GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-11-08 08:00:53
Windows 6.2.9200 \Device\Harddisk0\DR0 -> \Device\0000001f Hitachi_HTS725016A9A362 rev.PCBOC70E 149,05GB
Running: c1rkhqmz.exe; Driver: C:\Users\Lenovo\AppData\Local\Temp\kfwoapog.sys

---- Kernel code sections - GMER 2.2 ----

?       \SystemRoot\system32\ntoskrnl.exe                 kernel module suspicious modification
.text   C:\WINDOWS\system32\DRIVERS\atikmdag.sys          section is writeable [0x98A61000, 0x188C56, 0xE8000020]

---- Devices - GMER 2.2 ----

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1    iorate.sys
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1    volume.sys
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2    iorate.sys
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2    volume.sys
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3    iorate.sys
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3    volume.sys
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4    iorate.sys
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4    volume.sys
AttachedDevice  \FileSystem\fastfat \Fat                  FLTMGR.SYS

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed                              1553770040
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated                            0xC5 0xC8 0xA8 0x09 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh                                 0xC5 0x30 0x6D 0x6B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow                                  0xC5 0x60 0xE4 0xA7 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw                                                             0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask                                                         0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw                                                             0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask                                                         0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@Rw                                                             0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@RwMask                                                         0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\3@Rw                                                             0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\3@RwMask                                                         0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\4@Rw                                                             0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\4@RwMask                                                         0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\5@Rw                                                             0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\5@RwMask                                                         0x64 0x62 0x03 0x00 ...
Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate@LastTaskOperationHandle                           36
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@604E44CE                    7
Reg  HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{80790D70-DDA8-11E3-BE6E-806E6F6E6963}  9361457880
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds                                    Chrome?{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Maxthon\Bin\Maxthon.exe?
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Search\JumplistData@Chrome                                      0x06 0x43 0x53 0x6D ...

---- EOF - GMER 2.2 ----