GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-04-30 08:45:14
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000001d WDC_WD10JPCX-24UE4T0 rev.01.01A01 931,51GB
Running: e8fxcml9.exe; Driver: C:\Users\Andrzej\AppData\Local\Temp\pfkdqpob.sys


---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [4200:564]  fffff960451e4060

---- Services - GMER 2.2 ----

Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [MANUAL] MessagingService_824dd0  <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO]   OneSyncSvc_824dd0  <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [MANUAL] PimIndexMaintenanceSvc_824dd0  <-- ROOTKIT !!!
Service  C:\WINDOWS\System32\svchost.exe (*** hidden *** )  [MANUAL] UnistoreSvc_824dd0  <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [MANUAL] UserDataSvc_824dd0  <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD033A0_00_07DB_82^0C347888ABDF2AA846DFF8D24673327F@Timestamp  0x2B 0xF6 0xAD 0xC4 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  -1071794163
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime  3465
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime  3443
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime  12483
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeBootMgrTime  225
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppTime  918
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppStartTimestamp  3702
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeHiberFileTime  467
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeRestoreImageStartTimestamp  4115
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeIoTime  302
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressTime  189
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeKernelSwitchTimestamp  4620
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp  4656
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp  12115
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TimeStampCounterAtSwitchTime  4643
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState  12477
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberHiberFileTime  7207
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalHibernateTime  12902
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeHiberFileTime  6809
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime  334
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelAnimationTime  58
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesProcessed  430899
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesWritten  0x8D 0xA1 0x02 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesProcessed  33281
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesWritten  0x84 0x2D 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressRate  82
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberChecksumTime  154
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberChecksumIoTime  29
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelChecksumTime  99
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelChecksumIoTime  56
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeIoCpuTime  1037
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp  0x60 0xA0 0xE1 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HybridBootAnimationTime  7484
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\342387f030a0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{50AC7E54-9678-4FB4-B1C4-A405D22482DF}@DefunctTimestamp  0xE0 0x0A 0x24 0x57 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_824dd0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_824dd0@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_824dd0@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_824dd0@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_824dd0@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_824dd0@DisplayName  Usługa wiadomości_824dd0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_824dd0@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_824dd0\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_824dd0\Security@Security  0x01 0x00 0x14 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_824dd0\TriggerInfo
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_824dd0\TriggerInfo\0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_824dd0\TriggerInfo\0@Type  7
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_824dd0\TriggerInfo\0@Action  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_824dd0\TriggerInfo\0@Guid  0x16 0x28 0x7A 0x2D ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_824dd0\TriggerInfo\0@Data0  0x75 0x18 0xBC 0xA3 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_824dd0\TriggerInfo\0@DataType0  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_824dd0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_824dd0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_824dd0@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_824dd0@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_824dd0@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_824dd0@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_824dd0@DisplayName  Synchronizuj hosta_824dd0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_824dd0@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_824dd0\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_824dd0\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_824dd0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_824dd0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_824dd0@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_824dd0@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_824dd0@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_824dd0@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_824dd0@DisplayName  Dane kontaktowe_824dd0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_824dd0@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_824dd0\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_824dd0\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_824dd0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  1172
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  99
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS  815
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{01f0980e-855d-4a12-a7dd-ef6260f7488c}@LeaseObtainedTime  1461979879
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{01f0980e-855d-4a12-a7dd-ef6260f7488c}@T1  1462023079
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{01f0980e-855d-4a12-a7dd-ef6260f7488c}@T2  1462055479
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{01f0980e-855d-4a12-a7dd-ef6260f7488c}@LeaseTerminatesTime  1462066279
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_824dd0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_824dd0@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_824dd0@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_824dd0@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_824dd0@ImagePath  C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_824dd0@DisplayName  Magazyn danych użytkownika_824dd0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_824dd0@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_824dd0\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_824dd0\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_824dd0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_824dd0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_824dd0@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_824dd0@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_824dd0@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_824dd0@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_824dd0@DisplayName  Dostęp do danych użytkownika_824dd0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_824dd0@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_824dd0\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_824dd0\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_824dd0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeConfidence  7
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0x5A 0x9A 0x02 0x9D ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0x5A 0x02 0xC7 0xFE ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0x5A 0x32 0x3E 0x3B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount  0xCD 0x51 0x1A 0x01 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown  1
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@CloudSettingsDirtyMarks  49
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest  0x4A 0x7F 0xEF 0xB1 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles@CheckingForSolutionDialog  0x64 0x01 0x01 0x00 ...

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----