GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-04-29 20:49:52
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000001d WDC_WD10JPCX-24UE4T0 rev.01.01A01 931,51GB
Running: 277y3e5i.exe; Driver: C:\Users\Andrzej\AppData\Local\Temp\pfkdqpob.sys

---- Threads - GMER 2.2 ----

Thread   C:\WINDOWS\system32\csrss.exe [712:864]   fffff9614ed94060

---- Services - GMER 2.2 ----

Service  C:\WINDOWS\system32\drivers\WdBoot.sys (*** hidden *** )   [BOOT] WdBoot   <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\drivers\WdFilter.sys (*** hidden *** )   [BOOT] WdFilter   <-- ROOTKIT !!!
Service  C:\Program Files (x86)\Windows Defender\MsMpEng.exe (*** hidden *** )   [AUTO] WinDefend   <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime   0x99 0x9B 0x76 0xDD ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime   0xFE 0x39 0x26 0x0C ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime   0x99 0x9B 0x76 0xDD ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime   0xFE 0x39 0x26 0x0C ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL   15
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD033A0_00_07DB_82^0C347888ABDF2AA846DFF8D24673327F@Timestamp   0x53 0x8A 0x5B 0x93 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid   876
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations   ???Cic??????????Volume5\Users\Andrzej\AppData\Local\Temp\1956F1915D.sys??\??\C:\Users\Andrzej\AppData\Local\Temp\2B4EED4E-B749DFCB-F817423D-784C5429\01kaEIKR??\??\C:\Users\Andrzej\AppData\Local\Temp\2B4EED4E-B749DFCB-F817423D-784C5429\0alLzDQYI8x??\??\C:\Users\Andrzej\AppData\Local\Temp\2B4EED4E-B749DFCB-F817423D-784C5429\0LBzIjJbAtr37??\??\C:\Users\Andrzej\AppData\Local\Temp\2B4EED4E-B749DFCB-F817423D-784C5429\19554975db.sys.30f9d78??\??\C:\Users\Andrzej\AppData\Local\Temp\2B4EED4E-B749DFCB-F817423D-784C5429\1aXnYmofO??\??\C:\Users\Andrzej\AppData\Local\Temp\2B4EED4E-B749DFCB-F817423D-784C5429\1CUWUKOcO3je??\??\C:\Users\Andrzej\AppData\Local\Temp\2B4EED4E-B749DFCB-F817423D-784C5429\1E8S5AoHpIv??\??\C:\Users\Andrzej\AppData\Local\Temp\2B4EED4E-B749DFCB-F817423D-784C5429\27gncBR0D??\??\C:\Users\Andrzej\AppData\Local\Temp\2B4EED4E-B749DFCB-F817423D-784C5429\2gdS9aHBruEF??\??\C:\Users\Andrzej\AppData\Local\Temp\2B4EED4E-B749DFCB-F817423D-784C5429\2IYu5cFk72Fx3tT??\??\C:\Users\Andrzej\AppData\Local\Temp\2B4EED4E
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber   152931703
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed   994997578
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId   16
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime   472258093
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime   3503
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime   3480
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID   e6f1073e-e0e1-42c4-bc8c-5f87d4e
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId   5
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\DefenderApiLogger@Start   1
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\DefenderAuditLogger@Start   1
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\WdiContextLog@FileCounter   1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\342387f030a0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{2ccfe95a-f655-46dc-989a-6886156c6184}@LastProbeTime   1461906741
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{50AC7E54-9678-4FB4-B1C4-A405D22482DF}@InterfaceName   Reusable ISATAP Interface {50AC7E54-9678-4FB4-B1C4-A405D22482DF}
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{50AC7E54-9678-4FB4-B1C4-A405D22482DF}@ReusableType   2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime   ?pt.?, ?kwi ?29 ?16, 05:13:25 AM???????????????????????????????
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch   1114
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch   77
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence   14
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS   811
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{01f0980e-855d-4a12-a7dd-ef6260f7488c}@LeaseObtainedTime   1461945911
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{01f0980e-855d-4a12-a7dd-ef6260f7488c}@T1   1461989111
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{01f0980e-855d-4a12-a7dd-ef6260f7488c}@T2   1462021511
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{01f0980e-855d-4a12-a7dd-ef6260f7488c}@LeaseTerminatesTime   1462032311
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeConfidence   8
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated   0x45 0x4E 0x51 0xE3 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh   0x45 0xB6 0x15 0x45 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow   0x45 0xE6 0x8C 0x81 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount   0x00 0x68 0x47 0x03 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WdBoot@Group   Early-Launch
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WdBoot@ImagePath   system32\drivers\WdBoot.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WdBoot@Start   0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WdBoot
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WdFilter@ImagePath   system32\drivers\WdFilter.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WdFilter@Start   0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WdFilter
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WinDefend@Start   2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WinDefend
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop   0
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@Rw   0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@RwMask   0x64 0x62 0x03 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@CloudSettingsDirtyMarks   41

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----