GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-02-10 21:58:44 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002f ADATA_SP550 rev.O0730A 223,57GB Running: 5gu72cfr.exe; Driver: C:\Users\admin\AppData\Local\Temp\pfadiuow.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\SYSTEM32\iertutil.dll [2492] entry point in ".rdata" section 0000000072931590 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [2492] entry point in ".rdata" section 000000006c15a020 ? C:\WINDOWS\system32\ncryptsslp.dll [2492] entry point in ".rdata" section 000000006c1304f0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [2524] entry point in ".rdata" section 0000000072931590 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [2716] entry point in ".rdata" section 000000006f078fc0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [2716] entry point in ".rdata" section 0000000072931590 ? C:\WINDOWS\SYSTEM32\wship6.dll [2976] entry point in ".rdata" section 000000006f602470 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [2976] entry point in ".rdata" section 000000006f078fc0 ? C:\WINDOWS\SYSTEM32\wship6.dll [5096] entry point in ".rdata" section 000000006f602470 ? C:\WINDOWS\SYSTEM32\iertutil.dll [5096] entry point in ".rdata" section 0000000072931590 ? C:\Windows\System32\ActXPrxy.dll [5096] entry point in ".rdata" section 000000006cf59c50 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [5096] entry point in ".rdata" section 000000006c15a020 ? C:\WINDOWS\system32\ncryptsslp.dll [5096] entry point in ".rdata" section 000000006c1304f0 ? C:\Windows\System32\mfwmaaec.dll [5096] entry point in ".rdata" section 0000000054a42e20 ? C:\WINDOWS\system32\apphelp.dll [10088] entry point in ".rdata" section 000000006be7f7c0 ? C:\WINDOWS\System32\iertutil.dll [10088] entry point in ".rdata" section 0000000072931590 ? C:\WINDOWS\SYSTEM32\dbgcore.DLL [7344] entry point in ".rdata" section 000000006a8fc940 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [11176] entry point in ".rdata" section 000000006f078fc0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [11216] entry point in ".rdata" section 0000000072931590 ? C:\WINDOWS\SYSTEM32\iertutil.dll [11236] entry point in ".rdata" section 0000000072931590 ? C:\WINDOWS\SYSTEM32\iertutil.dll [10412] entry point in ".rdata" section 0000000072931590 ? C:\WINDOWS\SYSTEM32\iertutil.dll [6336] entry point in ".rdata" section 0000000072931590 ? C:\WINDOWS\system32\wiadss.dll [7672] entry point in ".rdata" section 000000006144c4c0 ? C:\WINDOWS\system32\apphelp.dll [8052] entry point in ".rdata" section 000000006be7f7c0 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [2892] entry point in ".rdata" section 000000006f078fc0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [2892] entry point in ".rdata" section 0000000072931590 ? C:\WINDOWS\SYSTEM32\dbgcore.DLL [9376] entry point in ".rdata" section 000000006a8fc940 ? C:\Windows\System32\ActXPrxy.dll [9376] entry point in ".rdata" section 000000006cf59c50 ? C:\WINDOWS\SYSTEM32\wship6.dll [10592] entry point in ".rdata" section 000000006f602470 ? C:\Windows\System32\ActXPrxy.dll [10592] entry point in ".rdata" section 000000006cf59c50 ? C:\Windows\System32\OneCoreCommonProxyStub.dll [10592] entry point in ".rdata" section 00000000615cda90 ? C:\WINDOWS\system32\apphelp.dll [9540] entry point in ".rdata" section 000000006be7f7c0 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [752:808] fffff1c285076c20 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x77 0xAC 0x53 0x31 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x79 0xD1 0x3B 0x47 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x77 0xAC 0x53 0x31 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x79 0xD1 0x3B 0x47 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 93 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\IVM611D11357V5501439_14_07DF_93^AF8239829460D17DDF857958C2C561CD@Timestamp 0x38 0x59 0x1F 0x91 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 904 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\WINDOWS\system32\SETF616.tmp??\??\C:\WINDOWS\TEMP\INS_f5669a6c.TMP??\??\C:\WINDOWS\TEMP\NvidiaLogging??\??\C:\WINDOWS\TEMP\~nsuA.tmp\Au_.exe??\??\C:\WINDOWS\TEMP\~nsuA.tmp??\??\C:\WINDOWS\TEMP\INS_bb0f5df6.TMP??\??\C:\WINDOWS\TEMP\INS_96b5d9f6.TMP??\??\C:\WINDOWS\system32\drivers\SET5968.tmp??\??\C:\WINDOWS\system32\SET5999.tmp??\??\C:\WINDOWS\TEMP\INS_fb262138.TMP??\??\C:\WINDOWS\TEMP\NvidiaLogging?? Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 2710882 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 396376334 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 93 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 496258050 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 9760 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 9406 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@DeleteTempDirsOnExit 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID c916aaa3-af6a-4952-9b24-50b6d0e Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId 7 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters@BootCounter 101 Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14734504149062280@SetupOperations ???N?????N?N?????????????-???????????????J??????????????? ???????M???????????N???????? ??????????????????????????N???Z??Commited?????N?N?N?N?N?N?N???????????????????>???????????????????????????N???????????????????d???????N???????????s??????/????s???????????????????)??????????? ???????M?????N?????N??????????P?,??????C???????N???8?????e37??aswSnx???????N?N?N?N?N?N?N?N??????L??N???(?????n????avast! virtualization driver (aswSnx)????????????2???????????????m??td???????????v???????#????P??N????????h?????\SystemRoot\system32\drivers\aswSnx.sys?ys????????0??N??????????FSFilter Virtualization?D_???????N???2???????e??FltMgr??????? ???????N?????N?????N?,???????? ?????????s??????? ??N???????????e??aswSnx Instance??????N?????N???N????? ???????N???????????N?,?????????????????????e???????N???c??????137600???????N?N???????????????????????N????? ???????N???????????N?,????????T??? ???????????? T??N??????????????\??\C:\Program Files\AVAST Software\Avast????N?N????? P??N??????????????\??\C:\ProgramData\AVAST Software\Avast?f8? Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName Global\MMF_BITS5052fa67-f646-4501-8293-4de964c52c27 Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS Reg HKLM\SYSTEM\CurrentControlSet\Services\BthHFEnum\Parameters\Wdf@TimeOfLastTelemetryLog 0x8A 0xE3 0xAB 0x31 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\bthhfhid\Parameters\Wdf@TimeOfLastTelemetryLog 0x8A 0xE3 0xAB 0x31 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001bdc05c385 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001bdc05c385@002237034f7b 0x46 0xAF 0x11 0x17 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\bthserv\Parameters\BluetoothControlPanelTasks@State 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\cdrom\Parameters\Wdf@TimeOfLastTelemetryLog 0xF6 0x0E 0x3F 0x2E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters\Wdf@TimeOfLastTelemetryLog 0xEB 0x23 0x14 0x2E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{17937ccc-af95-4b3c-ae50-79bcd2d78f3b}@LastProbeTime 1486479056 Reg HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters\Wdf@TimeOfLastTelemetryLog 0xD4 0x36 0x27 0x2E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\intelppm\Parameters\Wdf@TimeOfLastTelemetryLog 0x14 0xAC 0x3C 0x2E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{CA1F5E21-1986-4FB7-9A4D-D87F43BC31B1}@InterfaceName Reusable ISATAP Interface {CA1F5E21-1986-4FB7-9A4D-D87F43BC31B1} Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{CA1F5E21-1986-4FB7-9A4D-D87F43BC31B1}@ReusableType 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\34-8a-ae-f2-55-6d@AddressCreationTimestamp 0x00 0x86 0xAE 0x0E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\34-8a-ae-f2-55-6d@NatDetectionTimestamp 0x1F 0xFF 0xAD 0x0E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\34-8a-ae-f2-55-6d@ClientLocalPort 54088 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\34-8a-ae-f2-55-6d@TeredoAddress 2001:0:5ef5:79fb:c2f:2cb7:b045:9a5 Reg HKLM\SYSTEM\CurrentControlSet\Services\MEIx64\Parameters\Wdf@TimeOfLastTelemetryLog 0x8C 0xFB 0x2B 0x2E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\msisadrv\Parameters\Wdf@TimeOfLastTelemetryLog 0xA7 0xF0 0x5E 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf@TimeOfLastTelemetryLog 0xF6 0x0E 0x3F 0x2E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 8739 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 2516 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-In v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|LPort=3587|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=p2psvc|Name=@%systemroot%\system32\provsvc.dll,-200|Desc=@%systemroot%\system32\provsvc.dll,-201|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-Out v2.26|Action=Allow|Active=FALSE|Dir=Out|Protocol=6|Profile=Private|RPort=3587|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=p2psvc|Name=@%systemroot%\system32\provsvc.dll,-203|Desc=@%systemroot%\system32\provsvc.dll,-204|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-In v2.26|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Private|LPort=3540|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|Name=@%systemroot%\system32\provsvc.dll,-205|Desc=@%systemroot%\system32\provsvc.dll,-206|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-Out v2.26|Action=Allow|Active=FALSE|Dir=Out|Protocol=17|Profile=Private|RPort=3540|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|Name=@%systemroot%\system32\provsvc.dll,-207|Desc=@%systemroot%\system32\provsvc.dll,-208|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202| Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 92 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{659e648f-4856-43ed-9309-5e15ffaaaaa0}@LeaseObtainedTime 1486752605 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{659e648f-4856-43ed-9309-5e15ffaaaaa0}@T1 1486795805 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{659e648f-4856-43ed-9309-5e15ffaaaaa0}@T2 1486828205 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{659e648f-4856-43ed-9309-5e15ffaaaaa0}@LeaseTerminatesTime 1486839005 Reg HKLM\SYSTEM\CurrentControlSet\Services\umbus\Parameters\Wdf@TimeOfLastTelemetryLog 0xEB 0x23 0x14 0x2E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters\Wdf@TimeOfLastTelemetryLog 0x2B 0xD8 0x55 0x2E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters\Wdf@TimeOfLastTelemetryLog 0xE8 0x5D 0x2E 0x2E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrvroot\Parameters\Wdf@TimeOfLastTelemetryLog 0x18 0xA1 0x6F 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\vwifibus\Parameters\Wdf@TimeOfLastTelemetryLog 0x61 0xEC 0x97 0xA7 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xD7 0x61 0x55 0x9B ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xD7 0xC9 0x19 0xFD ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xD7 0xF9 0x90 0x39 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 26936 26942 26952 26962 26982 27026 27036 27074 27080 27096 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 27102 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 27103 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 26936 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 26937 Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0xC5 0x50 0x80 0xDB ... ---- EOF - GMER 2.2 ----