GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-11-21 18:34:54
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000031 WDC_WD10JPCX-24UE4T0 rev.01.01A01 931,51GB
Running: rmq2tm48.exe; Driver: C:\Users\Remik\AppData\Local\Temp\kflcqpod.sys


---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [724:5260]  ffffcddfeb9a6c20

---- Services - GMER 2.2 ----

Service  System32\Drivers\ElbyCDIO.sys (*** hidden *** )  [SYSTEM] ElbyCDIO  <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  -1405137436
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\ac2b6e765d8a
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\ac2b6e765d8a@0ca694a2f025  0xF3 0x99 0x74 0x38 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\b0-48-7a-cf-a5-02@ClientLocalPort  49570
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\b0-48-7a-cf-a5-02@AddressCreationTimestamp  0x34 0x67 0x43 0x0E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\b0-48-7a-cf-a5-02@NatDetectionTimestamp  0x34 0x67 0x43 0x0E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\b0-48-7a-cf-a5-02@TeredoAddress  2001:0:9d38:6abd:241f:c22a:ace7:b3ad
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  1323
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0xE8 0x31 0x96 0xAC ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0xE8 0x99 0x5A 0x0E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0xE8 0xC9 0xD1 0x4A ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WinDefend@FailureCommand  C:\WINDOWS\system32\mrt.exe /EHB /ServiceFailure "CAMP=4.10.14393.0;approximate-> Engine=1.1.13303.0;AVSIG=1.233.126.0;ASSIG=1.233.126.0" /StartService /Defender /q
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsBandwidthBucketCounter  0
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter  0
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime  0xAD 0x03 0xCB 0x6E ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsLargeBandwidthBucketCounter  717449
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsLargeRequestBucketCounter  0
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime  0xAD 0x03 0xCB 0x6E ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime  0xAD 0x03 0xCB 0x6E ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter  2079
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter  0
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime  0xAD 0x03 0xCB 0x6E ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@RoamingSyncToken  LM%3d63615340400770%3bID%3d269C345802721FDC!104%3bLR%3d63615340845143%3bEP%3d13%3bSI%3d45%3bTD%3dTrue%3bSO%3d0%3bPI%3d49
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime  0xBB 0x42 0xEF 0x61 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations  1865
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\packagestate\microsoft.windowsphone_8wekyb3d8bbwe-0@PendingOperations  8
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\packagestate\microsoft.windowssoundrecorder_8wekyb3d8bbwe-0@PendingOperations  8
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\packagestate\microsoft.windowsstore_8wekyb3d8bbwe-0@PendingOperations  8
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\packagestate\microsoft.xboxapp_8wekyb3d8bbwe-0@PendingOperations  8
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\packagestate\microsoft.xboxgamecallableui_cw5n1h2txyewy-0@PendingOperations  8
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\packagestate\microsoft.xboxidentityprovider_8wekyb3d8bbwe-0@PendingOperations  8
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\packagestate\microsoft.zunemusic_8wekyb3d8bbwe-0@PendingOperations  8
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\packagestate\microsoft.zunevideo_8wekyb3d8bbwe-0@PendingOperations  8
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\packagestate\windows.contactsupport_cw5n1h2txyewy-0@PendingOperations  8
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\packagestate\windows.immersivecontrolpanel_cw5n1h2txyewy-0@PendingOperations  8
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\packagestate\windows.miracastview_cw5n1h2txyewy-0@PendingOperations  8
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\packagestate\windows.printdialog_cw5n1h2txyewy-0@PendingOperations  8
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\accessibility@PendingOperations  13
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\backstack@PendingOperations  13
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\emojimfu@PendingOperations  13
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\explorer@PendingOperations  13
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\imejpn@PendingOperations  13
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\imekor@PendingOperations  13
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\inputpersonalization@PendingOperations  13
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\inputsettings@PendingOperations  13
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\language@PendingOperations  13
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\moimechs@PendingOperations  13
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\mouse@PendingOperations  13
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\narrator@PendingOperations  13
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\notificationsettings@PendingOperations  13
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\openwith@PendingOperations  13
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\osk@PendingOperations  13
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\picturepasswordpicture@PendingOperations  13
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\quickactions@PendingOperations  13
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\screenmagnifier@PendingOperations  13
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\slideshow@PendingOperations  13
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\spellingdictionary@PendingOperations  13
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\startpersonalization@PendingOperations  13
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\taskbar@PendingOperations  13

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----
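Added example (not part of the GMER output above, and not GMER's own code): a small Python triage script that reads a GMER 2.2 log in this layout, splits it into its "---- ... - GMER 2.2 ----" sections, and separates the entries that need a human look (the service GMER marks "hidden" and "<-- ROOTKIT !!!", the thread it lists in csrss.exe, the "unknown MBR code" disk result) from the bulk of registry noise. The embedded SAMPLE_LOG is constructed from the lines above, shortened to three registry entries; the column separator (a tab or a run of two or more spaces), the regexes and the info/review/alert severity rule are this example's own assumptions about the format, not something GMER defines.

```python
"""Triage helper for GMER 2.2 rootkit-scan logs (added example, not GMER's own code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the layout of the log above (shortened). GMER aligns columns
# with tabs/runs of spaces; the sample uses two spaces so it survives copy-paste.
SAMPLE_LOG = r"""
GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-11-21 18:34:54
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000031 WDC_WD10JPCX-24UE4T0 rev.01.01A01 931,51GB
Running: rmq2tm48.exe; Driver: C:\Users\Remik\AppData\Local\Temp\kflcqpod.sys

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [724:5260]  ffffcddfeb9a6c20

---- Services - GMER 2.2 ----

Service  System32\Drivers\ElbyCDIO.sys (*** hidden *** )  [SYSTEM] ElbyCDIO  <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  -1405137436
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\ac2b6e765d8a
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  1323

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
COLUMN_RE = re.compile(r"\t|\s{2,}")            # assumed column separator
SERVICE_RE = re.compile(r"^(?P<path>\S+) \((?P<attrs>[^)]*)\)$")
THREAD_RE = re.compile(r"^(?P<image>.+) \[(?P<pid>\d+):(?P<tid>\d+)\]$")


@dataclass
class Finding:
    section: str
    kind: str       # Thread / Service / Reg / Disk
    subject: str
    detail: str
    severity: str   # "info", "review" or "alert" (this example's own scale)


def split_sections(text):
    """Return (header lines, {section name: [entry lines]}) for a GMER log."""
    header, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        elif current is None:
            header.append(line)
        else:
            sections[current].append(line)
    return header, sections


def scan_info(header):
    """Tool version, scan time and OS string taken from the log header."""
    text = "\n".join(header)
    ver = re.search(r"^GMER (\S+)", text, re.M)
    when = re.search(r"^Rootkit scan (\S+ \S+)", text, re.M)
    os_ = re.search(r"^Windows (\S+ \S+)", text, re.M)
    return {"version": ver and ver.group(1), "scanned": when and when.group(1),
            "os": os_ and os_.group(1)}


def parse_entry(section, line):
    """Turn one entry line into a Finding; the severity is a triage heuristic, not a verdict."""
    cols = [c for c in COLUMN_RE.split(line) if c]
    kind, fields = cols[0], cols[1:]
    if kind == "Service":
        m = SERVICE_RE.match(fields[0])
        path, attrs = (m.group("path"), m.group("attrs").strip(" *")) if m else (fields[0], "")
        flag = next((f for f in fields[1:] if f.startswith("<--")), "")
        rest = " ".join(f for f in fields[1:] if not f.startswith("<--"))
        # A service the normal API cannot see is an alert with or without the marker;
        # confirm against the driver file on disk before calling it malicious.
        severity = "alert" if flag or "hidden" in attrs else "info"
        return Finding(section, kind, path, f"{rest} attrs={attrs!r} flag={flag!r}", severity)
    if kind == "Thread":
        m = THREAD_RE.match(fields[0])
        image = m.group("image") if m else fields[0]
        ids = f"pid={m.group('pid')} tid={m.group('tid')}" if m else ""
        start = fields[1] if len(fields) > 1 else "?"
        return Finding(section, kind, image, f"{ids} start={start}", "review")
    if kind == "Disk":
        result = " ".join(fields[1:])
        return Finding(section, kind, fields[0], result, "review" if "unknown" in result else "info")
    if kind == "Reg":
        key, _, value = fields[0].rpartition("@") if "@" in fields[0] else (fields[0], "", "")
        return Finding(section, kind, key, f"value={value!r} data={' '.join(fields[1:])!r}", "info")
    return Finding(section, kind, " ".join(fields), "", "info")


def triage(text):
    """All entries of a GMER log as Findings, in log order."""
    _, sections = split_sections(text)
    return [parse_entry(name, line) for name, lines in sections.items() for line in lines]


def summarize(findings):
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    header, _ = split_sections(SAMPLE_LOG)
    print(scan_info(header))
    findings = triage(SAMPLE_LOG)
    print(summarize(findings))
    for f in findings:
        if f.severity != "info":
            print(f"[{f.severity.upper():6}] {f.kind:7} {f.subject}  {f.detail}")
```

On the sample the script reports one alert (the hidden ElbyCDIO service) and two items for review (the csrss.exe thread and the MBR result); the registry entries are kept as info. A "hidden" service hit is a lead, not a verdict: the next step is to locate the driver on disk (here System32\Drivers\ElbyCDIO.sys), check its Authenticode signature and publisher, and only then decide whether the ROOTKIT marker stands. ElbyCDIO.sys is the Elaborate Bytes CD/DVD I/O driver shipped with their disc-imaging tools and turns up in many GMER logs, which is exactly why the script keeps "hidden" separate from "confirmed malicious". "unknown MBR code" likewise means only that the boot code did not match GMER's known patterns; compare the sector against a clean copy of the same Windows release before treating it as a bootkit.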