GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-10-30 11:12:11 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002c GOODRAM rev.SAFM22.3 223,57GB Running: hqd60pzl.exe; Driver: C:\Users\UKASZ~1\AppData\Local\Temp\kgadraog.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe695838d0 5 bytes JMP 00007ffde96d0480 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe69583920 5 bytes JMP 00007ffde96d0470 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe69583a80 5 bytes JMP 00007ffde96d0360 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe69583ad0 5 bytes JMP 00007ffde96d0490 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe69583ae0 5 bytes JMP 00007ffde96d03d0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe69583b90 5 bytes JMP 00007ffde96d0310 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe69583bc0 5 bytes JMP 00007ffde96d03a0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe69583be0 5 bytes JMP 00007ffde96d0380 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe69583c20 5 bytes JMP 00007ffde96d02d0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe69583ca0 5 bytes JMP 00007ffde96d02c0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe69583cc0 5 bytes JMP 00007ffde96d0300 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe69583d00 5 bytes JMP 00007ffde96d03b0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00007ffe69583d40 5 bytes JMP 00007ffde96d0440 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe69583d50 1 byte JMP 00007ffde96d03e0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00007ffe69583d52 3 bytes {JMP 0xffffffff8014c690} .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe69583ea0 5 bytes JMP 00007ffde96d0220 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe695840a0 5 bytes JMP 00007ffde96d04a0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe695840d0 5 bytes JMP 00007ffde96d0390 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe69584200 5 bytes JMP 00007ffde96d02e0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe69584220 5 bytes JMP 00007ffde96d0340 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe69584290 5 bytes JMP 00007ffde96d0280 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe69584330 5 bytes JMP 00007ffde96d02a0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe69584350 5 bytes JMP 00007ffde96d03c0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe69584360 5 bytes JMP 00007ffde96d0320 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe69584410 5 bytes JMP 00007ffde96d0410 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe69584440 5 bytes JMP 00007ffde96d0230 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ffe69584650 5 bytes JMP 00007ffde96d03f0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe69584770 5 bytes JMP 00007ffde96d01d0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe69584840 5 bytes JMP 00007ffde96d0240 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe69584870 5 bytes JMP 00007ffde96d04b0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe69584880 5 bytes JMP 00007ffde96d04c0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe695848b0 5 bytes JMP 00007ffde96d02f0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe695848c0 1 byte JMP 00007ffde96d0350 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffe695848c2 3 bytes {JMP 0xffffffff8014ba90} .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe69584920 5 bytes JMP 00007ffde96d0290 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe69584980 5 bytes JMP 00007ffde96d02b0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe695849b0 5 bytes JMP 00007ffde96d0370 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe695849c0 5 bytes JMP 00007ffde96d0330 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe69584cd0 1 byte JMP 00007ffde96d0460 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00007ffe69584cd2 3 bytes {JMP 0xffffffff8014b790} .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00007ffe69584e30 5 bytes JMP 00007ffde96d0420 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe69584ee0 5 bytes JMP 00007ffde96d0250 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe69584ef0 5 bytes JMP 00007ffde96d0260 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe69584f10 5 bytes JMP 00007ffde96d0400 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe69585100 5 bytes JMP 00007ffde96d01e0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe69585110 5 bytes JMP 00007ffde96d0200 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe695851a0 5 bytes JMP 00007ffde96d01f0 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe69585210 5 bytes JMP 00007ffde96d0430 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe69585220 5 bytes JMP 00007ffde96d0450 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe69585230 5 bytes JMP 00007ffde96d0210 .text C:\Windows\system32\lsass.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe69585340 5 bytes JMP 00007ffde96d0270 ? C:\Windows\SYSTEM32\iertutil.dll [1956] entry point in ".rdata" section 0000000072855020 ? C:\Windows\SYSTEM32\NTASN1.dll [1956] entry point in ".rdata" section 000000006f8a5630 ? C:\Windows\SYSTEM32\iertutil.dll [2036] entry point in ".rdata" section 0000000072855020 ? C:\Windows\SYSTEM32\NTASN1.dll [1184] entry point in ".rdata" section 000000006f8a5630 ? C:\Windows\SYSTEM32\NTASN1.dll [6472] entry point in ".rdata" section 000000006f8a5630 ? C:\Windows\SYSTEM32\iertutil.dll [3992] entry point in ".rdata" section 0000000072855020 ? C:\Windows\SYSTEM32\NTASN1.dll [3992] entry point in ".rdata" section 000000006f8a5630 ? C:\Windows\SYSTEM32\iertutil.dll [4440] entry point in ".rdata" section 0000000072855020 ? C:\Windows\system32\apphelp.dll [4440] entry point in ".rdata" section 000000005fa10aa0 ? C:\Windows\system32\apphelp.dll [3252] entry point in ".rdata" section 000000005fa10aa0 ---- Threads - GMER 2.2 ---- Thread C:\Windows\System32\spoolsv.exe [1736:1852] 00007ffe3ec16160 Thread C:\Windows\System32\spoolsv.exe [1736:4044] 00007ffe3e981010 Thread C:\Windows\system32\svchost.exe [1772:2864] 00007ffe56193ce0 Thread C:\Windows\system32\svchost.exe [1772:5516] 00007ffe56192270 Thread C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [1528:2492] 00007ffe5cbdd910 Thread C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [1528:2508] 00007ffe5cbe0600 Thread C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [1528:2908] 00007ffe57b7502c Thread C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [1528:4784] 00007ffe5cbdd910 Thread C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [1528:6488] 00007ffe5cbdd910 Thread C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [1528:6492] 00007ffe5cbdd910 Thread C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [1528:3584] 00007ffe5cbdd910 Thread C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [1528:7224] 00007ffe5cbdd910 Thread C:\Windows\system32\csrss.exe [4528:7836] fffff9613d567300 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1453492542 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\d07e353e9c65 ---- Files - GMER 2.2 ---- File C:\Windows\WinSxS\wow64_adobe-flash-for-windows_31bf3856ad364e35_10.0.10240.17164_none_3de85d1738a75669 0 bytes File C:\Windows\WinSxS\wow64_adobe-flash-for-windows_31bf3856ad364e35_10.0.10240.17164_none_3de85d1738a75669\activex.vch 736634 bytes File C:\Windows\WinSxS\wow64_adobe-flash-for-windows_31bf3856ad364e35_10.0.10240.17164_none_3de85d1738a75669\Flash.ocx 21790712 bytes executable File C:\Windows\WinSxS\wow64_adobe-flash-for-windows_31bf3856ad364e35_10.0.10240.17164_none_3de85d1738a75669\FlashPlayerApp.exe 828408 bytes executable File C:\Windows\WinSxS\wow64_adobe-flash-for-windows_31bf3856ad364e35_10.0.10240.17164_none_3de85d1738a75669\FlashPlayerCPLApp.cpl 176632 bytes executable File C:\Windows\WinSxS\wow64_adobe-flash-for-windows_31bf3856ad364e35_10.0.10240.17164_none_3de85d1738a75669\FlashUtil_ActiveX.dll 608248 bytes executable File C:\Windows\WinSxS\wow64_adobe-flash-for-windows_31bf3856ad364e35_10.0.10240.17164_none_3de85d1738a75669\FlashUtil_ActiveX.exe 1297400 bytes executable ---- EOF - GMER 2.2 ----