GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-06-21 21:08:23
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000036 ST1000LM014-1EJ164-SSHD rev.HKR1 931,51GB
Running: jh9z4xbc.exe; Driver: G:\TEMP\kfndyaow.sys

---- Devices - GMER 2.2 ----

Device  \Driver\semav6msr64 \Device\semav6msr64    fffff8044f925010

---- Threads - GMER 2.2 ----

Thread  System [4:4940]    ffffa0835471acd8
Thread  System [4:4944]    ffffa0835475ba1c
Thread  System [4:4948]    ffffa08354764c84
Thread  System [4:4952]    ffffa08354763580
Thread  System [4:4960]    ffffa0835475d1a4
Thread  C:\WINDOWS\system32\csrss.exe [696:972]    fffff0827ada6c20
Thread  C:\WINDOWS\system32\svchost.exe [1504:4068]    00007ffe4ded25e0
Thread  C:\WINDOWS\system32\svchost.exe [1504:720]    00007ffe4bb23bc0
Thread  C:\WINDOWS\Explorer.EXE [5512:6972]    000000000ac9449c
Thread  C:\WINDOWS\Explorer.EXE [5512:6184]    000000000e164840
Thread  C:\WINDOWS\Explorer.EXE [5512:7160]    000000000e22dbb4
Thread  C:\WINDOWS\Explorer.EXE [5512:7152]    000000000e22dbb4
Thread  C:\WINDOWS\Explorer.EXE [5512:7124]    000000000e22dbb4
Thread  C:\WINDOWS\Explorer.EXE [5512:7120]    000000000e22dbb4

---- Services - GMER 2.2 ----

Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO] CDPUserSvc_6091f    <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [MANUAL] MessagingService_6091f    <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO] OneSyncSvc_6091f    <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [MANUAL] PimIndexMaintenanceSvc_6091f    <-- ROOTKIT !!!
Service  C:\WINDOWS\System32\svchost.exe (*** hidden *** )  [MANUAL] UnistoreSvc_6091f    <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [MANUAL] UserDataSvc_6091f    <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [MANUAL] WpnUserService_6091f    <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime    0x91 0x0D 0x19 0x69 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime    0x34 0x4A 0xDA 0x4A ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime    0x91 0x0D 0x19 0x69 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime    0x34 0x4A 0xDA 0x4A ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL    483
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD04930_00_07DE_5B^F85900BA67DE992FCD9E602C7E951284@Timestamp    0x37 0x7B 0xD3 0xAC ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid    776
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations    \??\G:\TEMP\~nsu.tmp\Au_.exe??\??\G:\TEMP\~nsu.tmp??\??\G:\TEMP\nsn8A4A.tmp\??\??\G:\TEMP\nsn8A4A.tmp\Lang\ENU.dll??\??\G:\TEMP\nsn8A4A.tmp\Lang\PLK.dll??
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed    -179670376
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID    60e88477-9106-48a6-bb20-0b1c235
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettings@LastLSMInstanceID    60e88477-9106-48a6-bb20-0b1c235
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName    \BaseNamedObjects\WDI_{7b3929e0-bca8-4298-879a-fd6c3bd7f1b4}
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\GlobalLogger@FileName    C:\ProgramData\Intel\SUR\WILLAMETTE\IntelData\temp\2017_06_21__19_49_22_boot.etl
Reg  HKLM\SYSTEM\CurrentControlSet\Services\ASP.NET_4.0.30319\Names@A0W6EnpfAtSQtDUSIlpAvc9OcFpHQ6COsC00xwn3w6GBXgRFyYn510NjOsAFOiB4wgUQjGTA1UuNFWoGmNQxR37IXVXGrBHYdcMPP98iHCrAnPWeUVRZh8    2968
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName    Global\MMF_BITS81d69eb2-6ead-4036-9617-5fa2e5040fe2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\606dc7f61ee0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\606dc7f61ee0@bccfccefc63b    0x23 0x77 0x95 0xE1 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_6091f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_6091f@Type    224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_6091f@Start    2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_6091f@ErrorControl    1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_6091f@ImagePath    C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_6091f@DisplayName    CDPUserSvc_6091f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_6091f@FailureActions    0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_6091f@Description    @%SystemRoot%\system32\cdpusersvc.dll,-101
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_6091f\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_6091f\Security@Security    0x01 0x00 0x14 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_6091f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{3e08c04e-2ddd-48d0-977b-d45b98db4bc2}@LastProbeTime    1498054252
Reg  HKLM\SYSTEM\CurrentControlSet\Services\ialm\Device0@ProfilingToolValues    0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{F3BCC300-44C8-45CF-B7BA-4EA6A42DCF79}@DefunctTimestamp    0xD9 0x3B 0x4A 0x59 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6091f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6091f@Type    224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6091f@Start    3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6091f@ErrorControl    0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6091f@ImagePath    C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6091f@DisplayName    Usługa wiadomości_6091f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6091f@FailureActions    0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6091f@Description    @%SystemRoot%\system32\MessagingService.dll,-101
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6091f\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6091f\Security@Security    0x01 0x00 0x14 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6091f\TriggerInfo
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6091f\TriggerInfo\0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6091f\TriggerInfo\0@Type    7
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6091f\TriggerInfo\0@Action    1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6091f\TriggerInfo\0@Guid    0x16 0x28 0x7A 0x2D ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6091f\TriggerInfo\0@Data0    0x75 0x18 0xBC 0xA3 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6091f\TriggerInfo\0@DataType0    1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_6091f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_6091f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_6091f@Type    224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_6091f@Start    2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_6091f@ErrorControl    0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_6091f@ImagePath    C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_6091f@DisplayName    Synchronizuj hosta_6091f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_6091f@FailureActions    0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_6091f@Description    @%SystemRoot%\system32\APHostRes.dll,-10001
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_6091f\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_6091f\Security@Security    0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_6091f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_6091f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_6091f@Type    224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_6091f@Start    3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_6091f@ErrorControl    0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_6091f@ImagePath    C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_6091f@DisplayName    Dane kontaktowe_6091f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_6091f@FailureActions    0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_6091f@Description    @%SystemRoot%\system32\UserDataAccessRes.dll,-15000
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_6091f\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_6091f\Security@Security    0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_6091f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Diagnostics@ReadyBootTrainingCountSinceLastServicing    2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge    1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime    śr., cze 21 17, 02:12:10 PM
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@EffectivePends    263
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch    16953
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch    4063
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence    482
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ac763e17-6ec6-46c3-aefc-62cd5154b8ba}@LeaseObtainedTime    1498065077
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ac763e17-6ec6-46c3-aefc-62cd5154b8ba}@T1    1498068677
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ac763e17-6ec6-46c3-aefc-62cd5154b8ba}@T2    1498071377
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ac763e17-6ec6-46c3-aefc-62cd5154b8ba}@LeaseTerminatesTime    1498072277
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{ac763e17-6ec6-46c3-aefc-62cd5154b8ba}@Dhcpv6State    0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{ac763e17-6ec6-46c3-aefc-62cd5154b8ba}@Dhcpv6MaxLeaseExpireTime    0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{ac763e17-6ec6-46c3-aefc-62cd5154b8ba}@Dhcpv6ServerPreference    0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{ac763e17-6ec6-46c3-aefc-62cd5154b8ba}@Dhcpv6IsUnicastEnabled    0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{ac763e17-6ec6-46c3-aefc-62cd5154b8ba}@Dhcpv6LeaseObtainedTime    0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_6091f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_6091f@Type    224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_6091f@Start    3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_6091f@ErrorControl    0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_6091f@ImagePath    C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_6091f@DisplayName    Magazyn danych użytkownika_6091f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_6091f@FailureActions    0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_6091f@Description    @%SystemRoot%\system32\UserDataAccessRes.dll,-10002
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_6091f\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_6091f\Security@Security    0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_6091f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_6091f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_6091f@Type    224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_6091f@Start    3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_6091f@ErrorControl    0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_6091f@ImagePath    C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_6091f@DisplayName    Dostęp do danych użytkownika_6091f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_6091f@FailureActions    0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_6091f@Description    @%SystemRoot%\system32\UserDataAccessRes.dll,-14000
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_6091f\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_6091f\Security@Security    0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_6091f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated    0xA6 0x41 0x75 0xFD ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh    0xA6 0xA9 0x39 0x5F ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow    0xA6 0xD9 0xB0 0x9B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_6091f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_6091f@Type    224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_6091f@Start    3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_6091f@ErrorControl    0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_6091f@ImagePath    C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_6091f@DisplayName    Usługa użytkownika powiadomień WNS_6091f
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_6091f@FailureActions    0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_6091f@Description    @%SystemRoot%\system32\WpnUserService.dll,-2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_6091f\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_6091f\Security@Security    0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_6091f
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@Rw    0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@RwMask    0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@Rw    0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\1@RwMask    0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\2@Rw    0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\2@RwMask    0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\3@Rw    0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\3@RwMask    0x64 0x62 0x03 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\iexplore@Count    46
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds    Chrome?
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@Chrome    0x2F 0xD7 0x8A 0x33 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{767F50F1-90BD-46D6-9C56-B24CE6864FBE}@LastAccessedTime    0x20 0xDF 0x17 0x96 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{767F50F1-90BD-46D6-9C56-B24CE6864FBE}@LaunchCount    3
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8658B4AE-D1B1-412C-8037-1687C4641237}@LastAccessedTime    0x90 0x54 0xA1 0x4B ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{8658B4AE-D1B1-412C-8037-1687C4641237}@LaunchCount    66
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance@MessageTime    0x5C 0xE8 0x41 0x9C ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate@LastScheduledRetryTime    2017-06-21 12:13:47

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----