GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-06-26 19:18:02
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AAKS-00A7B0 rev.01.03B01 465,76GB
Running: 61jp6tdf.exe; Driver: C:\Users\Anna\AppData\Local\Temp\kxldrpow.sys

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\csrss.exe [604:628] fffff960009b32d0
Thread C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [1972:2200] 00007ff82021bc60
Thread C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [1088:3808] 00007ff82037f5f8
Thread C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [1088:3796] 00007ff82021bc60
Thread C:\Windows\System32\SettingSyncHost.exe [3408:3416] 00007ff823247090
Thread C:\Windows\SysWOW64\msiexec.exe [4048:4056] 000000007eed2f31
Thread C:\Windows\System32\WWAHost.exe [3464:1464] 00007ff8353812c0
Thread C:\Windows\System32\WWAHost.exe [3464:1496] 00007ff830941df0
Thread C:\Windows\System32\WWAHost.exe [3464:3348] 00007ff82daabf10
Thread C:\Windows\System32\WWAHost.exe [3464:1440] 00007ff8318971d0
Thread C:\Windows\System32\WWAHost.exe [3464:3344] 00007ff81de002a0
Thread C:\Windows\System32\WWAHost.exe [3464:3264] 00007ff81ddfeeb0
Thread C:\Windows\System32\WWAHost.exe [3464:3352] 00007ff81de83d40
Thread C:\Windows\System32\WWAHost.exe [3464:3964] 00007ff81ddfeeb0
Thread C:\Windows\System32\WWAHost.exe [3464:3080] 00007ff81ddfeeb0
Thread C:\Windows\System32\WWAHost.exe [3464:1312] 00007ff8350a0b70
Thread C:\Windows\System32\WWAHost.exe [3464:2868] 00007ff8350a0b70
Thread C:\Windows\System32\WWAHost.exe [3464:3360] 00007ff81ddfeeb0
Thread C:\Windows\System32\WWAHost.exe [3464:240] 00007ff81f6ab590
Thread C:\Windows\System32\WWAHost.exe [3464:3736] 00007ff8353812c0
Thread C:\Windows\System32\WWAHost.exe [3464:136] 00007ff8353812c0
Thread C:\Windows\System32\WWAHost.exe [3464:3520] 00007ff81f69f090
Thread C:\Windows\ImmersiveControlPanel\SystemSettings.exe [4112:100] 00007ff8353812c0
Thread C:\Windows\ImmersiveControlPanel\SystemSettings.exe [4112:4320] 00007ff830941df0
Thread C:\Windows\ImmersiveControlPanel\SystemSettings.exe [4112:4716] 00007ff827159a20
Thread C:\Windows\ImmersiveControlPanel\SystemSettings.exe [4112:3884] 00007ff830938930
Thread C:\Windows\ImmersiveControlPanel\SystemSettings.exe [4112:2780] 00007ff82fa54874
Thread C:\Windows\ImmersiveControlPanel\SystemSettings.exe [4112:4980] 00007ff830941df0
Thread C:\Windows\ImmersiveControlPanel\SystemSettings.exe [4112:5124] 00007ff830941df0
Thread C:\Windows\ImmersiveControlPanel\SystemSettings.exe [4112:5136] 00007ff82309fbb0
Thread C:\Windows\ImmersiveControlPanel\SystemSettings.exe [4112:5220] 00007ff8318971d0
Thread C:\Windows\ImmersiveControlPanel\SystemSettings.exe [4112:5264] 00007ff8271fecb0
Thread C:\Windows\ImmersiveControlPanel\SystemSettings.exe [4112:5268] 00007ff8271fecb0
Thread C:\Windows\ImmersiveControlPanel\SystemSettings.exe [4112:5272] 00007ff8271fecb0
Thread C:\Windows\ImmersiveControlPanel\SystemSettings.exe [4112:5276] 00007ff8271fecb0
Thread C:\Windows\ImmersiveControlPanel\SystemSettings.exe [4112:5308] 00007ff8353812c0
Thread C:\Windows\ImmersiveControlPanel\SystemSettings.exe [4112:5320] 00007ff82cc91120
Thread C:\Windows\ImmersiveControlPanel\SystemSettings.exe [4112:5324] 00007ff830941df0
Thread C:\Windows\ImmersiveControlPanel\SystemSettings.exe [4112:5368] 00007ff830941df0
Thread C:\Windows\ImmersiveControlPanel\SystemSettings.exe [4112:5372] 00007ff830941df0
Thread C:\Windows\ImmersiveControlPanel\SystemSettings.exe [4112:5388] 00007ff82373ab50
Thread C:\Windows\ImmersiveControlPanel\SystemSettings.exe [4112:5536] 00007ff81bc535f0

---- Processes - GMER 2.1 ----

Process C:\Users\Anna\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe (*** suspicious ***) @ C:\Users\Anna\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe [1700] (Microsoft® Volume Shadow Copy Service/Microsoft Corporation)(2015-06-23 13:30:43) 0000000000400000

---- Services - GMER 2.1 ----

Service System32\Drivers\ElbyCDIO.sys (*** hidden *** ) [SYSTEM] ElbyCDIO <-- ROOTKIT !!!

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 843764762
Reg HKLM\SYSTEM\CurrentControlSet\Services\ElbyCDIO
Reg HKLM\SYSTEM\CurrentControlSet\Services\ElbyCDIO@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ElbyCDIO@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ElbyCDIO@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ElbyCDIO@ImagePath System32\Drivers\ElbyCDIO.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ElbyCDIO@DisplayName ElbyCDIO Driver
Reg HKLM\SYSTEM\CurrentControlSet\Services\ElbyCDIO@WOW64 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ElbyCDIO
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?Pt?, ?cze ?26 ?15, 06:12:00??????i???????i???????????????i????
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\GWX\Usage@UsageTime 0x32 0xA2 0x8E 0x0F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsBandwidthBucketCounter 6534
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter 36
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0x9F 0x3D 0x47 0x67 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0x9F 0x3D 0x47 0x67 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherRequestBucketCounter 111
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0x9F 0x3D 0x47 0x67 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter 12544
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter 211
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0x9F 0x3D 0x47 0x67 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@RoamingSyncToken LM%3d63570931143227%3bID%3d51951271748F3642!102%3bLR%3d63570931142483%3bEP%3d4%3bTD%3dTrue%3bSO%3d0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime 0x6B 0x86 0x1E 0x07 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0x75 0x39 0x1C 0x1A ...

---- EOF - GMER 2.1 ----