GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-06 19:16:14
Windows 6.2.9200 x64 \Device\Harddisk1\DR1 -> \Device\0000002b CT250BX100SSD1 rev.MU02 232,89GB
Running: fgd3gve5.exe; Driver: C:\Users\Rafal\AppData\Local\Temp\awdyakow.sys

---- User code sections - GMER 2.2 ----

? C:\WINDOWS\system32\apphelp.dll [2480] entry point in ".rdata" section 0000000071eaf7c0
? C:\WINDOWS\system32\apphelp.dll [3864] entry point in ".rdata" section 0000000071eaf7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [3864] entry point in ".rdata" section 0000000072691150
? C:\WINDOWS\SYSTEM32\atlthunk.dll [3864] entry point in ".data" section 000000006e474290
? C:\WINDOWS\system32\apphelp.dll [5624] entry point in ".rdata" section 0000000071eaf7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [5624] entry point in ".rdata" section 0000000072691150
? C:\WINDOWS\system32\apphelp.dll [5956] entry point in ".rdata" section 0000000071eaf7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [5956] entry point in ".rdata" section 0000000072691150
? C:\WINDOWS\system32\apphelp.dll [3924] entry point in ".rdata" section 0000000071eaf7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [3924] entry point in ".rdata" section 0000000072691150
? C:\WINDOWS\system32\apphelp.dll [5940] entry point in ".rdata" section 0000000071eaf7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [5940] entry point in ".rdata" section 0000000072691150
? C:\WINDOWS\system32\apphelp.dll [5932] entry point in ".rdata" section 0000000071eaf7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [5932] entry point in ".rdata" section 0000000072691150
? C:\WINDOWS\system32\apphelp.dll [5952] entry point in ".rdata" section 0000000071eaf7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [5952] entry point in ".rdata" section 0000000072691150
? C:\WINDOWS\system32\apphelp.dll [8244] entry point in ".rdata" section 0000000071eaf7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [8244] entry point in ".rdata" section 0000000072691150
? C:\Windows\System32\iertutil.dll [8320] entry point in ".rdata" section 0000000072691150
? C:\WINDOWS\SYSTEM32\iertutil.dll [8444] entry point in ".rdata" section 0000000072691150
? C:\WINDOWS\system32\apphelp.dll [8444] entry point in ".rdata" section 0000000071eaf7c0
? C:\WINDOWS\system32\wbem\wbemsvc.dll [8612] entry point in ".rdata" section 000000005f698fc0
? C:\WINDOWS\SYSTEM32\NTASN1.dll [8612] entry point in ".rdata" section 000000006e1da020
? C:\WINDOWS\system32\ncryptsslp.dll [8612] entry point in ".rdata" section 000000006e1b04f0
? C:\WINDOWS\system32\apphelp.dll [4488] entry point in ".rdata" section 0000000071eaf7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [4488] entry point in ".rdata" section 0000000072691150
? C:\WINDOWS\system32\apphelp.dll [6832] entry point in ".rdata" section 0000000071eaf7c0

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [724:848] ffffe10de63a6c20
Thread C:\WINDOWS\system32\svchost.exe [556:2228] 00007ff8cca41a50
Thread C:\WINDOWS\system32\svchost.exe [556:3104] 00007ff8cd1039b0
Thread C:\WINDOWS\system32\svchost.exe [556:4068] 00007ff8c2831040
Thread C:\WINDOWS\system32\svchost.exe [556:4072] 00007ff8c39e48e0
Thread C:\WINDOWS\system32\svchost.exe [556:4080] 00007ff8c39e48e0
Thread C:\WINDOWS\system32\svchost.exe [556:8928] 00007ff8cb327ac0
Thread C:\WINDOWS\system32\svchost.exe [556:8932] 00007ff8cb327ac0
Thread C:\WINDOWS\system32\svchost.exe [556:3488] 00007ff8d42c30f0
Thread C:\WINDOWS\system32\svchost.exe [556:5080] 00007ff8cecd50a0
Thread C:\WINDOWS\system32\svchost.exe [1256:2224] 00007ff8d8246750
Thread C:\WINDOWS\system32\svchost.exe [1256:2284] 00007ff8d8246750
Thread C:\WINDOWS\system32\svchost.exe [1256:2296] 00007ff8d8246750
Thread C:\WINDOWS\system32\svchost.exe [1256:2308] 00007ff8cf5bc5a0
Thread C:\WINDOWS\system32\svchost.exe [1256:2468] 00007ff8cf5beab0
Thread C:\WINDOWS\system32\svchost.exe [1256:2496] 00007ff8cf5bd2d0
Thread C:\WINDOWS\system32\svchost.exe [1256:2500] 00007ff8cf5be100
Thread C:\WINDOWS\system32\svchost.exe [1256:2612] 00007ff8cf68af40
Thread C:\WINDOWS\system32\svchost.exe [1256:2616] 00007ff8cf68ca00
Thread C:\WINDOWS\system32\svchost.exe [1256:3400] 00007ff8c65c1240
Thread C:\WINDOWS\system32\svchost.exe [1256:3404] 00007ff8c662a3b0
Thread C:\WINDOWS\system32\svchost.exe [1256:3412] 00007ff8c4dd25e0
Thread C:\WINDOWS\system32\svchost.exe [1256:812] 00007ff8be593bc0
Thread C:\WINDOWS\system32\svchost.exe [1256:7556] 00007ff8be592080
Thread C:\WINDOWS\system32\svchost.exe [1996:2032] 00007ff8d1fde830
Thread C:\WINDOWS\system32\svchost.exe [1996:1212] 00007ff8d1e910a0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:1564] 0000000000c9eaa4
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:2116] 000000007341fcb0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:2124] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:2256] 0000000072868290
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:2272] 00000000727d66f0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3532] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3580] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3584] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3588] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3592] 000000006f3e96c0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3596] 0000000072d0d9d0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3600] 0000000072d0d9d0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3604] 0000000072d0d9d0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3608] 0000000072d0d9d0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3612] 0000000072d0d9d0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3616] 0000000072d0d9d0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3620] 0000000072d0d9d0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3624] 0000000072d0d9d0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3628] 0000000072d0d9d0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3632] 0000000072d0d9d0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3636] 0000000072d0eac0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3640] 0000000072d0eac0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3644] 0000000072d0df00
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3648] 0000000072d8dfb0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3652] 0000000072d8cb50
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3656] 0000000072d8cf80
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3660] 0000000072d10d80
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3664] 0000000072d10d80
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3668] 0000000072d10d80
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3672] 0000000072d10d80
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3676] 0000000072d10d80
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3680] 0000000072d10d80
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3684] 0000000072d10d80
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3688] 0000000072d10d80
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3692] 0000000072d10d80
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3696] 0000000072d10d80
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3700] 0000000072d10a30
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3704] 000000006f361080
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3708] 000000006f321d30
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3712] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3716] 000000006f327040
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3720] 000000006f327040
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3724] 000000006f3e9550
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3728] 000000006f3e9550
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3740] 0000000072d39c10
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3744] 0000000072d10410
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3748] 000000006f150c54
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3756] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3760] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3768] 00000000770657b0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3776] 000000007249b990
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3804] 0000000072e743c0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3888] 0000000072c38fc0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3896] 000000006f3616d0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3912] 000000006e5a9390
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3920] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3928] 00000000730531d0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3932] 0000000073056730
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3948] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3956] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:4020] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3260] 000000006e4bb460
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3308] 000000006e4bb460
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3312] 000000006e4bb460
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3348] 000000006e4bb460
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3332] 000000006e4bb460
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3352] 000000006e4bb460
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:2632] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:2628] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:2596] 000000006f125870
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:4120] 00000000770657b0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:4128] 0000000072c91980
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:4140] 0000000072830440
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:4144] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:4152] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:4168] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:4172] 000000006d16daf0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:4184] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:4188] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:8316] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:3168] 0000000072408420
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:6740] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:4944] 0000000073bff28e
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1460:7736] 0000000073bff28e
Thread C:\WINDOWS\system32\svchost.exe [2436:2956] 00007ff8ce1e58c0
Thread C:\WINDOWS\system32\svchost.exe [2436:2964] 00007ff8ce1e58c0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2480:2484] 0000000000e14114
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2480:2728] 0000000000e118e0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2480:2740] 0000000000e118e0
Thread C:\WINDOWS\system32\mqsvc.exe [2520:3000] 00007ff8cca979e0
Thread C:\WINDOWS\system32\svchost.exe [2564:2864] 00007ff8ce0316b0
Thread C:\WINDOWS\system32\svchost.exe [2564:2868] 00007ff8ce0316b0
Thread C:\WINDOWS\system32\svchost.exe [2564:2872] 00007ff8ce0316b0
Thread C:\WINDOWS\system32\svchost.exe [2564:2876] 00007ff8ce0316b0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2604:2608] 0000000000402d42
Thread C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [3036:3280] 00007ff8cb8fd840
Thread C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [3036:3304] 00007ff8cb810250
Thread C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [3036:3464] 00007ff8c4231b50
Thread C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [3036:3528] 00007ff8cb810250
Thread C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [3132:3276] 00007ff8cb8fd840
Thread C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [3132:3300] 00007ff8cb810250
Thread C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [3132:3472] 00007ff8c4231b50
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [3496:3500] 00000000004012a0
Thread c:\windows\system32\inetsrv\w3wp.exe [116:1536] 00007ff8ce1e58c0
Thread c:\windows\system32\inetsrv\w3wp.exe [116:1640] 00007ff8ce0316b0
Thread c:\windows\system32\inetsrv\w3wp.exe [116:4100] 00007ff8ce0316b0
Thread c:\windows\system32\inetsrv\w3wp.exe [116:4104] 00007ff8ce0316b0
Thread c:\windows\system32\inetsrv\w3wp.exe [116:4108] 00007ff8ce0316b0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [5572:6120] 000000000042e9b8

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -87568425
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xB9 0x66 0xB3 0xF8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xB9 0xCE 0x77 0x5A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xB9 0xFE 0xEE 0x96 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds Chrome?Microsoft.Windows.ControlPanel?
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\credentials@IsLocalReplicaDirty 0
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\spellingdictionary@IsLocalReplicaDirty 0

---- Files - GMER 2.2 ----

File C:\Users\Rafal\AppData\Local\Microsoft\Windows\SettingSync\metastore\edb0078F.log 524288 bytes
File C:\Users\Rafal\AppData\Local\Microsoft\Windows\SettingSync\metastore\edb00790.log 524288 bytes
File C:\Users\Rafal\AppData\Local\Microsoft\Windows\SettingSync\metastore\edb00791.log 524288 bytes
File C:\Users\Rafal\AppData\Local\Microsoft\Windows\SettingSync\remotemetastore\v1\edb001CE.log 524288 bytes
File C:\Users\Rafal\AppData\Local\Microsoft\Windows\SettingSync\remotemetastore\v1\edb001CF.log 524288 bytes
File C:\Users\Rafal\AppData\Local\Microsoft\Windows\SettingSync\remotemetastore\v1\edb001D0.log 524288 bytes
File C:\Users\Rafal\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\AC\INetCookies\NIKZJI91.cookie 0 bytes

---- EOF - GMER 2.2 ----