GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-07-25 13:10:19 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002c Hitachi_HDS721050CLA660 rev.JP2OA41A 465,76GB Running: zk64gfp2.exe; Driver: C:\Users\bgm\AppData\Local\Temp\pfrdrkod.sys ---- User code sections - GMER 2.2 ---- ? C:\Windows\SYSTEM32\iertutil.dll [5392] entry point in ".rdata" section 0000000073ebd3c0 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [8112] entry point in ".rdata" section 0000000070e5bb10 ? C:\WINDOWS\SYSTEM32\iertutil.dll [8112] entry point in ".rdata" section 0000000073ebd3c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [4552] entry point in ".rdata" section 0000000073ebd3c0 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [4552] entry point in ".rdata" section 0000000070e5bb10 ? C:\WINDOWS\system32\apphelp.dll [4828] entry point in ".rdata" section 0000000074160380 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [568:636] fffff961dd5b4030 Thread C:\WINDOWS\system32\svchost.exe [784:904] 00007ff8ce1ca8a0 Thread C:\WINDOWS\system32\svchost.exe [784:912] 00007ff8ce1c9c70 Thread C:\WINDOWS\system32\svchost.exe [784:928] 00007ff8cde28d90 Thread C:\WINDOWS\system32\dwm.exe [952:1292] 00007ff8cc137450 Thread C:\WINDOWS\system32\svchost.exe [972:2192] 00007ff8c7ba9670 Thread C:\WINDOWS\system32\svchost.exe [972:3460] 00007ff8c7ba5a40 Thread C:\WINDOWS\system32\svchost.exe [972:796] 00007ff8c775c040 Thread C:\WINDOWS\system32\svchost.exe [972:4608] 00007ff8c775c040 Thread C:\WINDOWS\system32\svchost.exe [972:6420] 00007ff8c775c040 Thread C:\WINDOWS\system32\svchost.exe [972:8124] 00007ff8c7b9e0e0 Thread C:\WINDOWS\system32\svchost.exe [972:2464] 00007ff8c79d94e0 Thread C:\WINDOWS\system32\svchost.exe [972:4180] 00007ff8c79cbe40 Thread C:\WINDOWS\system32\svchost.exe [444:2724] 00007ff8c47f1a50 Thread C:\WINDOWS\system32\svchost.exe [444:2836] 00007ff8c43f4ba0 Thread C:\WINDOWS\system32\svchost.exe [444:3576] 00007ff8c8d62750 Thread C:\WINDOWS\system32\svchost.exe [444:5284] 00007ff8ca8e1040 Thread C:\WINDOWS\system32\svchost.exe [444:5288] 00007ff8bc0e4c50 Thread C:\WINDOWS\system32\svchost.exe [444:5292] 00007ff8bc0e4c50 Thread C:\WINDOWS\system32\svchost.exe [444:3376] 00007ff8bce43f10 Thread C:\WINDOWS\system32\svchost.exe [444:5976] 00007ff8bce2e2a0 Thread C:\WINDOWS\system32\svchost.exe [444:508] 00007ff8bbd53320 Thread C:\WINDOWS\system32\svchost.exe [444:6136] 00007ff8bb8c7b00 Thread C:\WINDOWS\system32\svchost.exe [444:5664] 00007ff8bb808050 Thread C:\WINDOWS\system32\svchost.exe [444:4320] 00007ff8bb906ba0 Thread C:\WINDOWS\system32\svchost.exe [444:2600] 00007ff8bb90a8d0 Thread C:\WINDOWS\system32\svchost.exe [444:6080] 00007ff8aa1022e0 Thread C:\WINDOWS\system32\svchost.exe [444:6304] 00007ff8aa1022e0 Thread C:\WINDOWS\system32\svchost.exe [444:2488] 00007ff8aa1022e0 Thread C:\WINDOWS\system32\svchost.exe [1044:1164] 00007ff8cce41440 Thread C:\WINDOWS\system32\svchost.exe [1044:2900] 00007ff8c3c9c550 Thread C:\WINDOWS\system32\svchost.exe [1044:2904] 00007ff8c3c9c530 Thread C:\WINDOWS\system32\svchost.exe [1044:2960] 00007ff8c7b66320 Thread C:\WINDOWS\system32\svchost.exe [1044:2964] 00007ff8c7b786e0 Thread C:\WINDOWS\System32\svchost.exe [1048:1540] 00007ff8c9c810a0 Thread C:\WINDOWS\System32\svchost.exe [1048:1612] 00007ff8c9c354a0 Thread C:\WINDOWS\System32\svchost.exe [1048:3004] 00007ff8c7b66320 Thread C:\WINDOWS\System32\svchost.exe [1048:4868] 00007ff8ade69dd0 Thread C:\WINDOWS\System32\svchost.exe [1048:5816] 00007ff8ade62450 Thread C:\WINDOWS\system32\svchost.exe [1132:5652] 00007ff8b690b590 Thread C:\WINDOWS\system32\svchost.exe [1132:1972] 00007ff8c9b82a20 Thread C:\WINDOWS\system32\svchost.exe [1132:1636] 00007ff8c9b82610 Thread C:\WINDOWS\system32\svchost.exe [1240:1264] 00007ff8cd2d2a30 Thread C:\WINDOWS\system32\svchost.exe [1240:1664] 00007ff8ce826b60 Thread C:\WINDOWS\system32\svchost.exe [1240:1708] 00007ff8ce826b60 Thread C:\WINDOWS\system32\svchost.exe [1240:1716] 00007ff8ce826b60 Thread C:\WINDOWS\system32\svchost.exe [1240:1728] 00007ff8c96fe110 Thread C:\WINDOWS\system32\svchost.exe [1240:1736] 00007ff8c9a882e0 Thread C:\WINDOWS\system32\svchost.exe [1240:1848] 00007ff8c96ffc10 Thread C:\WINDOWS\system32\svchost.exe [1240:1852] 00007ff8c96ee720 Thread C:\WINDOWS\system32\svchost.exe [1240:1856] 00007ff8c96ff120 Thread C:\WINDOWS\system32\svchost.exe [1240:1908] 00007ff8c95c6aa0 Thread C:\WINDOWS\system32\svchost.exe [1240:1912] 00007ff8c95cb0c0 Thread C:\WINDOWS\system32\svchost.exe [1240:2516] 00007ff8c6a21240 Thread C:\WINDOWS\system32\svchost.exe [1240:2520] 00007ff8c6a39490 Thread C:\WINDOWS\system32\svchost.exe [1240:2524] 00007ff8c69f29b0 Thread C:\WINDOWS\system32\svchost.exe [1240:3984] 00007ff8c1bc3d30 Thread C:\WINDOWS\system32\svchost.exe [1240:4928] 00007ff8c1bc22b0 Thread [1428:1596] 00007ff8ca0c9230 Thread C:\WINDOWS\system32\svchost.exe [1460:1488] 00007ff8c9fccc70 Thread C:\WINDOWS\system32\svchost.exe [1460:1520] 00007ff8c9fcd540 Thread C:\WINDOWS\system32\svchost.exe [1460:1524] 00007ff8c9fcdb50 Thread C:\WINDOWS\system32\svchost.exe [1460:1528] 00007ff8c9fcbed0 Thread C:\WINDOWS\system32\svchost.exe [1460:1684] 00007ff8c999a840 Thread C:\WINDOWS\system32\svchost.exe [1460:1200] 00007ff8c907fd10 Thread C:\WINDOWS\system32\svchost.exe [1460:2912] 00007ff8c8d62750 Thread C:\WINDOWS\system32\svchost.exe [1460:3288] 00007ff8c9fcdd00 Thread C:\WINDOWS\system32\svchost.exe [1460:3312] 00007ff8c9fc6a30 Thread C:\WINDOWS\system32\svchost.exe [1460:5640] 00007ff8bdfc6f80 Thread C:\WINDOWS\system32\svchost.exe [1460:5280] 00007ff8bdfc6f80 Thread C:\WINDOWS\system32\svchost.exe [1460:192] 00007ff8bdfc6f80 Thread C:\WINDOWS\system32\svchost.exe [1460:3408] 00007ff8bdfc6f80 Thread C:\WINDOWS\system32\svchost.exe [1460:4468] 00007ff8bb86c900 Thread C:\WINDOWS\system32\svchost.exe [1460:4240] 00007ff8c9ba1480 Thread C:\WINDOWS\system32\svchost.exe [1460:6124] 00007ff8c9a12fd0 Thread C:\WINDOWS\system32\svchost.exe [1460:5660] 00007ff8c9a01a20 Thread C:\WINDOWS\system32\svchost.exe [1460:4764] 00007ff8c775c040 Thread C:\WINDOWS\system32\svchost.exe [1460:7796] 00007ff8c9ba1d70 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1224:932] 000000000049de9c Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1224:2552] 0000000000404904 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1224:2560] 0000000000404904 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1224:2588] 0000000000404904 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1224:2592] 0000000000404904 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2212:2216] 000000000050779e Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2212:3516] 00000000004c88f0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2212:3540] 000000000040a7a0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2212:3548] 0000000009e00850 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2212:3868] 0000000000470560 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2212:3880] 00000000004ba500 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2212:3892] 00000000004d1540 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2212:3896] 00000000004d1540 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2212:476] 00000000004ba500 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2212:5712] 00000000004717e0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2212:188] 00000000004d1540 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2212:2484] 00000000004d1540 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2212:7320] 00000000004d1540 Thread C:\WINDOWS\system32\taskhostw.exe [3832:2368] 00007ff8c1b92020 Thread C:\WINDOWS\system32\taskhostw.exe [3832:3456] 00007ff8bdf91230 Thread C:\WINDOWS\system32\taskhostw.exe [3832:4000] 00007ff8d1985300 Thread C:\WINDOWS\system32\taskhostw.exe [3832:3996] 00007ff8cdbb30f0 Thread C:\WINDOWS\system32\taskhostw.exe [3832:5544] 00007ff8c775c040 Thread C:\WINDOWS\system32\sihost.exe [3824:6780] 00007ff8cdcc87b0 Thread C:\WINDOWS\system32\sihost.exe [3824:4672] 00007ff8cdcc87b0 Thread C:\WINDOWS\system32\sihost.exe [3824:2328] 00007ff8cdcc87b0 Thread C:\Windows\System32\RuntimeBroker.exe [4456:32] 00007ff8cdcc87b0 Thread C:\Windows\System32\RuntimeBroker.exe [4456:5320] 00007ff8b6156f00 Thread C:\Windows\System32\RuntimeBroker.exe [4456:6952] 00007ff8b6156f00 Thread C:\Windows\System32\RuntimeBroker.exe [4456:7336] 00007ff8cdb30880 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [5516:5520] 0000000000456a4a Thread C:\WINDOWS\SYSTEM32\ntdll.dll [5516:5576] 0000000000459b19 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [5516:5580] 0000000000459b19 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [8112:8116] 00000000003326c2 Thread C:\WINDOWS\explorer.exe [3912:8] 00007ff8ceec3e80 Thread C:\WINDOWS\explorer.exe [3912:3920] 00007ff8c99f1c40 Thread C:\WINDOWS\explorer.exe [3912:7060] 00007ff8b7f539e0 Thread C:\WINDOWS\explorer.exe [3912:5780] 00007ff8b034d850 Thread C:\WINDOWS\explorer.exe [3912:5880] 00007ff8cdbb30f0 Thread C:\WINDOWS\explorer.exe [3912:7960] 00007ff8ca0c9230 Thread C:\WINDOWS\explorer.exe [3912:4064] 00007ff8b7f60250 Thread C:\WINDOWS\explorer.exe [3912:8072] 00007ff8b7f60250 Thread C:\WINDOWS\explorer.exe [3912:6532] 00007ff8b7f60250 Thread C:\WINDOWS\explorer.exe [3912:4160] 00007ff8b7f60250 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot@OfficeODC ?????????????????????????????r?\?3?????????????\???????????????????????????????????????????????????????????\??????? ???\??? ??? ???\??? ??? ???\???\???\??????? ???\???\??? ???\?????:? ??? ???????????\???????????????????????????????????????????????????????\???????????????????\???????????^???????^???????c???????????????????????c???????????????????????????c?????????????A???????????????????????????????????????????????????C?????????c???????????????????????????????????c???????????????c????\System Volume Information\FVE2.{e40ad34d-dae9-4bc7-95bd-b16218c10f72}.*????\System Volume Information\FVE2.{c9ca54a3-6983-46b7-8684-a7e5e23499e3}??????\System Volume Information\FVE2.{24e6f0ae-6a00-4f73-984b-75ce9942852d}????????????????????e?????\System Volume Information\FVE2.{9ef82dfa-1239-4a30-83e6-3b3e9b8fed08}??????? ??????????????o???\System Volume Information\FVE2.{aff97bac-a69b-45da-aba1-2cfbce434750}.*????? ??????????????????\System Volume Information\FVE2.{9ef82dfa-1239-4a30-83e6-3b3e9b8fed08}.*???????????????????l??? Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1177236417 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xF8 0x70 0x59 0x68 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xF8 0xD8 0x1D 0xCA ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xF8 0x08 0x95 0x06 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0x57 0x2F 0x54 0x01 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\iexplore@Count 441 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds Microsoft.Windows.ControlPanel? ---- Files - GMER 2.2 ---- File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f6c 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f6d 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f6e 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f6f 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f70 32998 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f71 20760 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f72 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f73 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f74 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f75 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f76 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f77 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f78 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f79 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f7a 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f7b 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f7c 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f7d 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f7e 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f5f 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f60 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f61 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f62 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f65 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f68 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f69 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f6a 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f6b 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f7f 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f93 119422 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f94 130465 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f95 280219 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f96 239871 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f97 64970 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f98 54528 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f99 21141 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002f9b 86394 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002feb 74038 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002fed 18382 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002ffa 82736 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002ffb 39702 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002ffe 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002fff 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_003000 63419 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_003001 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_003004 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_003005 25981 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_003006 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_003007 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_003008 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_003009 33751 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_00300a 36790 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_00300b 21508 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_00300c 21105 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_00300f 24996 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_003011 21862 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_003012 16872 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_003013 29088 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_003015 30405 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_003016 22001 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_003017 27182 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_003018 221059 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_003019 400974 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_00301a 63675 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_00301b 0 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_00301c 80851 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_002ff9 21938 bytes File C:\Users\bgm\AppData\Local\Opera Software\Opera Developer\Cache\f_00300d 0 bytes ---- EOF - GMER 2.2 ----