GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-12-13 12:45:55
Windows 6.2.9200 x64 \Device\Harddisk1\DR1 -> \Device\00000034 OCZ-VERTEX4 rev.1.5 119,24GB
Running: rmi1c9v9.exe; Driver: C:\Users\Grzegorz\AppData\Local\Temp\kfxdiaow.sys


---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [696:764]  ffffb41e5db36c20

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime  0xAD 0x6A 0x87 0x87 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime  0x11 0xEB 0xE1 0x7A ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime  0xAD 0x6A 0x87 0x87 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime  0x11 0xEB 0xE1 0x7A ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL  66
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\ACR01A6LNZ080064200_1E_07DA_B6^683398E4901F047B9A110268894C7970@Timestamp  0x94 0xAD 0x3D 0xF3 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  848
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  \??\C:\Users\Grzegorz\AppData\Local\Temp\nsd4397.tmp\registry.dll??\??\C:\Users\Grzegorz\AppData\Local\Temp\nsd4397.tmp\stack.dll??\??\C:\Users\Grzegorz\AppData\Local\Temp\nsd4397.tmp\xml.dll??\??\C:\Users\Grzegorz\AppData\Local\Temp\nsd4397.tmp\??\??\C:\Users\Grzegorz\AppData\Local\Temp\nsjD131.tmp\stack.dll??\??\C:\Users\Grzegorz\AppData\Local\Temp\nsjD131.tmp\??\??\C:\Users\Grzegorz\AppData\Local\Temp\nsoB839.tmp\stack.dll??\??\C:\Users\Grzegorz\AppData\Local\Temp\nsoB839.tmp\xml.dll??\??\C:\Users\Grzegorz\AppData\Local\Temp\nsoB839.tmp\??\??\C:\Users\Grzegorz\AppData\Local\Temp\nsbA5CB.tmp\xml.dll??\??\C:\Users\Grzegorz\AppData\Local\Temp\nsbA5CB.tmp\??\??\C:\Users\Grzegorz\AppData\Local\Temp\~nsu.tmp\Au_.exe??\??\C:\Users\Grzegorz\AppData\Local\Temp\~nsu.tmp??\??\C:\Users\Grzegorz\AppData\Local\Temp\~nsu.tmp\Bu_.exe??\??\C:\Users\Grzegorz\AppData\Local\Temp\~nsu.tmp??\??\C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe??\??\C:\Program Files\Reimage\Reimage Protector\??\??\C:\Program Files\Reimage
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber  5110065
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  -945966308
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId  67
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime  491476689
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime  12216
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime  11048
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID  d8b6c369-da43-455a-bda2-60ef485
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId  3
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{348a1c68-06a9-4de4-987a-2f81fb544fad}@LastProbeTime  1481582940
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{37136D51-2D51-4AE3-ACC4-CCD5A30A9D41}
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{37136D51-2D51-4AE3-ACC4-CCD5A30A9D41}@InterfaceName  Reusable ISATAP Interface {37136D51-2D51-4AE3-ACC4-CCD5A30A9D41}
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{37136D51-2D51-4AE3-ACC4-CCD5A30A9D41}@ReusableType  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{37136D51-2D51-4AE3-ACC4-CCD5A30A9D41}@DeviceInstancePath  SWD\IP_TUNNEL_VBUS\ISATAP_0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{37136D51-2D51-4AE3-ACC4-CCD5A30A9D41}@DefunctTimestamp  0x71 0xC2 0x4F 0x58 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{E69AC7CC-39B5-4860-94CD-8FE4B51DE4AF}@DefunctTimestamp  0x69 0xD0 0x4F 0x58 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  6228
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  1403
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence  65
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{40204314-ca6a-4821-885e-3c753cef8d19}@LeaseObtainedTime  1481627514
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{40204314-ca6a-4821-885e-3c753cef8d19}@T1  1481629314
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{40204314-ca6a-4821-885e-3c753cef8d19}@T2  1481630664
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{40204314-ca6a-4821-885e-3c753cef8d19}@LeaseTerminatesTime  1481631114
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop  0
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown  1
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds  Skype.Desktop.Application?E7CF176E110C211B?{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe?windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel?Microsoft.Windows.Photos_8wekyb3d8bbwe!App?C:\KMPlayer\KMPlayer.exe?
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@Skype.Desktop.Application  0x46 0xDA 0x36 0x9A ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@E7CF176E110C211B  0xF1 0x02 0x74 0x8A ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe  0xCE 0x68 0x6C 0x17 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel  0xDE 0x0E 0xE8 0x91 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@Microsoft.Windows.Photos_8wekyb3d8bbwe!App  0x15 0xCE 0x65 0xC8 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@C:\KMPlayer\KMPlayer.exe  0xFD 0x67 0xD9 0x5A ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{4A128526-1087-4C76-8C1C-6EFD6FE790C2}@LastAccessedTime  0x60 0x7D 0xAC 0x36 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{4A128526-1087-4C76-8C1C-6EFD6FE790C2}@LaunchCount  5

---- EOF - GMER 2.2 ----