GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-06-07 10:48:18 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003b GOODRAM_CX100 rev.SAFM01.6 223,57GB Running: xvghzvhc.exe; Driver: C:\Users\kkomo\AppData\Local\Temp\kfadyfog.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\system32\apphelp.dll [2416] entry point in ".rdata" section 00000000729e0380 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [2668] entry point in ".rdata" section 000000006a76bb10 ? C:\Windows\SYSTEM32\iertutil.dll [4692] entry point in ".rdata" section 000000006e71cb70 ? C:\WINDOWS\system32\apphelp.dll [4692] entry point in ".rdata" section 00000000729e0380 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [5952] entry point in ".rdata" section 00000000718b8fa0 ? C:\WINDOWS\system32\d3d10_1.dll [5952] entry point in ".rdata" section 0000000070f724b0 ? C:\Windows\SYSTEM32\iertutil.dll [5952] entry point in ".rdata" section 000000006e71cb70 ? C:\WINDOWS\System32\SensorsNativeApi.V2.dll [5952] entry point in ".rdata" section 000000006b0df400 ? C:\Windows\SYSTEM32\ActXPrxy.dll [5952] entry point in ".rdata" section 000000006a5ebd10 ? C:\WINDOWS\system32\d3d10_1.dll [6704] entry point in ".rdata" section 0000000070f724b0 ? C:\WINDOWS\system32\apphelp.dll [3320] entry point in ".rdata" section 00000000729e0380 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [732:864] fffff961b6574060 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xCB 0xE0 0x55 0x03 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xEB 0x7C 0xA2 0x66 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0xCB 0xE0 0x55 0x03 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xEB 0x7C 0xA2 0x66 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 184 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\ACI27A1FALMQS123942_2C_07DF_46^A0DA43AB87600D9C5FB5834CD70DCC30@Timestamp 0xD4 0xC6 0x2A 0x04 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 2710665 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -521167129 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 184 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 475566638 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 6201265 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 6197859 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 00f0b4b6-e0d5-4312-b2a6-f836e30 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\WdiContextLog@FileCounter 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName Global\MMF_BITS_s Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a3fbb3be-7cc0-4d92-ab08-45e3820d6e5f}@LastProbeTime 1465294667 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 10058 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 5290 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 183 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4ff80151-bdff-4b39-a718-ece62488a515}@LeaseObtainedTime 1465288455 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4ff80151-bdff-4b39-a718-ece62488a515}@T1 1465331655 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4ff80151-bdff-4b39-a718-ece62488a515}@T2 1465364055 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4ff80151-bdff-4b39-a718-ece62488a515}@LeaseTerminatesTime 1465374855 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{4ff80151-bdff-4b39-a718-ece62488a515}@Dhcpv6InformationObtainedTime 1465287443 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeConfidence 6 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xDC 0x4E 0xF2 0x45 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xDC 0xB6 0xB6 0xA7 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xDC 0xE6 0x2D 0xE4 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0x98 0x07 0x0F 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@RwMask 0x64 0x62 0x03 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814}\iexplore@Count 2 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\iexplore@Count 4 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@CloudSettingsDirtyMarks 653 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0x26 0xBC 0x7E 0x7A ... ---- EOF - GMER 2.2 ----