\system32\wbem\wbemsvc.dll [6960] entry point in ".rdata" section 000000006bb68fa0
? C:\WINDOWS\SYSTEM32\NTASN1.dll [6960] entry point in ".rdata" section 000000007367bb10
? C:\WINDOWS\system32\d3d10_1.dll [6960] entry point in ".rdata" section 00000000713424b0
? C:\WINDOWS\SYSTEM32\iertutil.dll [6960] entry point in ".rdata" section 0000000072a8caf0
? C:\WINDOWS\system32\apphelp.dll [3836] entry point in ".rdata" section 0000000070e90380
? C:\WINDOWS\system32\apphelp.dll [4544] entry point in ".rdata" section 0000000070e90380
? C:\WINDOWS\system32\apphelp.dll [1156] entry point in ".rdata" section 0000000070e90380

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [5552:2716] fffff96100f84060

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\FileSystem@NtfsDisableLastAccessUpdate 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ?)???C???C???????B???????????????????pon.?, ?kwi ?25 ?16, 01:43:56 PM???????????????????????????????????? ???????B???????????B??????????D??????????e??????0??B??????e???CloseReadyBoostPerfData??????B?B?B?B?B?B?B?B?B?B?B????4??B???????t??CollectReadyBoostPerfData?????D??B???????y??%systemroot%\system32\sysmain.dll?????.??B??????????OpenReadyBoostPerfData?????????????????????e??????6??B?????????e????ReadyBoostPerfCounters.ini??????? ??????????????r???????????????????????? ????????????????????????????????p??????? ??B???n?????t?n??4588?j??? ???????3???????????B??????????"?????????????????????????s??????B?B?B?B?B?B???????????????????e??????????????????????????"??B??????p???Boot File System????????????????t???????????????????? ???????3?????C?? ??B?B??&???$????????????? ????????????????????????????B?B?B?B?B?B?B?B?B?B?C?C?C????N??B?????????e????@%Systemroot%\system32\mprdim.dll,-200????????????????????????????Z??B????????h?????%SystemRoot%\System32\svchost.exe -k netsvcs????????????????t??????? ?????????????N??B?????
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -532307258
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\7077810a4e12
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{3D6F3E66-EE27-4E7B-A740-F350E63A8C50}@DefunctTimestamp 0xD9 0xFF 0x1D 0x57 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 1685
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 534
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{CA0273CC-A0CA-4D1A-AA4F-9CE042CAF8CA} v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\SrpnFiles\SrpnFiles.exe|Name=SrpnFiles|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{03070CBB-E449-4FA5-910E-2F87D7C17BC1} v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\SrpnFiles\SrpnFiles.exe|Name=SrpnFiles|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{380D7A45-3C91-4DB9-99B9-BF8BF5811D1C} v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\SrpnFiles\downloader.exe|Name=SrpnFiles|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{11529F27-5117-446C-AC64-0823CC5042FF} v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\SrpnFiles\downloader.exe|Name=SrpnFiles|
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5ce624b7-5403-4d31-a03e-3acc51889456}@LeaseObtainedTime 1461583838
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5ce624b7-5403-4d31-a03e-3acc51889456}@T1 1461627038
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5ce624b7-5403-4d31-a03e-3acc51889456}@T2 1461659438
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5ce624b7-5403-4d31-a03e-3acc51889456}@LeaseTerminatesTime 1461670238
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeConfidence 6
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x11 0x2F 0x96 0xDE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x11 0x97 0x5A 0x40 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x11 0xC7 0xD1 0x7C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0xEF 0xB2 0xCD 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds E7CF176E110C211B?

---- EOF - GMER 2.2 ----