GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-02-18 19:06:26
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003a GOODRAM rev.SAFM22.3 223,57GB
Running: 8s3ckjf2.exe; Driver: C:\Users\KRZYSZ~1\AppData\Local\Temp\kwliraob.sys

---- User code sections - GMER 2.2 ----

? C:\WINDOWS\SYSTEM32\NTASN1.dll [2132] entry point in ".rdata" section 00000000717da020
? C:\WINDOWS\system32\ncryptsslp.dll [2132] entry point in ".rdata" section 00000000717b04f0
? C:\WINDOWS\SYSTEM32\NTASN1.dll [7028] entry point in ".rdata" section 00000000717da020
? C:\WINDOWS\system32\ncryptsslp.dll [7028] entry point in ".rdata" section 00000000717b04f0
? C:\WINDOWS\SYSTEM32\NTASN1.dll [8180] entry point in ".rdata" section 00000000717da020
? C:\WINDOWS\SYSTEM32\iertutil.dll [8180] entry point in ".rdata" section 000000006cb21590
? C:\WINDOWS\system32\apphelp.dll [8180] entry point in ".rdata" section 00000000712df7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [1980] entry point in ".rdata" section 000000006cb21590
? C:\WINDOWS\SYSTEM32\NTASN1.dll [1980] entry point in ".rdata" section 00000000717da020
? C:\WINDOWS\system32\apphelp.dll [3608] entry point in ".rdata" section 00000000712df7c0
? C:\WINDOWS\system32\apphelp.dll [10076] entry point in ".rdata" section 00000000712df7c0

---- User IAT/EAT - GMER 2.2 ----

IAT C:\WINDOWS\Explorer.EXE[1352] @ C:\WINDOWS\Explorer.EXE[USER32.dll!SetWindowCompositionAttribute] [4d00080]
IAT C:\WINDOWS\Explorer.EXE[1352] @ C:\WINDOWS\Explorer.EXE[GDI32.dll!StretchDIBits] [4d00020]
IAT C:\WINDOWS\Explorer.EXE[1352] @ C:\WINDOWS\Explorer.EXE[UxTheme.dll!DrawThemeTextEx] [4d00040]

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [3868:8644] ffffe29c3ec96c20

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1789804276
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xA4 0x0F 0x2B 0x96 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xA4 0x77 0xEF 0xF7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xA4 0xA7 0x66 0x34 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\iexplore@Count 487
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{553891B7-A0D5-4526-BE18-D3CE461D6310}\iexplore@Count 487
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{C46BE535-0DB9-4148-952A-3942F4190E1F}
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{C46BE535-0DB9-4148-952A-3942F4190E1F}@LastAccessedTime 0xE0 0x25 0x58 0x6C ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{C46BE535-0DB9-4148-952A-3942F4190E1F}@AppId C:\Users\Krzysztof\Desktop\Gry\Train Driver 2\84\Nowy SCS\SCS.exe
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{C46BE535-0DB9-4148-952A-3942F4190E1F}@LaunchCount 5
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{EBC64744-E827-4E50-B55F-27CD98CFBDD6}@LastAccessedTime 0xB0 0xDB 0x6E 0x6A ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{EBC64744-E827-4E50-B55F-27CD98CFBDD6}@LaunchCount 30

---- EOF - GMER 2.2 ----
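Added example, not part of the GMER log above and not GMER's own code: a small Python parser for the line shapes GMER 2.2 emits in the "User code sections", "User IAT/EAT", "Threads" and "Registry" sections, with three triage summaries an analyst usually wants before opening a debugger. The regular expressions are written from the line formats visible in this log (GMER's tab-separated columns are accepted as any whitespace); the sample input is a constructed excerpt copied from the log, and the 64 KiB grouping of hook targets is an assumption based on the Windows allocation granularity, not something GMER reports. The script groups and counts, it does not decide what is malicious.

```python
"""Parse GMER 2.2 log lines and summarise user-mode hooks per process.

Added example; regexes derived from the line shapes in the log above.
Nothing here is a verdict: it only groups what GMER reported so the
analyst can see which processes and which code regions to examine.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER log on this page.
SAMPLE_LOG = r"""GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-02-18 19:06:26
Windows 6.2.9200 x64
---- User code sections - GMER 2.2 ----
?  C:\WINDOWS\SYSTEM32\NTASN1.dll [2132] entry point in ".rdata" section 00000000717da020
?  C:\WINDOWS\system32\ncryptsslp.dll [2132] entry point in ".rdata" section 00000000717b04f0
?  C:\WINDOWS\SYSTEM32\NTASN1.dll [7028] entry point in ".rdata" section 00000000717da020
?  C:\WINDOWS\system32\apphelp.dll [8180] entry point in ".rdata" section 00000000712df7c0
---- User IAT/EAT - GMER 2.2 ----
IAT  C:\WINDOWS\Explorer.EXE[1352] @ C:\WINDOWS\Explorer.EXE[USER32.dll!SetWindowCompositionAttribute] [4d00080]
IAT  C:\WINDOWS\Explorer.EXE[1352] @ C:\WINDOWS\Explorer.EXE[GDI32.dll!StretchDIBits] [4d00020]
IAT  C:\WINDOWS\Explorer.EXE[1352] @ C:\WINDOWS\Explorer.EXE[UxTheme.dll!DrawThemeTextEx] [4d00040]
---- Threads - GMER 2.2 ----
Thread  C:\WINDOWS\system32\csrss.exe [3868:8644]  ffffe29c3ec96c20
---- Registry - GMER 2.2 ----
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{C46BE535-0DB9-4148-952A-3942F4190E1F}
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{C46BE535-0DB9-4148-952A-3942F4190E1F}@AppId C:\Users\Krzysztof\Desktop\Gry\Train Driver 2\84\Nowy SCS\SCS.exe
---- EOF - GMER 2.2 ----
"""

SECTION_RE = re.compile(r'^---- (?P<name>.+?) - GMER 2\.2 ----$')
CODE_RE = re.compile(r'^\?\s+(?P<path>.+?)\s+\[(?P<pid>\d+)\]\s+entry point in '
                     r'"(?P<section>[^"]+)" section\s+(?P<addr>[0-9a-fA-F]+)$')
IAT_RE = re.compile(r'^(?P<kind>IAT|EAT)\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>.+?)'
                    r'\[(?P<dll>[^!\]]+)!(?P<func>[^\]]+)\]\s+\[(?P<target>[0-9a-fA-F]+)\]$')
THREAD_RE = re.compile(r'^Thread\s+(?P<path>.+?)\s+\[(?P<pid>\d+):(?P<tid>\d+)\]\s+(?P<addr>[0-9a-fA-F]+)$')
# Key may contain spaces ("Session Manager"); value name follows '@', data follows the value.
REG_RE = re.compile(r'^Reg\s+(?P<key>[^@]+?)(?:@(?P<value>\S+)(?:\s+(?P<data>.*))?)?$')

# Assumption: Windows reserves virtual memory in 64 KiB units, so hook targets
# that share a 64 KiB base very likely live in one injected allocation.
ALLOC_GRANULARITY = 0x10000


def parse_gmer(text):
    """Return {record kind: [dict]}; lines no regex matches go under 'unparsed'
    so the analyst sees what was missed instead of it being dropped silently."""
    records = defaultdict(list)
    section = "header"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        for kind, rx in (("code", CODE_RE), ("hook", IAT_RE), ("thread", THREAD_RE), ("reg", REG_RE)):
            m = rx.match(line)
            if m:
                records[kind].append(m.groupdict())
                break
        else:
            records["header" if section == "header" else "unparsed"].append(line)
    return records


def hooks_by_process(records):
    """Map (process path, pid) -> [(DLL!function, target address as int)]."""
    out = defaultdict(list)
    for h in records["hook"]:
        out[(h["proc"], int(h["pid"]))].append((f'{h["dll"]}!{h["func"]}', int(h["target"], 16)))
    return dict(out)


def hook_target_regions(records):
    """Group hooked imports by the 64 KiB region their targets fall in.
    Several hooks in one process landing in one region suggests one injected
    trampoline page rather than several independent patches."""
    regions = defaultdict(set)
    for h in records["hook"]:
        base = int(h["target"], 16) & ~(ALLOC_GRANULARITY - 1)
        regions[hex(base)].add(f'{h["dll"]}!{h["func"]}')
    return {k: sorted(v) for k, v in regions.items()}


def odd_entry_points(records):
    """Modules whose entry point GMER placed outside a code section, keyed by
    lower-cased path -> {pids, addrs}. The same module reporting the same
    address in every PID points at the on-disk image (or at how GMER reads
    the headers), not at a per-process patch; that is the first thing to check."""
    by_module = defaultdict(lambda: {"pids": set(), "addrs": set()})
    for c in records["code"]:
        if c["section"] in (".text", "CODE"):
            continue
        key = c["path"].lower()
        by_module[key]["pids"].add(int(c["pid"]))
        by_module[key]["addrs"].add(c["addr"].lower())
    return {k: {"pids": sorted(v["pids"]), "addrs": sorted(v["addrs"])} for k, v in by_module.items()}


if __name__ == "__main__":
    rec = parse_gmer(SAMPLE_LOG)
    for proc, hooks in hooks_by_process(rec).items():
        print(f"{proc[0]} [{proc[1]}]: {len(hooks)} hooked imports")
    print("hook target regions:", hook_target_regions(rec))
    print("entry points outside code sections:", odd_entry_points(rec))
    print("unparsed lines:", rec["unparsed"])
```

Run against the full log above, the three Explorer.EXE IAT entries resolve into a single region at 0x4d00000, and NTASN1.dll, ncryptsslp.dll, iertutil.dll and apphelp.dll each report the identical ".rdata" entry-point address in every process that loaded them. Those two facts are what the script is for: they tell you to dump one 64 KiB region from PID 1352 and to compare each of those DLLs' on-disk headers to the in-memory ones before spending time on any per-process hypothesis.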