GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2016-02-08 10:41:58
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000039 HGST_HTS721075A9E630 rev.JB2OA3J0 698,64GB
Running: 521u0vgf.exe; Driver: C:\Users\rafiksq\AppData\Local\Temp\kglyifow.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable       fffff960001ba400 15 bytes [00, 58, F1, 01, C0, 46, 6B, ...]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 16  fffff960001ba410 11 bytes [00, C5, FB, FF, C0, 46, CA, ...]

---- Threads - GMER 2.1 ----

Thread  C:\Program Files (x86)\IIS Express\iisexpresstray.exe [5412:5428]  000000006fe4cf5c
Thread  C:\Program Files (x86)\IIS Express\iisexpresstray.exe [5412:5432]  000000006feca8c0
Thread  C:\Program Files (x86)\IIS Express\iisexpresstray.exe [5412:5436]  000000006feca8c0
Thread  C:\Program Files (x86)\IIS Express\iisexpresstray.exe [5412:5516]  000000007214c200
Thread  C:\Program Files (x86)\IIS Express\iisexpresstray.exe [5412:5572]  000000006fdd24a2
Thread  C:\Program Files (x86)\IIS Express\iisexpresstray.exe [5412:2716]  000000006feca8c0
Thread  C:\Program Files (x86)\IIS Express\iisexpresstray.exe [5412:3424]  000000006feca8c0
Thread  C:\Windows\system32\csrss.exe [4872:1188]                          fffff960008eb2d0

---- Processes - GMER 2.1 ----

Process  C:\Users\rafiksq\AppData\Roaming\ViStart\ViStart.exe (*** suspicious ***) @ C:\Users\rafiksq\AppData\Roaming\ViStart\ViStart.exe [2832] (Lee-Soft.com)(2014-01-17 15:25:12)  0000000000400000
Process  C:\Users\rafiksq\AppData\Roaming\ViStart\Plugins\MetroProvider.exe (*** suspicious ***) @ C:\Users\rafiksq\AppData\Roaming\ViStart\Plugins\MetroProvider.exe [8224] (Provides Metro Services to ViStart/Lee-Soft.com)(2013-01-17 13:58:02)  0000000000f40000
Process  C:\Users\rafiksq\AppData\Roaming\ViStart\Plugins\SearchProvider.exe (*** suspicious ***) @ C:\Users\rafiksq\AppData\Roaming\ViStart\Plugins\SearchProvider.exe [8292] (Provides file search results for ViStart./Lee Chantrey)(2012-10-18 22:46:50)  0000000000400000

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code