GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-01-12 20:52:59
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003a TOSHIBA_MQ01ABD100 rev.AX0P3D 931.51GB
Running: gmer.exe; Driver: C:\Users\Joanna\AppData\Local\Temp\kfkdyfow.sys

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [5660:7228]  ffff8a58adf216a0
Thread  C:\WINDOWS\system32\csrss.exe [2492:6656]  ffff8a58adf216a0
Thread  C:\WINDOWS\system32\csrss.exe [4384:7780]  ffff8a58aee46c20

---- Processes - GMER 2.2 ----

Library C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02#\08ebdebb9c6eb538ca4d0b42155dfb7d\System.ServiceModel.Channels.ni.dll (*** suspicious ***) @ C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2984] 00000000683d0000
Library C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522#\3e5136588f123be6d20335e2596424c4\System.ServiceModel.Web.ni.dll (*** suspicious ***) @ C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2984] 0000000068240000
Library C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.IdentityModel\5802392cd3e3a6f3921aabc3241bb561\System.IdentityModel.ni.dll (*** suspicious ***) @ C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2984] 0000000067f60000
Library C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\c2abcda8f96d67fa6ff5665fd21dddff\System.Drawing.ni.dll (*** suspicious ***) @ C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2984] 0000000067490000
Library C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\c02fbf560e52a1aab432a90d4c613af4\System.Windows.Forms.ni.dll (*** suspicious ***) @ C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2984] 0000000066820000
Library C:\WINDOWS\assembly\NativeImages_v4.0.30319_64\System.Servf73e6522#\3d691468bebc7298ec9471c7cb5a944a\System.ServiceModel.Web.ni.dll (*** suspicious ***) @ C:\Program Files\Dell\Dell Product Registration\PRSvc.exe [5176] 00007ff984100000
Library C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\c2abcda8f96d67fa6ff5665fd21dddff\System.Drawing.ni.dll (*** suspicious ***) @ C:\Program Files (x86)\Intel\Intel(R) Security Assist\isa.exe [8648] 0000000067490000
Library C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\c02fbf560e52a1aab432a90d4c613af4\System.Windows.Forms.ni.dll (*** suspicious ***) @ C:\Program Files (x86)\Intel\Intel(R) Security Assist\isa.exe [8648] 0000000066820000
Library C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\c2abcda8f96d67fa6ff5665fd21dddff\System.Drawing.ni.dll (*** suspicious ***) @ C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [7560] 0000000067490000
Library C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\c02fbf560e52a1aab432a90d4c613af4\System.Windows.Forms.ni.dll (*** suspicious ***) @ C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [7560] 0000000066820000
Library C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02#\08ebdebb9c6eb538ca4d0b42155dfb7d\System.ServiceModel.Channels.ni.dll (*** suspicious ***) @ C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [7560] 00000000683d0000
Library C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522#\3e5136588f123be6d20335e2596424c4\System.ServiceModel.Web.ni.dll (*** suspicious ***) @ C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [7560] 0000000068240000
Library C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.IdentityModel\5802392cd3e3a6f3921aabc3241bb561\System.IdentityModel.ni.dll (*** suspicious ***) @ C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [7560] 0000000067f60000
Library C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\c2abcda8f96d67fa6ff5665fd21dddff\System.Drawing.ni.dll (*** suspicious ***) @ C:\Program Files (x86)\Dell Update\DellUpTray.exe [7176] 0000000067490000
Library C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\c02fbf560e52a1aab432a90d4c613af4\System.Windows.Forms.ni.dll (*** suspicious ***) @ C:\Program Files (x86)\Dell Update\DellUpTray.exe [7176] 0000000066820000

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1448564484
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\a0d37a7ae48b
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\a0d37a7ae48b@c4420291a395 0x79 0xDA 0x35 0x6F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config@LastKnownGoodTime 0xAE 0x62 0xC3 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x81 0x05 0x88 0x1E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x81 0x6D 0x4C 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x81 0x9D 0xC3 0xBC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient@SpecialPollTimeRemaining time.windows.com,7d32df2???????????
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@E7CF176E110C211B 0x30 0x46 0x6A 0x42 ...

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----