GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-08-15 13:28:45
Windows 6.2.9200 x64  \Device\Harddisk0\DR0 -> \Device\0000002e ADATA_SP550 rev.O0730A 223,57GB
Running: s5gl55v4.exe; Driver: C:\Users\admin\AppData\Local\Temp\pfadiuow.sys

---- User code sections - GMER 2.2 ----

?  C:\WINDOWS\SYSTEM32\iertutil.dll [1652] entry point in ".rdata" section 0000000072c9d7a0
?  C:\WINDOWS\SYSTEM32\iertutil.dll [2512] entry point in ".rdata" section 0000000072c9d7a0
?  C:\WINDOWS\SYSTEM32\iertutil.dll [2528] entry point in ".rdata" section 0000000072c9d7a0
?  C:\WINDOWS\SYSTEM32\iertutil.dll [2584] entry point in ".rdata" section 0000000072c9d7a0
?  C:\WINDOWS\SYSTEM32\NTASN1.dll [2584] entry point in ".rdata" section 000000006e87bb10
?  C:\WINDOWS\system32\wbem\wbemsvc.dll [2732] entry point in ".rdata" section 000000006f4a8fa0
?  C:\WINDOWS\SYSTEM32\iertutil.dll [2732] entry point in ".rdata" section 0000000072c9d7a0
?  C:\WINDOWS\system32\apphelp.dll [2760] entry point in ".rdata" section 000000006fc20380
?  C:\WINDOWS\system32\wbem\wbemsvc.dll [2760] entry point in ".rdata" section 000000006f4a8fa0
?  C:\WINDOWS\SYSTEM32\iertutil.dll [2792] entry point in ".rdata" section 0000000072c9d7a0
?  C:\WINDOWS\SYSTEM32\wship6.dll [2896] entry point in ".rdata" section 000000006fb124b0
?  C:\WINDOWS\system32\wbem\wbemsvc.dll [2896] entry point in ".rdata" section 000000006f4a8fa0
?  C:\WINDOWS\system32\wbem\wbemsvc.dll [5860] entry point in ".rdata" section 000000006f4a8fa0
?  C:\WINDOWS\SYSTEM32\iertutil.dll [5860] entry point in ".rdata" section 0000000072c9d7a0
?  C:\WINDOWS\SYSTEM32\wship6.dll [2560] entry point in ".rdata" section 000000006fb124b0
?  C:\WINDOWS\SYSTEM32\iertutil.dll [2560] entry point in ".rdata" section 0000000072c9d7a0
?  C:\Windows\SYSTEM32\ActXPrxy.dll [2560] entry point in ".rdata" section 0000000068c9bd10
?  C:\WINDOWS\SYSTEM32\NTASN1.dll [2560] entry point in ".rdata" section 000000006e87bb10
?  C:\Windows\SYSTEM32\ActXPrxy.dll [6460] entry point in ".rdata" section 0000000068c9bd10
?  C:\WINDOWS\SYSTEM32\iertutil.dll [7232] entry point in ".rdata" section 0000000072c9d7a0
?  C:\WINDOWS\SYSTEM32\NTASN1.dll [7232] entry point in ".rdata" section 000000006e87bb10
?  C:\WINDOWS\SYSTEM32\srpapi.dll [7232] entry point in ".rdata" section 0000000063942a90
?  C:\WINDOWS\SYSTEM32\apphelp.dll [7232] entry point in ".rdata" section 000000006fc20380
?  C:\WINDOWS\system32\wbem\wbemsvc.dll [8184] entry point in ".rdata" section 000000006f4a8fa0
?  C:\WINDOWS\system32\apphelp.dll [7636] entry point in ".rdata" section 000000006fc20380
?  C:\WINDOWS\SYSTEM32\wship6.dll [5180] entry point in ".rdata" section 000000006fb124b0
?  C:\Windows\SYSTEM32\ActXPrxy.dll [5180] entry point in ".rdata" section 0000000068c9bd10
?  C:\WINDOWS\system32\apphelp.dll [8996] entry point in ".rdata" section 000000006fc20380

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [764:816]  fffff960cf384030

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime  0xE8 0x85 0x50 0xFC ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime  0x38 0x9E 0xD3 0xCA ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime  0x57 0xB4 0x53 0xFC ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime  0x97 0x00 0xD6 0xCA ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL  192
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\IVM611D11357V5501439_14_07DF_B2^D143AAC1A4C68B3AF2D7982EC15CFF54@Timestamp  0x53 0x07 0x0C 0xFD ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  920
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  \??\C:\ProgramData\ChelfNotify\OLD_FILE1??\??\C:\ProgramData\ChelfNotify\OLD_FILE2??\??\C:\ProgramData\ChelfNotify\OLD_FILE3??\??\C:\Program Files (x86)\SearchesToYesbnd\2384c??\??\C:\Program Files (x86)\Google\Update\Download\{92573FCF-D866-47EE-AF79-853CCFA71CAC}\chrome_updater??\??\C:\Program Files (x86)\Google\Update\Download\{92573FCF-D866-47EE-AF79-853CCFA71CAC}\chrome_updater.tew??\??\C:\ProgramData\XwinpX\tmpx??
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  -866508753
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID  8ad9e4ef-1999-4777-9df0-bc070fd
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName  \BaseNamedObjects\WDI_{c3086c79-c901-4382-b250-b856d5cd26d4}
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14712546055462276@SetupOperations  ???Z?????Z?[?[???????????????????????????*???????????????????????T?????????????Z???Z????? ???????Z???????????Z???????? ??????????????????????????Z???M??Reverted?M???Z?Z?Z?Z?Z?Z?Z?Z?????????????J?????t?I?????????????????t?????????Z???????????????????????????Z?????????????????Z?????[?[?\?\?\???????????0???????????????*???H??????????????4????T??????????? ???????Z?????\?????Z??????????P?*??????????????Z?????????e????aswSnx???????Z?Z?\?\?\?\?\?\??????L??\?????????n?????\???\???Z??????????????MoveFile("\??\C:\Program Files\AVAST Software\Avast\HTMCCD4.tmp","\??\C:\Program Files\AVAST Software\Avast\HTMLayout.dll",TRUE)?MoveFile("\??\C:\Program Files\AVAST Software\Avast\avBCCF6.tmp","\??\C:\Program Files\AVAST Software\Avast\avBugReport.exe",TRUE)?MoveFile("\??\C:\Program Files\AVAST Software\Avast\AvDCD08.tmp","\??\C:\Program Files\AVAST Software\Avast\AvDump32.exe",TRUE)?MoveFile("\??\C:\Program Files\AVAST Software\Avast\x64\AvDCD0A.tmp","\??\C:\Program Files\AVAST Software\Avast\x64\AvDump64.exe",TRUE)?DeleteF
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14712546171092276@SetupOperations  ???Z?????[?[?\?\?\???????????0???????????????*???H??????????????4????T??????????? ???????Z?????\?????Z??????????P?*??????????????Z?????????e????aswSnx???????Z?Z?\?\?\?\?\?\??????L??\?????????n?????\???\???Z??????????????MoveFile("\??\C:\Program Files\AVAST Software\Avast\HTMCCD4.tmp","\??\C:\Program Files\AVAST Software\Avast\HTMLayout.dll",TRUE)?MoveFile("\??\C:\Program Files\AVAST Software\Avast\avBCCF6.tmp","\??\C:\Program Files\AVAST Software\Avast\avBugReport.exe",TRUE)?MoveFile("\??\C:\Program Files\AVAST Software\Avast\AvDCD08.tmp","\??\C:\Program Files\AVAST Software\Avast\AvDump32.exe",TRUE)?MoveFile("\??\C:\Program Files\AVAST Software\Avast\x64\AvDCD0A.tmp","\??\C:\Program Files\AVAST Software\Avast\x64\AvDump64.exe",TRUE)?DeleteFile("\??\C:\Program Files\AVAST Software\Avast\setup\CRT\data\avast.vc110.crt\amd64")?DeleteFile("\??\C:\Program Files\AVAST Software\Avast\setup\CRT\data\avast.vc110.crt\x86")?MoveFile("\??\C:\Program Files\AVAST Software\Avast\ashA329.tmp","\??\C:\Program Files\AVAST So
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001bdc05c385
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001bdc05c385@002237034f7b  0x46 0xAF 0x11 0x17 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0000
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0000@BackupContext  0x02 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0000@Bluetooth_UniqueID  {00000000-0000-0000-0000-000000000000}#002237034F7B_00000000
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0000@ConnectionCount  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0001
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0001@BackupContext  0x02 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0001@Bluetooth_UniqueID  {0000110c-0000-1000-8000-00805f9b34fb}#002237034F7B_C00000000
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0001@ConnectionCount  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0004
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0004@BackupContext  0x02 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0004@Bluetooth_UniqueID  {00000000-0000-0000-0000-000000000000}#002237034F7B_00000000
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0004@ConnectionCount  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0005
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0005@BackupContext  0x02 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0005@Bluetooth_UniqueID  {0000110c-0000-1000-8000-00805f9b34fb}#002237034F7B_C00000000
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0005@ConnectionCount  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{4b50dad4-adea-4944-b02f-6cb1fafd8986}@LastProbeTime  1471264209
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{CA1F5E21-1986-4FB7-9A4D-D87F43BC31B1}@DefunctTimestamp  0xB0 0x99 0xB1 0x57 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\34-8a-ae-f2-55-6d@AddressCreationTimestamp  0x2E 0x2B 0xC2 0x0D ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_56a73\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_56a73\Security@Security  0x01 0x00 0x14 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_56a73\TriggerInfo
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_56a73\TriggerInfo\0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_56a73\TriggerInfo\0@Type  7
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_56a73\TriggerInfo\0@Action  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_56a73\TriggerInfo\0@Guid  0x16 0x28 0x7A 0x2D ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_56a73\TriggerInfo\0@Data0  0x75 0x18 0xBC 0xA3 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_56a73\TriggerInfo\0@DataType0  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_56a73\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_56a73\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_56a73\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_56a73\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  8046
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  2986
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence  191
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{659e648f-4856-43ed-9309-5e15ffaaaaa0}@LeaseObtainedTime  1471257009
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{659e648f-4856-43ed-9309-5e15ffaaaaa0}@T1  1471300209
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{659e648f-4856-43ed-9309-5e15ffaaaaa0}@T2  1471332609
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{659e648f-4856-43ed-9309-5e15ffaaaaa0}@LeaseTerminatesTime  1471343409
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_56a73\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_56a73\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_56a73\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_56a73\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeConfidence  8
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0xF5 0x7A 0x1E 0x42 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0xF5 0xE2 0xE2 0xA3 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0xF5 0x12 0x5A 0xE0 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount  0x9C 0x16 0x1C 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@PolicyDocumentLastRefresh  0xE6 0x7C 0x10 0x87 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime  0xAE 0x64 0x03 0x8B ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime  0xAE 0x64 0x03 0x8B ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime  0xAE 0x64 0x03 0x8B ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime  0xAE 0x64 0x03 0x8B ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest  0x8F 0xF8 0xB2 0x3D ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications@TimestampWhenSeen  0x8B 0xFB 0xA5 0x03 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Current\Windows.SystemToast.SecurityAndMaintenance\72891
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Current\Windows.SystemToast.SecurityAndMaintenance\72891@ImageFileUri  file://C:\Users\admin\AppData\Local\Microsoft\Windows\ActionCenterCache\{EB5C4BC3-9CD1-4ABE-A866-19C424936ECC}.png
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ab15f104@NotificationsCount  4
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds  E7CF176E110C211B?
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance@MessageTime  0x85 0x52 0xA2 0xE9 ...

---- Files - GMER 2.2 ----

File  C:\Program Files\NVIDIA Corporation\Installer2\NvNodejs.{AA08E81F-DC29-43DB-B05B-AC260C15C4A6}\node_modules\socket.io\node_modules\socket.io-client\node_modules\engine.io-client\node_modules\engine.io-parser\node_modules\has-binary\node_modules\isarray\build\build.js  4298 bytes

---- EOF - GMER 2.2 ----
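The log above is raw GMER output, and the two entries that need real reading are the `?`-prefixed user-code lines (the same module reported once per PID) and the `PendingFileRenameOperations` value, which lists files Windows will delete or rename on the next boot. What follows is an added example, not part of the original post and not GMER's own code: a parser that splits the log into its sections, turns `Reg` lines into (key, value, data) records, decodes the pending-operations value, and collapses the per-PID `?` entries into one line per (module, address). Assumptions: GMER renders each NUL separator of that REG_MULTI_SZ value as `?`, so a path followed by `??` is a source with an empty destination (a delete) and a single `?` means the destination string follows, with a leading `!` on the destination meaning replace-existing; the sample log inside the block is a constructed excerpt of the log above with GMER's column separators restored as two spaces; the value used to exercise the rename branch is constructed and does not come from this log.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: an excerpt of the GMER log above, one entry per line,
# with GMER's column separators restored as two spaces.
SAMPLE_LOG = r"""GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-08-15 13:28:45
Windows 6.2.9200 x64

---- User code sections - GMER 2.2 ----

?  C:\WINDOWS\SYSTEM32\iertutil.dll [1652] entry point in ".rdata" section 0000000072c9d7a0
?  C:\WINDOWS\SYSTEM32\iertutil.dll [2512] entry point in ".rdata" section 0000000072c9d7a0
?  C:\WINDOWS\system32\wbem\wbemsvc.dll [2732] entry point in ".rdata" section 000000006f4a8fa0

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [764:816]  fffff960cf384030

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  920
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  \??\C:\ProgramData\ChelfNotify\OLD_FILE1??\??\C:\Program Files (x86)\SearchesToYesbnd\2384c??\??\C:\ProgramData\XwinpX\tmpx??
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_56a73\Security

---- EOF - GMER 2.2 ----
"""

# Constructed value (not from the log) exercising the rename branch:
# source NUL "!"destination NUL NUL; the "!" means MOVEFILE_REPLACE_EXISTING.
CONSTRUCTED_RENAME_VALUE = r"\??\C:\tmp\new.dll?!\??\C:\Windows\System32\old.dll??"

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
CODE_RE = re.compile(r'^\?\s+(?P<module>.+?) \[(?P<pid>\d+)\] entry point in '
                     r'"(?P<section>[^"]+)" section (?P<addr>[0-9a-f]+)$')
REG_RE = re.compile(r"^Reg\s+(?P<key>[^@]+?)(?:@(?P<value>\S+)(?:\s+(?P<data>.*))?)?\s*$")
# One MULTI_SZ string: optional "!", the NT prefix \??\, path chars (a Windows
# path never contains "?"), then the run of "?" GMER prints for NULs (assumption).
PENDING_RE = re.compile(r"(?P<path>!?\\\?\?\\[^?]+)(?P<nuls>\?*)")
NT_PREFIX = "\\??\\"


@dataclass(frozen=True)
class PendingOp:
    kind: str                 # "delete" or "rename"
    source: str
    destination: str = ""
    replace_existing: bool = False


def parse_sections(text):
    """Split GMER output into {section name: [non-empty lines]}."""
    sections, current = defaultdict(list), "header"
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m["name"]
            continue
        sections[current].append(line)
    return sections


def parse_pending_ops(data):
    """Decode a GMER-rendered PendingFileRenameOperations value.

    REG_MULTI_SZ pairs: source, destination. An empty destination (path followed
    by "??") is a delete; a single "?" means the destination string follows."""
    tokens = [(m["path"], len(m["nuls"])) for m in PENDING_RE.finditer(data)]
    ops, i = [], 0
    while i < len(tokens):
        src, nuls = tokens[i]
        if nuls >= 2 or i + 1 == len(tokens):
            ops.append(PendingOp("delete", src))
            i += 1
        else:
            dst = tokens[i + 1][0]
            ops.append(PendingOp("rename", src, dst.lstrip("!"), dst.startswith("!")))
            i += 2
    return ops


def win32_path(nt_path):
    """Drop the \\??\\ object-manager prefix to get the Win32 path."""
    return nt_path[len(NT_PREFIX):] if nt_path.startswith(NT_PREFIX) else nt_path


def parse_log(text):
    """Return flagged user-code entries, registry records and decoded pending ops."""
    sections = parse_sections(text)
    report = {"code": [], "registry": [], "pending": []}
    for line in sections.get("User code sections", []):
        m = CODE_RE.match(line)
        if m:
            report["code"].append((m["module"], int(m["pid"]), m["section"], m["addr"]))
    for line in sections.get("Registry", []):
        m = REG_RE.match(line)
        if not m:
            continue
        report["registry"].append((m["key"], m["value"], m["data"]))
        if m["value"] == "PendingFileRenameOperations" and m["data"]:
            report["pending"].extend(parse_pending_ops(m["data"]))
    return report


def entry_point_summary(code_entries):
    """Group '?' entries by (module, section, address) -> set of PIDs, so one
    image flagged in many processes collapses to a single line of triage."""
    groups = defaultdict(set)
    for module, pid, section, addr in code_entries:
        groups[(module.lower(), section, addr)].add(pid)
    return dict(groups)


if __name__ == "__main__":
    report = parse_log(SAMPLE_LOG)
    for (module, section, addr), pids in entry_point_summary(report["code"]).items():
        print(f"{module} {section}@{addr} in PIDs {sorted(pids)}")
    for op in report["pending"]:
        print(f"{op.kind:6} {win32_path(op.source)} {win32_path(op.destination)}".rstrip())
```

Run against the full value from the log above, every path is followed by `??`, so all seven entries decode as pending deletions (three under C:\ProgramData\ChelfNotify, one under Program Files (x86)\SearchesToYesbnd, two in the Google Update download directory, one under C:\ProgramData\XwinpX); that list is what to inspect on disk before the reboot removes it. The grouped user-code summary shows each flagged DLL at one address across all PIDs, which is consistent with a single loaded image rather than something different per process; the check that settles it is the on-disk file's Authenticode signature and hash, not the PID count.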