GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-12-28 10:05:23
Windows 6.2.9200 x64
\Device\Harddisk0\DR0 -> \Device\0000002b ST332031 rev.SC14 298.09GB
Running: xhsnkhe1.exe; Driver: C:\Users\Maggie\AppData\Local\Temp\kfldypoc.sys

---- User code sections - GMER 2.2 ----

.text   C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5500] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection   00007ffa681365c0 16 bytes {MOV RAX, 0x7ffa50527214; JMP RAX}
?       C:\windows\system32\apphelp.dll [5228] entry point in ".rdata" section 000000007367f7c0

---- User IAT/EAT - GMER 2.2 ----

IAT     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5324] @ C:\windows\SYSTEM32\DWrite.dll[ntdll.dll!NtAlpcConnectPort]   [7ffa3c871ca8] C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll

---- Threads - GMER 2.2 ----

Thread  C:\windows\system32\csrss.exe [684:724]   ffffc79d993a6c20
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:3464]   00007ffa64a359c0
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:3468]   00007ffa5c483990
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:3480]   00007ffa5d8e48e0
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:3492]   00007ffa64a359c0
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:3496]   00007ffa5c483990
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:3592]   00007ffa57ede010
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:3628]   00007ffa5c309310
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:3632]   00007ffa5c309310
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:3636]   00007ffa5c309310
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:3640]   00007ffa5c309310
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:4276]   00007ffa64a359c0
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:4284]   00007ffa5c483990
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:4360]   00007ffa57ede010
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:5388]   00007ffa64a370d0
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:5440]   00007ffa4f79f720
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:5416]   00007ffa62f611a0
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:5376]   00007ffa5488caf0
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:4740]   00007ffa4f829780
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:2820]   00007ffa5488caf0
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:1624]   00007ffa5488caf0
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:4720]   00007ffa49134c90
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:5124]   00007ffa5c349de0
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:4556]   00007ffa5c349de0
Thread  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe [3224:5792]   00007ffa5c349de0
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [3660:3408]   00007ffa64a359c0
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [3660:4116]   00007ffa5d8e48e0
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [3660:4128]   00007ffa5c483990
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [3660:4140]   00007ffa4d6c54a0
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [3660:4152]   00007ffa64a370d0
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [3660:4228]   00007ffa57ede010
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [3660:4236]   00007ffa62f611a0
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [3660:4496]   00007ffa4aa1cde0
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [3660:4500]   00007ffa4aa9af50
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [3660:4504]   00007ffa4aa5a3a0
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [3660:4544]   00007ffa4aa9af50
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [3660:4596]   00007ffa4aaa29d0
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [3660:4468]   00007ffa4aa9af50
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [3660:4872]   00007ffa645f2a50
Thread  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [3660:472]   00007ffa5c349de0

---- Registry - GMER 2.2 ----

Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed   -534831747
Reg     HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName   Global\MMF_BITS6463458e-74d2-4570-b7e4-c5dd0de6f189
Reg     HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc@Start   2
Reg     HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated   0x2E 0xDF 0x13 0x28 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh   0x2E 0x47 0xD8 0x89 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow   0x2E 0x77 0x4F 0xC6 ...

---- EOF - GMER 2.2 ----