GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-12-05 12:30:14
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000031 TOSHIBA_MQ01ABD075 rev.AX0A4M 698,64GB
Running: q93d3znp.exe; Driver: C:\Users\MAG\AppData\Local\Temp\pxldypoc.sys

---- Threads - GMER 2.2 ----

Thread   C:\WINDOWS\system32\csrss.exe [760:5192]   ffffd05c99ed6c20

---- Services - GMER 2.2 ----

Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )   [AUTO] CDPUserSvc_3ce42   <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )   [MANUAL] MessagingService_3ce42   <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )   [AUTO] OneSyncSvc_3ce42   <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )   [MANUAL] PimIndexMaintenanceSvc_3ce42   <-- ROOTKIT !!!
Service  C:\WINDOWS\System32\svchost.exe (*** hidden *** )   [MANUAL] UnistoreSvc_3ce42   <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )   [MANUAL] UserDataSvc_3ce42   <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )   [MANUAL] WpnUserService_3ce42   <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime   0x83 0xEF 0xC6 0xED ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime   0x6D 0xFB 0x1D 0x6F ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime   0x83 0xEF 0xC6 0xED ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime   0x6D 0xFB 0x1D 0x6F ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL   77
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\CMN17280_32_07DB_E3^C417E02202149645D0C799603B33721C@Timestamp   0x63 0xBF 0xF4 0xF3 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid   908
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations   \??\c:\programdata\winsapsvc\SETUP.dll??\??\c:\programdata\winsapsvc\winsap_update\ClearLog.dll??\??\c:\programdata\winsapsvc\winsap_update\waitlist.dat??\??\C:\Users\MAG\AppData\Local\Temp\lac5495.tmp\Aa.dll??\??\C:\Users\MAG\AppData\Local\Temp\lac5495.tmp\AG64.dll??\??\c:\programdata\winsapsvc\winsap_update\Lancer.dll??\??\c:\programdata\winsapsvc\winsap_update\39.json??\??\c:\programdata\winsapsvc\winsap_update\amule.msi??\??\c:\programdata\winsapsvc\winsap_update\ClearLog.dll??\??\c:\programdata\winsapsvc\winsap_update\DataBase??\??\c:\programdata\winsapsvc\winsap_update\de_svr.exe??\??\c:\programdata\winsapsvc\winsap_update\Lancer.dll??\??\c:\programdata\winsapsvc\winsap_update\QQBrowser.exe??\??\c:\programdata\winsapsvc\winsap_update\QQBrowserFrame.dll??\??\c:\programdata\winsapsvc\winsap_update\regkey.exe??\??\c:\programdata\winsapsvc\winsap_update\uvcSetup.msi??\??\c:\programdata\winsapsvc\winsap_update\WinSAP.dll??\??\c:\programdata\winsapsvc\winsap_update\winsap_cf??\??\c:\programdata\winsapsvc\win
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed   -2127879400
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID   e8b8e26e-4440-4a26-8461-2055e0a
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName   \BaseNamedObjects\WDI_{76e5638d-f8b4-46de-9b46-217105c181cb}
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\a4db30fa5aba
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\a4db30fa5aba@001167fa9dfa   0x2A 0x92 0xC0 0xF7 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3ce42
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3ce42@Type   224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3ce42@Start   2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3ce42@ErrorControl   1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3ce42@ImagePath   C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3ce42@DisplayName   CDPUserSvc_3ce42
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3ce42@FailureActions   0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3ce42@Description   @%SystemRoot%\system32\cdpusersvc.dll,-101
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3ce42\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3ce42\Security@Security   0x01 0x00 0x14 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_3ce42
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{505ac2c5-72c6-47c7-9d26-bd17a41619e1}@LastProbeTime   1480937174
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3ce42
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3ce42@Type   224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3ce42@Start   3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3ce42@ErrorControl   0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3ce42@ImagePath   C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3ce42@DisplayName   Usługa wiadomości_3ce42
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3ce42@FailureActions   0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3ce42@Description   @%SystemRoot%\system32\MessagingService.dll,-101
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3ce42\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3ce42\Security@Security   0x01 0x00 0x14 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3ce42\TriggerInfo
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3ce42\TriggerInfo\0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3ce42\TriggerInfo\0@Type   7
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3ce42\TriggerInfo\0@Action   1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3ce42\TriggerInfo\0@Guid   0x16 0x28 0x7A 0x2D ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3ce42\TriggerInfo\0@Data0   0x75 0x18 0xBC 0xA3 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3ce42\TriggerInfo\0@DataType0   1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_3ce42
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3ce42
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3ce42@Type   224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3ce42@Start   2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3ce42@ErrorControl   0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3ce42@ImagePath   C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3ce42@DisplayName   Synchronizuj hosta_3ce42
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3ce42@FailureActions   0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3ce42@Description   @%SystemRoot%\system32\APHostRes.dll,-10001
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3ce42\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3ce42\Security@Security   0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_3ce42
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3ce42
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3ce42@Type   224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3ce42@Start   3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3ce42@ErrorControl   0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3ce42@ImagePath   C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3ce42@DisplayName   Dane kontaktowe_3ce42
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3ce42@FailureActions   0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3ce42@Description   @%SystemRoot%\system32\UserDataAccessRes.dll,-15000
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3ce42\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3ce42\Security@Security   0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_3ce42
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Diagnostics@ReadyBootTrainingCountSinceLastServicing   14
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge   1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime   pon., gru 05 16, 11:31:12
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@EffectivePends   487
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch   2660
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch   230
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence   76
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3de9eca6-d0c1-4fad-8457-42394c5613b8}@LeaseObtainedTime   1480933574
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3de9eca6-d0c1-4fad-8457-42394c5613b8}@T1   1480976774
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3de9eca6-d0c1-4fad-8457-42394c5613b8}@T2   1481009174
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3de9eca6-d0c1-4fad-8457-42394c5613b8}@LeaseTerminatesTime   1481019974
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3ce42
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3ce42@Type   224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3ce42@Start   3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3ce42@ErrorControl   0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3ce42@ImagePath   C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3ce42@DisplayName   Magazyn danych użytkownika_3ce42
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3ce42@FailureActions   0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3ce42@Description   @%SystemRoot%\system32\UserDataAccessRes.dll,-10002
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3ce42\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3ce42\Security@Security   0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_3ce42
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3ce42
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3ce42@Type   224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3ce42@Start   3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3ce42@ErrorControl   0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3ce42@ImagePath   C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3ce42@DisplayName   Dostęp do danych użytkownika_3ce42
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3ce42@FailureActions   0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3ce42@Description   @%SystemRoot%\system32\UserDataAccessRes.dll,-14000
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3ce42\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3ce42\Security@Security   0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_3ce42
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated   0x71 0xD9 0xC9 0xD5 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh   0x71 0x41 0x8E 0x37 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow   0x71 0x71 0x05 0x74 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List   21696 21702 21714 21724 21734 21754 21798 21808 21846 21852 21868
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter   21874
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help   21875
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter   21696
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help   21697
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3ce42
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3ce42@Type   224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3ce42@Start   3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3ce42@ErrorControl   0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3ce42@ImagePath   C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3ce42@DisplayName   Usługa użytkownika powiadomień WNS_3ce42
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3ce42@FailureActions   0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3ce42@Description   @%SystemRoot%\system32\WpnUserService.dll,-2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3ce42\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3ce42\Security@Security   0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_3ce42
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw   0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask   0x64 0x62 0x03 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280810@LastAccessed   0x3F 0x3E 0x81 0x82 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280810@AccelerateCacheRefreshLastDetected   0x51 0xB2 0xA5 0x51 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280810@AccelerateCacheRefreshLastHandled   0x1C 0x6A 0x08 0xCC ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280811@LastAccessed   0xF8 0xC9 0x4C 0x82 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280811@AccelerateCacheRefreshLastDetected   0x5B 0xA0 0x73 0x51 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280811@AccelerateCacheRefreshLastHandled   0x22 0xB8 0x16 0xCC ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\iexplore@Count   559
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce@FlashPlayerUpdate   C:\WINDOWS\SysWoW64\Macromed\Flash\FlashUtil32_23_0_0_185_Plugin.exe -update plugin
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds   Firefox?Microsoft.Windows.Photos_8wekyb3d8bbwe!App?Microsoft.Windows.ControlPanel?
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{22F1E6E1-FE07-4B1A-88A1-F7C37D6C75C5}@LastAccessedTime   0xF0 0x61 0xFB 0xE6 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{22F1E6E1-FE07-4B1A-88A1-F7C37D6C75C5}@LaunchCount   1
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance@MessageTime   0x73 0x2E 0xC6 0xFB ...

---- Disk sectors - GMER 2.2 ----

Disk     \Device\Harddisk0\DR0   unknown MBR code

---- EOF - GMER 2.2 ----