GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-04-29 17:54:13
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000001d WDC_WD10JPCX-24UE4T0 rev.01.01A01 931,51GB
Running: kp1y0ebv.exe; Driver: C:\Users\Andrzej\AppData\Local\Temp\pfkdqpob.sys

---- Threads - GMER 2.2 ----

Thread   C:\WINDOWS\system32\csrss.exe [1280:2536]   fffff961ddf94060

---- Services - GMER 2.2 ----

Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )   [MANUAL] MessagingService_ad39ec          <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )   [AUTO]   OneSyncSvc_ad39ec                <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )   [MANUAL] PimIndexMaintenanceSvc_ad39ec    <-- ROOTKIT !!!
Service  C:\WINDOWS\System32\svchost.exe (*** hidden *** )   [MANUAL] UnistoreSvc_ad39ec               <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )   [MANUAL] UserDataSvc_ad39ec               <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD033A0_00_07DB_82^0C347888ABDF2AA846DFF8D24673327F@Timestamp  0x96 0x36 0x36 0x93 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  994997578
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime  3490
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime  3469
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime  12181
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeBootMgrTime  225
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppTime  951
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppStartTimestamp  3727
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeHiberFileTime  497
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeRestoreImageStartTimestamp  4141
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeIoTime  324
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressTime  196
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeKernelSwitchTimestamp  4679
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp  4714
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp  11815
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TimeStampCounterAtSwitchTime  4701
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState  12176
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberHiberFileTime  6886
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberInitTime  77
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalHibernateTime  11903
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeHiberFileTime  6450
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime  339
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelAnimationTime  57
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesProcessed  388707
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesWritten  0x4B 0x7D 0x02 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesProcessed  33189
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesWritten  0x44 0x30 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberWriteRate  101
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressRate  84
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberChecksumTime  146
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberChecksumIoTime  26
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelChecksumIoTime  50
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeIoCpuTime  983
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberIoCpuTime  408
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp  0x08 0x5F 0x88 0x02 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HybridBootAnimationTime  7120
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\342387f030a0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{50AC7E54-9678-4FB4-B1C4-A405D22482DF}@DefunctTimestamp  0xDC 0x76 0x23 0x57 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_ad39ec
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_ad39ec@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_ad39ec@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_ad39ec@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_ad39ec@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_ad39ec@DisplayName  Usługa wiadomości_ad39ec
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_ad39ec@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_ad39ec\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_ad39ec\Security@Security  0x01 0x00 0x14 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_ad39ec\TriggerInfo
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_ad39ec\TriggerInfo\0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_ad39ec\TriggerInfo\0@Type  7
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_ad39ec\TriggerInfo\0@Action  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_ad39ec\TriggerInfo\0@Guid  0x16 0x28 0x7A 0x2D ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_ad39ec\TriggerInfo\0@Data0  0x75 0x18 0xBC 0xA3 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_ad39ec\TriggerInfo\0@DataType0  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_ad39ec
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_ad39ec
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_ad39ec@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_ad39ec@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_ad39ec@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_ad39ec@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_ad39ec@DisplayName  Synchronizuj hosta_ad39ec
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_ad39ec@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_ad39ec\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_ad39ec\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_ad39ec
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_ad39ec
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_ad39ec@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_ad39ec@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_ad39ec@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_ad39ec@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_ad39ec@DisplayName  Dane kontaktowe_ad39ec
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_ad39ec@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_ad39ec\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_ad39ec\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_ad39ec
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  1105
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  70
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS  807
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{01f0980e-855d-4a12-a7dd-ef6260f7488c}@LeaseObtainedTime  1461941984
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{01f0980e-855d-4a12-a7dd-ef6260f7488c}@T1  1461985184
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{01f0980e-855d-4a12-a7dd-ef6260f7488c}@T2  1462017584
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{01f0980e-855d-4a12-a7dd-ef6260f7488c}@LeaseTerminatesTime  1462028384
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_ad39ec
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_ad39ec@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_ad39ec@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_ad39ec@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_ad39ec@ImagePath  C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_ad39ec@DisplayName  Magazyn danych użytkownika_ad39ec
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_ad39ec@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_ad39ec\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_ad39ec\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_ad39ec
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_ad39ec
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_ad39ec@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_ad39ec@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_ad39ec@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_ad39ec@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_ad39ec@DisplayName  Dostęp do danych użytkownika_ad39ec
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_ad39ec@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_ad39ec\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_ad39ec\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_ad39ec
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeConfidence  8
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0xA7 0xFA 0xB7 0x34 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0xA7 0x62 0x7C 0x96 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0xA7 0x92 0xF3 0xD2 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount  0x59 0xFE 0x91 0x02 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown  1
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@CloudSettingsDirtyMarks  34
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest  0xAF 0x81 0xBC 0x78 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles@CheckingForSolutionDialog  0x9E 0x01 0x01 0x00 ...

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----