GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-09-26 07:45:59
Windows 6.2.9200 x64  \Device\Harddisk0\DR0 -> \Device\00000038 INTEL_SSDSC2BW120A4 rev.DC32 111,79GB
Running: nopuwpem.exe; Driver: C:\Users\cicha\AppData\Local\Temp\ffldruob.sys

---- Threads - GMER 2.2 ----

Thread   C:\WINDOWS\system32\csrss.exe [7420:6528]   ffffb752666c6c20

---- Services - GMER 2.2 ----

Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )   [AUTO]   CDPUserSvc_14b50f05              <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )   [MANUAL] MessagingService_14b50f05        <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )   [AUTO]   OneSyncSvc_14b50f05              <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )   [MANUAL] PimIndexMaintenanceSvc_14b50f05  <-- ROOTKIT !!!
Service  C:\WINDOWS\System32\svchost.exe (*** hidden *** )   [MANUAL] UnistoreSvc_14b50f05             <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )   [MANUAL] UserDataSvc_14b50f05             <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )   [MANUAL] WpnUserService_14b50f05          <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\AOC2369ABPE79A000300_1B_07DE_50^01C607C306860D764373A5089AEF7EF9@Timestamp  0x54 0xE2 0xF1 0xE3 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  -1322096690
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime  11985
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime  10923
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime  15932
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeBootMgrTime  376
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppTime  1047
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppStartTimestamp  12362
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeLibraryInitTime  84
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeHiberFileTime  935
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeRestoreImageStartTimestamp  12473
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeIoTime  771
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressTime  150
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeKernelSwitchTimestamp  13410
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp  13422
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp  15386
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TimeStampCounterAtSwitchTime  13417
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState  15927
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberHiberFileTime  4025
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberInitTime  69
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalHibernateTime  6014
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeHiberFileTime  1692
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeInitTime  51
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime  525
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelAnimationTime  12
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesProcessed  326015
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesWritten  0x45 0xE3 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesProcessed  31182
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesWritten  0x76 0x43 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeReadRate  228
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberChecksumTime  58
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberChecksumIoTime  15
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelChecksumTime  53
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeIoCpuTime  106
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberIoCpuTime  103
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HybridBootAnimationTime  1977
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp  0xBF 0xC0 0x2D 0x0F ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId  7
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_14b50f05
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_14b50f05@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_14b50f05@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_14b50f05@ErrorControl  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_14b50f05@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_14b50f05@DisplayName  CDPUserSvc_14b50f05
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_14b50f05@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_14b50f05@Description  @%SystemRoot%\system32\cdpusersvc.dll,-101
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_14b50f05\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_14b50f05\Security@Security  0x01 0x00 0x14 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_14b50f05
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{8414ABA9-5B2C-4F86-A629-5D1891CE4617}@DefunctTimestamp  0x27 0xC6 0xE7 0x57 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_14b50f05
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_14b50f05@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_14b50f05@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_14b50f05@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_14b50f05@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_14b50f05@DisplayName  Usługa wiadomości_14b50f05
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_14b50f05@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_14b50f05@Description  @%SystemRoot%\system32\MessagingService.dll,-101
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_14b50f05\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_14b50f05\Security@Security  0x01 0x00 0x14 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_14b50f05\TriggerInfo
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_14b50f05\TriggerInfo\0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_14b50f05\TriggerInfo\0@Type  7
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_14b50f05\TriggerInfo\0@Action  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_14b50f05\TriggerInfo\0@Guid  0x16 0x28 0x7A 0x2D ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_14b50f05\TriggerInfo\0@Data0  0x75 0x18 0xBC 0xA3 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_14b50f05\TriggerInfo\0@DataType0  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_14b50f05
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_14b50f05
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_14b50f05@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_14b50f05@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_14b50f05@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_14b50f05@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_14b50f05@DisplayName  Synchronizuj hosta_14b50f05
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_14b50f05@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_14b50f05@Description  @%SystemRoot%\system32\APHostRes.dll,-10001
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_14b50f05\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_14b50f05\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_14b50f05
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_14b50f05
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_14b50f05@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_14b50f05@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_14b50f05@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_14b50f05@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_14b50f05@DisplayName  Dane kontaktowe_14b50f05
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_14b50f05@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_14b50f05@Description  @%SystemRoot%\system32\UserDataAccessRes.dll,-15000
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_14b50f05\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_14b50f05\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_14b50f05
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  935
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  33
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c455e22e-29c2-4305-afee-8a4678422403}@LeaseObtainedTime  1474807337
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c455e22e-29c2-4305-afee-8a4678422403}@T1  1474850537
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c455e22e-29c2-4305-afee-8a4678422403}@T2  1474882937
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c455e22e-29c2-4305-afee-8a4678422403}@LeaseTerminatesTime  1474893737
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_14b50f05
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_14b50f05@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_14b50f05@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_14b50f05@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_14b50f05@ImagePath  C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_14b50f05@DisplayName  Magazyn danych użytkownika_14b50f05
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_14b50f05@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_14b50f05@Description  @%SystemRoot%\system32\UserDataAccessRes.dll,-10002
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_14b50f05\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_14b50f05\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_14b50f05
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_14b50f05
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_14b50f05@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_14b50f05@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_14b50f05@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_14b50f05@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_14b50f05@DisplayName  Dostęp do danych użytkownika_14b50f05
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_14b50f05@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_14b50f05@Description  @%SystemRoot%\system32\UserDataAccessRes.dll,-14000
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_14b50f05\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_14b50f05\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_14b50f05
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0x92 0x70 0x29 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0x92 0xD8 0xED 0x61 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0x92 0x08 0x65 0x9E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_14b50f05
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_14b50f05@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_14b50f05@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_14b50f05@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_14b50f05@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_14b50f05@DisplayName  Usługa użytkownika powiadomień WNS_14b50f05
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_14b50f05@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_14b50f05@Description  @%SystemRoot%\system32\WpnUserService.dll,-2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_14b50f05\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_14b50f05\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_14b50f05
Reg  HKLM\SYSTEM\Maps@LastMapUpdateCheck  0xBB 0xC8 0x4E 0x11 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown  1
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications@TimestampWhenSeen  0x09 0x73 0x68 0x31 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds  windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel?
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel  0x7F 0x11 0xA5 0x8D ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{2A8AD0B6-4DB7-4838-AD91-3694FC8F2F35}@LastAccessedTime  0x40 0x32 0x4C 0xB9 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{2A8AD0B6-4DB7-4838-AD91-3694FC8F2F35}@LaunchCount  2
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC@51  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation\GeForce Experience.lnk?C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe??
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC@52  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation\3D Vision\3D Vision Photo Viewer.lnk?C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvstview.exe??
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\SHC@53  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation\3D Vision\3D Vision preview pack 1.lnk?C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvstlink.exe?/show?
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate@LastAutoAppUpdateSearchSuccessTime  2016-09-25 08:52:06
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate@LastScheduledRetryTime  2016-09-25 17:24:07

---- Files - GMER 2.2 ----

File  C:\Users\cicha\AppData\Local\Google\Chrome\User Data\Default\Cache\f_01a90f  0 bytes
File  C:\Users\cicha\AppData\Local\Google\Chrome\User Data\Default\Cache\f_01a7af  243184 bytes
File  C:\Users\cicha\AppData\Local\Google\Chrome\User Data\Default\Cache\f_01a7b0  871272 bytes
File  C:\Users\cicha\AppData\Local\Google\Chrome\User Data\Default\Cache\f_01a9a5  0 bytes
File  C:\Users\cicha\AppData\Local\Google\Chrome\User Data\Default\Cache\f_01a9a6  68101 bytes

---- EOF - GMER 2.2 ----