GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-07-10 23:31:36
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 WDC_WD5001AALS-00E3A0 rev.05.01D05 465,76GB
Running: 66qyuklt.exe; Driver: C:\Users\Mateusz\AppData\Local\Temp\pxdyypow.sys

---- User code sections - GMER 2.1 ----

.text C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE15\CSISYN~1.EXE[1852] C:\WINDOWS\system32\OLEAUT32.dll!SysFreeString 00007fface1f1720 5 bytes JMP 00007ffb8fcd03b8
.text C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE15\CSISYN~1.EXE[1852] C:\WINDOWS\system32\OLEAUT32.dll!VariantClear 00007fface1f1810 5 bytes JMP 00007ffb8fcd0478
.text C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE15\CSISYN~1.EXE[1852] C:\WINDOWS\system32\OLEAUT32.dll!SysAllocStringByteLen 00007fface1f2300 5 bytes JMP 00007ffb8fcd0358
.text C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE15\CSISYN~1.EXE[1852] C:\WINDOWS\system32\OLEAUT32.dll!VariantChangeType 00007fface204260 10 bytes JMP 00007ffb8fcd0418
.text C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE15\CSISYN~1.EXE[1852] C:\WINDOWS\system32\USER32.dll!BeginPaint 00007ffacfcd1070 8 bytes JMP 00007ffb8fcd0238
.text C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE15\CSISYN~1.EXE[1852] C:\WINDOWS\system32\USER32.dll!ValidateRect 00007ffacfcd1360 8 bytes JMP 00007ffb8fcd0298
.text C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE15\CSISYN~1.EXE[1852] C:\WINDOWS\system32\USER32.dll!RegisterClipboardFormatW 00007ffacfcd4b20 9 bytes JMP 00007ffb8fcd01d8
.text C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE15\CSISYN~1.EXE[1852] C:\WINDOWS\system32\USER32.dll!RegisterClipboardFormatA 00007ffacfcda950 6 bytes JMP 00007ffb8fcd0178
.text C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE15\CSISYN~1.EXE[1852] C:\WINDOWS\system32\SHELL32.dll!SHParseDisplayName 00007fface36c6e0 5 bytes JMP 00007ffb8fcd04d8

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\system32\csrss.exe [572:596] fffff960008612d0
Thread [2176:2908] 00007ffad0b98470
Thread C:\WINDOWS\SysWOW64\msiexec.exe [5552:248] 000000007f0f392e

---- Processes - GMER 2.1 ----

Process C:\Users\Mateusz\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe (*** suspicious ***) @ C:\Users\Mateusz\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe [2008] (Microsoft® Volume Shadow Copy Service/Microsoft Corporation)(2015-06-27 13:53:57) 0000000000400000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xC9 0x77 0xB4 0xD3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x1B 0x4B 0xBA 0x15 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x89 0x63 0xC0 0xD3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xCF 0x36 0xC6 0x15 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 503
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\GSM577B122135_09_07DA_DD^640AE5B0A3C3CCDAD20659870F2A9B9A@Timestamp 0x66 0x8A 0xA9 0xD4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 680
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 4522109
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -1781290849
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 516
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 447507074
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 25504
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 5653f73f-96ca-4063-82b6-0ff307e
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{a6ce4835-e4cb-4610-9b89-6f57492e76fc}@LastProbeTime 1436561688
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-1d-d1-a3-48-a1@AddressCreationTimestamp 0xFB 0xA5 0xB0 0x0B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-1d-d1-a3-48-a1@ClientLocalPort 50613
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-1d-d1-a3-48-a1@TeredoAddress 2001:0:9d38:6abd:10eb:2ffc:a763:7f1a
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-1d-d1-a3-48-a1@UPnPExternalPort 50613
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?Pt?, ?lip ?10 ?15, 08:56:33???????????????????????????????????
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 21516
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 3951
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-In v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|LPort=3587|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=p2psvc|Name=@%systemroot%\system32\provsvc.dll,-200|Desc=@%systemroot%\system32\provsvc.dll,-201|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-Out v2.22|Action=Allow|Active=FALSE|Dir=Out|Protocol=6|Profile=Private|RPort=3587|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=p2psvc|Name=@%systemroot%\system32\provsvc.dll,-203|Desc=@%systemroot%\system32\provsvc.dll,-204|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-In v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Private|LPort=3540|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|Name=@%systemroot%\system32\provsvc.dll,-205|Desc=@%systemroot%\system32\provsvc.dll,-206|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-Out v2.22|Action=Allow|Active=FALSE|Dir=Out|Protocol=17|Profile=Private|RPort=3540|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|Name=@%systemroot%\system32\provsvc.dll,-207|Desc=@%systemroot%\system32\provsvc.dll,-208|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 505
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CEF72625-EFF1-4C04-BCF9-90AA0F2B855B}@LeaseObtainedTime 1436554488
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CEF72625-EFF1-4C04-BCF9-90AA0F2B855B}@T1 1436556288
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CEF72625-EFF1-4C04-BCF9-90AA0F2B855B}@T2 1436557638
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CEF72625-EFF1-4C04-BCF9-90AA0F2B855B}@LeaseTerminatesTime 1436558088
Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore@Count 122
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore@Blocked 122
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\iexplore@Count 123
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}\iexplore@Count 123
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}\iexplore@Blocked 119
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\iexplore@Count 249
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AF949550-9094-4807-95EC-D1C317803333}\iexplore@Count 125
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\iexplore@Count 2026
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\GWX\Usage@UsageTime 0xBE 0x01 0x0C 0x21 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0xC5 0xDE 0x92 0x8A ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0xC5 0xDE 0x92 0x8A ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherBandwidthBucketCounter 15927
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherRequestBucketCounter 263
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0xC5 0xDE 0x92 0x8A ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter 13832
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter 263
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0xC5 0xDE 0x92 0x8A ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime 0x94 0x41 0x16 0x8B ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@RoamingSyncToken LM%3d63572151992807%3bID%3d1745DEA6C3AF646!4714%3bLR%3d63572150792733%3bEP%3d4%3bTD%3dTrue%3bSO%3d0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0x7E 0x55 0x27 0xC5 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations 2
Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\Users\Mateusz\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_Redefine.ipla_3._311ddca145202f3ccfbc56de5db96d10396ce_19ace741_17358b31

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----