GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-04-04 21:26:21
Windows 6.2.9200 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T1L0-d SAMSUNG_SSD_830_Series rev.CXM03B1Q 119,24GB
Running: 6c3ixej8.exe; Driver: C:\Users\lukasz\AppData\Local\Temp\pfxdqkoc.sys

---- User code sections - GMER 2.2 ----

? C:\Windows\system32\apphelp.dll [4040] entry point in ".rdata" section 000000006e580380
? C:\Program Files (x86)\Microsoft Visual Studio 14.0\Team Tools\DiagnosticsHub\Collector\amd64\DiagnosticsHub.StandardCollector.Proxy.dll [6112] entry point in ".orpc" section 00007fff5f411159
? C:\Windows\system32\wbem\wbemsvc.dll [8084] entry point in ".rdata" section 000000006f068fa0
? C:\Windows\SYSTEM32\iertutil.dll [8084] entry point in ".rdata" section 000000006c12caf0
? C:\Windows\SYSTEM32\ActXPrxy.dll [8084] entry point in ".rdata" section 000000006bd4bc40
? C:\Windows\SYSTEM32\apphelp.dll [8084] entry point in ".rdata" section 000000006e580380
? C:\Windows\system32\mssprxy.dll [8084] entry point in ".rdata" section 000000006cdea4e0
? C:\Windows\SYSTEM32\iertutil.dll [7228] entry point in ".rdata" section 000000006c12caf0
? C:\Windows\SYSTEM32\ActXPrxy.dll [6784] entry point in ".rdata" section 000000006bd4bc40
? C:\Windows\system32\apphelp.dll [7140] entry point in ".rdata" section 000000006e580380
? C:\Windows\SYSTEM32\ActXPrxy.dll [7140] entry point in ".rdata" section 000000006bd4bc40
? C:\Windows\SYSTEM32\iertutil.dll [7140] entry point in ".rdata" section 000000006c12caf0
? C:\Windows\system32\mssprxy.dll [7140] entry point in ".rdata" section 000000006cdea4e0
? C:\Windows\system32\apphelp.dll [7512] entry point in ".rdata" section 000000006e580380
? C:\Windows\system32\apphelp.dll [6972] entry point in ".rdata" section 000000006e580380
? C:\Windows\system32\apphelp.dll [868] entry point in ".rdata" section 000000006e580380
? C:\Windows\system32\apphelp.dll [7508] entry point in ".rdata" section 000000006e580380
? C:\Windows\system32\apphelp.dll [1196] entry point in ".rdata" section 000000006e580380
? C:\Windows\system32\apphelp.dll [5488] entry point in ".rdata" section 000000006e580380
? C:\Windows\system32\apphelp.dll [5716] entry point in ".rdata" section 000000006e580380

---- Threads - GMER 2.2 ----

Thread C:\Windows\system32\csrss.exe [8320:8876] fffff96124cb4060

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\AOC2343ADGACOC000348_31_07DA_4D^799E233AA27DF830AD67758E878BF43E@Timestamp 0x35 0x3D 0x03 0xA8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1942239148
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 22263
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime 28727
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeBootMgrTime 354
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppTime 509
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppStartTimestamp 22620
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeHiberFileTime 445
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeRestoreImageStartTimestamp 22682
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressTime 168
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeMapTime 10
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeKernelSwitchTimestamp 23129
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp 23153
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp 27286
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TimeStampCounterAtSwitchTime 23152
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState 28717
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberHiberFileTime 3170
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberInitTime 9
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalHibernateTime 7774
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeHiberFileTime 1757
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeSharedBufferTime 15
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime 1404
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelAnimationTime 26
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesProcessed 417575
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesWritten 0x07 0x7A 0x02 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesProcessed 31544
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesWritten 0xC6 0x3E 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberWriteRate 226
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberCompressRate 58
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeReadRate 348
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressRate 143
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberChecksumTime 88
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberChecksumIoTime 9
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelChecksumTime 44
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeIoCpuTime 764
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberIoCpuTime 505
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HybridBootAnimationTime 4158
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp 0x0E 0x25 0x2C 0x03 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{2CA79EEA-0E41-4F71-B004-BBF324051A43}@DefunctTimestamp 0x09 0x09 0x02 0x57 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c4-6e-1f-63-c3-84@ClientLocalPort 50357
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c4-6e-1f-63-c3-84@AddressCreationTimestamp 0x44 0x9A 0x12 0x0D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c4-6e-1f-63-c3-84@TeredoAddress 2001:0:5ef5:79fb:c72:3b4a:a1b1:6be1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_1bd0de7
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_1bd0de7@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_1bd0de7@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_1bd0de7@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_1bd0de7@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_1bd0de7@DisplayName Usługa wiadomości_1bd0de7
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_1bd0de7@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_1bd0de7\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_1bd0de7\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_1bd0de7\TriggerInfo
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_1bd0de7\TriggerInfo\0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_1bd0de7\TriggerInfo\0@Type 7
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_1bd0de7\TriggerInfo\0@Action 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_1bd0de7\TriggerInfo\0@Guid 0x16 0x28 0x7A 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_1bd0de7\TriggerInfo\0@Data0 0x75 0x18 0xBC 0xA3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_1bd0de7\TriggerInfo\0@DataType0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_1bd0de7
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_1bd0de7
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_1bd0de7@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_1bd0de7@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_1bd0de7@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_1bd0de7@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_1bd0de7@DisplayName Synchronizuj hosta_1bd0de7
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_1bd0de7@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_1bd0de7\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_1bd0de7\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_1bd0de7
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_1bd0de7
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_1bd0de7@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_1bd0de7@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_1bd0de7@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_1bd0de7@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_1bd0de7@DisplayName Dane kontaktowe_1bd0de7
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_1bd0de7@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_1bd0de7\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_1bd0de7\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_1bd0de7
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 1509
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 139
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53219f62-2092-42c0-8ab2-0a7cd0120ffe}@DhcpIPAddress 192.168.0.103
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53219f62-2092-42c0-8ab2-0a7cd0120ffe}@LeaseObtainedTime 1459772764
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53219f62-2092-42c0-8ab2-0a7cd0120ffe}@T1 1459776364
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53219f62-2092-42c0-8ab2-0a7cd0120ffe}@T2 1459779064
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53219f62-2092-42c0-8ab2-0a7cd0120ffe}@LeaseTerminatesTime 1459779964
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_1bd0de7
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_1bd0de7@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_1bd0de7@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_1bd0de7@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_1bd0de7@ImagePath C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_1bd0de7@DisplayName Magazyn danych użytkownika_1bd0de7
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_1bd0de7@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_1bd0de7\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_1bd0de7\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_1bd0de7
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_1bd0de7
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_1bd0de7@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_1bd0de7@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_1bd0de7@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_1bd0de7@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_1bd0de7@DisplayName Dostęp do danych użytkownika_1bd0de7
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_1bd0de7@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_1bd0de7\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_1bd0de7\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_1bd0de7
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeConfidence 6
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xA9 0xD9 0xDA 0x41 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xA9 0x41 0x9F 0xA3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xA9 0x71 0x16 0xE0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0xF7 0x34 0x97 0x04 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpdUpFltr\Parameters\Wdf@TimeOfLastTelemetryLog 0x7F 0x07 0xCC 0xEB ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds Chrome?

---- Files - GMER 2.2 ----

File C:\Users\lukasz\AppData\Local\Microsoft\Office\OTeleData_1808_5.etl 4096 bytes

---- EOF - GMER 2.2 ----