GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-04-15 16:46:14
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000022 Hitachi_HTS547575A9E384 rev.JE4OA50A 698,64GB
Running: tf5oe09c.exe; Driver: C:\Users\Ewelina\AppData\Local\Temp\pxddapob.sys

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [792:5404]    fffff960cf124060
Thread  C:\WINDOWS\Explorer.EXE [1764:8656]         00007ff82d460250

---- Services - GMER 2.2 ----

Service  C:\WINDOWS\servicing\TrustedInstaller.exe (*** hidden *** )           [AUTO] TrustedInstaller  <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\drivers\WdBoot.sys (*** hidden *** )              [BOOT] WdBoot            <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\drivers\WdFilter.sys (*** hidden *** )            [BOOT] WdFilter          <-- ROOTKIT !!!
Service  C:\Program Files (x86)\Windows Defender\MsMpEng.exe (*** hidden *** ) [AUTO] WinDefend         <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control@LastBootShutdown                                    0
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime                         0x41 0x5A 0x80 0xEA ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime                     0x02 0x40 0x20 0x1E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime                        0x55 0xA2 0x22 0x1E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL                     82
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\AUO21EC0_00_07DB_0D^92CF8EB40034AABDEFA79AB30EDCB501@Timestamp  0x99 0xEE 0x77 0xE9 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid                                          936
Reg  HKLM\SYSTEM\CurrentControlSet\Control\PnP@DisableLKG                                      1
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations         \??\C:\WINDOWS\System32\drivers\SET962C.tmp??\??\C:\WINDOWS\System32\drivers\SET9A34.tmp??\??\C:\WINDOWS\System32\drivers\SET9AA2.tmp??\??\C:\WINDOWS\System32\drivers\SETA13B.tmp??
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber        4522602
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed         -593892618
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId    83
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime  471082429
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime                      4922
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime                    4506
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID                          b3449f86-3f04-4bbf-ab92-5c3ed0b
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications\Components\TrustedInstaller@Events  CreateSession
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AITEventLog@FileCounter              2
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\DefenderApiLogger@Start              1
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\DefenderAuditLogger@Start            1
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\EventLog-Application\{3da494e4-0fe2-415c-b895-fb5265c5c83b}@Status  0
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\EventLog-System\{cdead503-17f5-4a3e-b7ae-df8cc2902eb9}@Status       0
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\WdiContextLog@FileCounter            2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\AVGIDSHA\Parameters@Reboot                         6
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\50b7c3b1e0b5
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings
Reg  HKLM\SYSTEM\CurrentControlSet\Services\DeviceInstall\Parameters@DeviceInstallDisabled     1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{6cd1dfea-51f5-44f9-9d72-b141e7506ecc}@LastProbeTime  1460702887
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime           pt., kwi 15 16, 06:49:39
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch                           3122
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch                          777
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence                    81
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS                      564
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{da53de54-1bac-4f72-b97d-ae9fed38b4d1}@LeaseObtainedTime    1460695692
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{da53de54-1bac-4f72-b97d-ae9fed38b4d1}@T1                   1460738892
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{da53de54-1bac-4f72-b97d-ae9fed38b4d1}@T2                   1460771292
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{da53de54-1bac-4f72-b97d-ae9fed38b4d1}@LeaseTerminatesTime  1460782092
Reg  HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller@Start                             2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeConfidence      7
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated       0xE3 0xE2 0x84 0xD0 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh            0xE3 0x4A 0x49 0x32 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow             0xE3 0x7A 0xC0 0x6E ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount       0xC9 0x07 0x68 0x01 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WdBoot@Group                                       Early-Launch
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WdBoot@ImagePath                                   system32\drivers\WdBoot.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WdBoot@Start                                       0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WdBoot
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WdFilter@ImagePath                                 system32\drivers\WdFilter.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WdFilter@Start                                     0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WdFilter
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WinDefend@Start                                    2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WinDefend
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop          0
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@Rw                                        0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@RwMask                                    0x64 0x62 0x03 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@PolicyDocumentLastRefresh  0xD0 0x1C 0xEF 0xFA ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds               {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe?{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe?

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code
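The four services GMER marks "hidden" carry the names and paths of Windows Defender's early-launch driver (WdBoot.sys, group Early-Launch), its file-system filter (WdFilter.sys), its engine service (WinDefend, MsMpEng.exe) and the Windows Modules Installer (TrustedInstaller.exe) on Windows 6.2.9200, i.e. Windows 8. The log alone does not settle whether GMER saw concealment or merely a service object it could not enumerate, so the practical next step is to compare the Services registry keys with what the Service Control Manager reports and to verify the Authenticode signature of each on-disk image. The PowerShell below is an added example and is not GMER output or code from gmer.net. It assumes an elevated PowerShell session on the scanned machine; the service names and the Start values it compares against are copied from the log; Get-CimInstance, Get-ItemProperty and Get-AuthenticodeSignature are standard cmdlets, while Resolve-ImagePath and Test-FlaggedService are helpers defined here.

```powershell
# Added example, not part of the GMER log. For each service GMER reported
# as "hidden", check: does the registry key exist, does the Service Control
# Manager (queried through WMI) enumerate it, and is the image it points at
# signed, and by whom? Run from an elevated PowerShell on the scanned host.

# Service names taken from the "Services" section of the log above.
$Flagged = @('TrustedInstaller', 'WdBoot', 'WdFilter', 'WinDefend')

# Start values recorded in the "Registry" section of the log
# (0 = boot, 1 = system, 2 = auto, 3 = manual, 4 = disabled).
$LoggedStart = @{ TrustedInstaller = 2; WdBoot = 0; WdFilter = 0; WinDefend = 2 }

# Everything the SCM is willing to enumerate: user-mode services plus kernel drivers.
$ScmVisible = @(Get-CimInstance Win32_Service      | Select-Object -ExpandProperty Name) +
              @(Get-CimInstance Win32_SystemDriver | Select-Object -ExpandProperty Name)

function Resolve-ImagePath {
    # Normalise the forms ImagePath takes into an absolute file path:
    # a quoted path followed by arguments, "\??\C:\...", "\SystemRoot\...",
    # or a path relative to %SystemRoot% such as "system32\drivers\WdBoot.sys".
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) {
        $p = $p.Substring(1, $p.IndexOf('"', 1) - 1)          # drop quotes and arguments
    } elseif ($p -match '^(.*?\.(exe|sys|dll))(\s|$)') {
        $p = $Matches[1]                                       # unquoted path, drop arguments
    }
    $p = $p -replace '^\\\?\?\\', ''                           # NT "\??\C:\..." prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot          # "\SystemRoot\system32\..."
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-FlaggedService {
    # Collect evidence for one service; the Verdict field lists discrepancies only.
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Service = $Name; Verdict = 'no registry key' }
    }
    $svc    = Get-ItemProperty -Path $key
    $image  = Resolve-ImagePath $svc.ImagePath
    $sig    = if (Test-Path $image) { Get-AuthenticodeSignature -FilePath $image } else { $null }
    $status = if ($sig) { $sig.Status } else { 'file missing' }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $problems = @()
    if ($ScmVisible -notcontains $Name)        { $problems += 'not enumerated by SCM' }
    if ($status -ne 'Valid')                   { $problems += "signature: $status" }
    elseif ($signer -notmatch 'CN=Microsoft')  { $problems += "signer: $signer" }
    if ($svc.Start -ne $LoggedStart[$Name])    { $problems += "Start=$($svc.Start), log had $($LoggedStart[$Name])" }

    [pscustomobject]@{
        Service    = $Name
        Start      = $svc.Start
        ScmVisible = $ScmVisible -contains $Name
        Image      = $image
        Signature  = $status
        Signer     = $signer
        Verdict    = if ($problems) { $problems -join '; ' } else { 'registry, SCM and signature agree' }
    }
}

$Flagged | ForEach-Object { Test-FlaggedService $_ } | Format-List
```

A service whose key the registry holds, which the SCM enumerates, and whose image validates with a Microsoft signer is not hidden from the operating system, whatever GMER's enumeration path could see; a key the SCM does not report, or an image that is unsigned or signed by someone else, is the case worth pulling the file for. One caveat when reading the Signature column: Windows binaries that are signed only through a catalog rather than an embedded signature can report NotSigned on older PowerShell builds, so a NotSigned result on a system path should be confirmed against the catalog before it is treated as a finding.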