GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-04-19 15:03:51
Windows 6.2.9200 x64  \Device\Harddisk0\DR0 -> \Device\0000002d ST1000LM024_HN-M101MBB rev.2AR10002 931,51GB
Running: geq85gpp.exe; Driver: C:\Users\Oskar\AppData\Local\Temp\ugtdrfoc.sys

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [9848:6440]  ffffb9b1e8606c20

---- Services - GMER 2.2 ----

Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO]    CDPUserSvc_3e6120             <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [MANUAL]  MessagingService_3e6120       <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO]    OneSyncSvc_3e6120             <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [MANUAL]  PimIndexMaintenanceSvc_3e6120 <-- ROOTKIT !!!
Service  C:\WINDOWS\System32\svchost.exe (*** hidden *** )  [MANUAL]  UnistoreSvc_3e6120            <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [MANUAL]  UserDataSvc_3e6120            <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [MANUAL]  WpnUserService_3e6120         <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Diagnostics\Performance@ActiveShutdownDCL  C:\WINDOWS\System32\WDI\LogFiles\WdiContextLog.etl.003
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SEM03240_00_07DC_50^0B746CAD6681E27BE5A0E4466F3FDB32@Timestamp  0xDC 0x1C 0x35 0x0D ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\c1f0e6da-a4ee-406f-8e7b-74dcc40bd4a2\238c9fa8-0aad-41ed-83f4-97be242c8f20\29f6c1db-86da-48c5-9fdb-f2b67b1f44da@ACSettingIndex  10800
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\c1f0e6da-a4ee-406f-8e7b-74dcc40bd4a2\238c9fa8-0aad-41ed-83f4-97be242c8f20\9d7815a6-7ee4-497e-8888-515a05f02364@ACSettingIndex  10800
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  11941911
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime  6677
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime  6251
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime  19180
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeBootMgrTime  1013
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppTime  1866
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppStartTimestamp  7687
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeLibraryInitTime  229
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeInitTime  882
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeHiberFileTime  741
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeRestoreImageStartTimestamp  8799
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeIoTime  638
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressTime  231
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAllocateTime  2
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeKernelSwitchTimestamp  9554
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp  9609
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp  17666
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TimeStampCounterAtSwitchTime  9600
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState  19169
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberHiberFileTime  7788
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberInitTime  166
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberSharedBufferTime  4
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalHibernateTime  15376
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeHiberFileTime  7251
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeInitTime  176
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeSharedBufferTime  7
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime  1461
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelAnimationTime  93
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesProcessed  598101
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesWritten  0xC3 0xFE 0x02 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesProcessed  34942
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesWritten  0xCE 0x46 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeReadRate  108
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberChecksumTime  146
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberChecksumIoTime  29
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelChecksumTime  119
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelChecksumIoTime  41
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeIoCpuTime  5580
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberIoCpuTime  842
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HybridBootAnimationTime  8098
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp  0x9D 0xC1 0xA8 0x62 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\1867b072d57c
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\1867b072d57c@ac9b0a14ba75  0x3E 0x06 0xBF 0x66 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3e6120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3e6120@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3e6120@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3e6120@ErrorControl  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3e6120@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3e6120@DisplayName  CDPUserSvc_3e6120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3e6120@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3e6120@Description  @%SystemRoot%\system32\cdpusersvc.dll,-101
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3e6120\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3e6120\Security@Security  0x01 0x00 0x14 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3e6120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{52DBF501-C77A-4DC7-8375-2276F5484676}@DefunctTimestamp  0xED 0xA5 0xF2 0x58 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3e6120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3e6120@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3e6120@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3e6120@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3e6120@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3e6120@DisplayName  MessagingService_3e6120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3e6120@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3e6120@Description  @%SystemRoot%\system32\MessagingService.dll,-101
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3e6120\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3e6120\Security@Security  0x01 0x00 0x14 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3e6120\TriggerInfo
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3e6120\TriggerInfo\0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3e6120\TriggerInfo\0@Type  7
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3e6120\TriggerInfo\0@Action  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3e6120\TriggerInfo\0@Guid  0x16 0x28 0x7A 0x2D ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3e6120\TriggerInfo\0@Data0  0x75 0x18 0xBC 0xA3 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3e6120\TriggerInfo\0@DataType0  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3e6120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3e6120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3e6120@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3e6120@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3e6120@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3e6120@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3e6120@DisplayName  Sync Host_3e6120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3e6120@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3e6120@Description  @%SystemRoot%\system32\APHostRes.dll,-10001
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3e6120\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3e6120\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3e6120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3e6120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3e6120@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3e6120@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3e6120@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3e6120@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3e6120@DisplayName  Contact Data_3e6120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3e6120@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3e6120@Description  @%SystemRoot%\system32\UserDataAccessRes.dll,-15000
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3e6120\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3e6120\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3e6120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  5231
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  142
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98bf88b5-8cb4-4ba0-b8ca-ce5e73535c42}@LeaseObtainedTime  1492542560
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98bf88b5-8cb4-4ba0-b8ca-ce5e73535c42}@T1  1492585760
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98bf88b5-8cb4-4ba0-b8ca-ce5e73535c42}@T2  1492618160
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98bf88b5-8cb4-4ba0-b8ca-ce5e73535c42}@LeaseTerminatesTime  1492628960
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3e6120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3e6120@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3e6120@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3e6120@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3e6120@ImagePath  C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3e6120@DisplayName  User Data Storage_3e6120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3e6120@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3e6120@Description  @%SystemRoot%\system32\UserDataAccessRes.dll,-10002
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3e6120\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3e6120\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3e6120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3e6120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3e6120@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3e6120@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3e6120@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3e6120@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3e6120@DisplayName  User Data Access_3e6120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3e6120@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3e6120@Description  @%SystemRoot%\system32\UserDataAccessRes.dll,-14000
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3e6120\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3e6120\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3e6120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0x43 0x92 0xB3 0x12 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0x43 0xFA 0x77 0x74 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0x43 0x2A 0xEF 0xB0 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3e6120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3e6120@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3e6120@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3e6120@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3e6120@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3e6120@DisplayName  Windows Push Notifications User Service_3e6120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3e6120@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3e6120@Description  @%SystemRoot%\system32\WpnUserService.dll,-2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3e6120\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3e6120\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3e6120
Reg  HKLM\SYSTEM\Maps@LastMapUpdateCheck  0xD9 0xFA 0xB9 0xB7 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\3@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\3@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{82D3138F-2A9D-4AB5-8E11-A69218056645}@LastAccessedTime  0x10 0xA5 0x37 0xF8 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{82D3138F-2A9D-4AB5-8E11-A69218056645}@LaunchCount  1
Reg  HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_f32a28561fa1edf333e0a2c628be36cb785687cc_00000000_cab_0ae1875a
Reg  HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles@CheckingForSolutionDialog  0xBE 0x01 0x03 0x00 ...

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----
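Triage note and an added example (this is not GMER code and not the poster's; it was written for this page). Every service GMER marks "hidden" above shares three properties that the log itself records: the name is a known template name followed by an underscore and a hex logon-session LUID (CDPUserSvc_3e6120, WpnUserService_3e6120, ...), the registry Type is 224 (0xE0 = SERVICE_USER_SHARE_PROCESS 0x60 | SERVICE_USERSERVICE_INSTANCE 0x80, the bit Windows 10 version 1607 and later set on per-user service instances), and the ImagePath is svchost.exe -k UnistackSvcGroup with a Description resource in a Microsoft DLL. That pattern is what a per-user service instance looks like, so the "ROOTKIT" label here needs to be checked against it before anyone reaches for a removal tool. The "Windows 6.2.9200" in the header is not evidence against that reading: an application without a compatibility manifest is reported a 6.2 version on newer Windows, and per-user instances only exist on Windows 10. The script below parses the Services and Registry sections of a GMER 2.2 log, joins each hidden-service hit to its own registry values, and classifies it; the Type bit constants come from the Windows SDK, the log lines are copied from above, and the ExampleSvc lines are a constructed negative case, not something found on this machine. It is a triage aid that works offline on the log text; the verdict still needs confirming on the host (template key present, ServiceDll Microsoft-signed).

```python
"""Triage GMER 2.2 'hidden service' hits against the log's own Registry section.

Added example for this page, not GMER code. Type bits are from the Windows SDK;
the ExampleSvc lines are a CONSTRUCTED negative case, not from the log.
"""
import re
from dataclasses import dataclass, field

# Service Type bits (winnt.h). 224 == 0xE0 == USER_SHARE_PROCESS | USERSERVICE_INSTANCE.
SERVICE_USER_SHARE_PROCESS = 0x60
SERVICE_USERSERVICE_INSTANCE = 0x80   # set on the per-logon instance, never on the template

SERVICE_LINE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+\((?P<flags>[^)]*)\)\s+\[(?P<start>[A-Z]+)\]\s+"
    r"(?P<name>\S+)\s+<--\s+(?P<verdict>.+?)\s*$")
SERVICES_KEY = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\CurrentControlSet\\Services\\(?P<svc>[^\\@\s]+)"
    r"(?P<sub>(?:\\[^\\@\s]+)*)(?:@(?P<val>\w+)\s+(?P<data>.*?))?\s*$")
PER_USER_NAME = re.compile(r"^(?P<template>.+)_(?P<luid>[0-9a-f]{1,8})$")  # Template_<LUID hex>

# Lines copied from the GMER log on this page (column spacing is not significant).
LOG_EXCERPT = r"""
---- Services - GMER 2.2 ----
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO]    CDPUserSvc_3e6120      <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [MANUAL]  WpnUserService_3e6120  <-- ROOTKIT !!!
---- Registry - GMER 2.2 ----
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3e6120
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3e6120@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3e6120@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3e6120@Description  @%SystemRoot%\system32\cdpusersvc.dll,-101
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3e6120\Security@Security  0x01 0x00 0x14 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3e6120@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3e6120@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
"""
# CONSTRUCTED negative case (not in the log): a hidden service with no per-user markers.
CONSTRUCTED_EXTRA = r"""
Service  C:\Users\Public\example.exe (*** hidden *** )  [AUTO]  ExampleSvc  <-- ROOTKIT !!!
Reg  HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc@Type  16
Reg  HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc@ImagePath  C:\Users\Public\example.exe
"""

@dataclass
class ServiceHit:
    name: str
    image: str
    start: str
    flags: str

@dataclass
class ServiceKey:
    values: dict = field(default_factory=dict)   # values directly under the service key
    subkeys: set = field(default_factory=set)    # first-level subkeys seen (Security, TriggerInfo, ...)

def parse_gmer(text):
    """Return ([ServiceHit], {service name: ServiceKey}) from GMER log text."""
    hits, keys = [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SERVICE_LINE.match(line):
            hits.append(ServiceHit(m["name"], m["image"], m["start"], m["flags"].strip()))
        elif m := SERVICES_KEY.match(line):
            key = keys.setdefault(m["svc"], ServiceKey())
            if m["sub"]:
                key.subkeys.add(m["sub"].lstrip("\\").split("\\")[0])
            elif m["val"]:
                key.values[m["val"]] = m["data"]
    return hits, keys

def triage(hit, key):
    """Classify one hidden-service hit using only what the log recorded for it."""
    if key is None:
        return "no registry data in log; inspect on the host", []
    svc_type = int(key.values.get("Type", "0"))
    image = key.values.get("ImagePath", "")
    per_user = PER_USER_NAME.match(hit.name)
    if svc_type & SERVICE_USERSERVICE_INSTANCE and per_user:
        reasons = [f"Type 0x{svc_type:X} has SERVICE_USERSERVICE_INSTANCE (0x80) set",
                   f"name = template '{per_user['template']}' + logon-session LUID {per_user['luid']}"]
        if (svc_type & SERVICE_USER_SHARE_PROCESS) == SERVICE_USER_SHARE_PROCESS and "svchost.exe -k" in image:
            reasons.append(f"shared user-mode host: {image}")
        reasons.append(f"verify on host: Services\\{per_user['template']} template key exists and "
                       "its Parameters\\ServiceDll is Microsoft-signed")
        return "per-user service instance (Windows 10 1607+); likely GMER false positive", reasons
    return ("hidden service without per-user markers; treat as suspicious",
            [f"Type 0x{svc_type:X}", f"ImagePath = {image or '<not captured>'}"])

def report(text):
    """Map each hidden-service name to its (verdict, reasons)."""
    hits, keys = parse_gmer(text)
    return {h.name: triage(h, keys.get(h.name)) for h in hits}

if __name__ == "__main__":
    for name, (verdict, reasons) in report(LOG_EXCERPT + CONSTRUCTED_EXTRA).items():
        print(f"{name}: {verdict}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run it on the full log text (the header, thread and disk lines are ignored) to get one verdict per hidden service. All seven services in this log take the per-user branch; anything that lands in the "no per-user markers" branch, or whose ImagePath is not a system svchost group, is the entry worth the time.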