GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-11-11 15:41:28
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000025 HGST_HTS541010A9E680 rev.JA0OA710 931,51GB
Running: zhupshr7.exe; Driver: C:\Users\Organeo\AppData\Local\Temp\pxldrpob.sys

---- User code sections - GMER 2.2 ----

? C:\WINDOWS\system32\apphelp.dll [4420] entry point in ".rdata" section 0000000070e4f7c0

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [1156:1204] ffff90a4619a6c20

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xA3 0x57 0xAC 0x57 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x69 0x81 0x70 0x1D ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0xA3 0x57 0xAC 0x57 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x23 0xE6 0x72 0x1D ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 18
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\AUO159E0_00_07DC_E6^D8A03C3FE36BD7F5A8BA9909FF48DF75@Timestamp 0x07 0xD0 0x29 0x59 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 1300
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1989555463
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID fe0397ab-0d93-4313-a98d-527c32c
Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{e4cc5882-ae0f-468d-9369-d269c1ce3c18}
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\90489ae157e8
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_310bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_310bc@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_310bc@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_310bc@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_310bc@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_310bc@DisplayName CDPUserSvc_310bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_310bc@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_310bc@Description @%SystemRoot%\system32\cdpusersvc.dll,-101
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_310bc\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_310bc\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_310bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_310bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_310bc@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_310bc@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_310bc@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_310bc@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_310bc@DisplayName Usługa wiadomości_310bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_310bc@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_310bc@Description @%SystemRoot%\system32\MessagingService.dll,-101
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_310bc\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_310bc\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_310bc\TriggerInfo
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_310bc\TriggerInfo\0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_310bc\TriggerInfo\0@Type 7
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_310bc\TriggerInfo\0@Action 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_310bc\TriggerInfo\0@Guid 0x16 0x28 0x7A 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_310bc\TriggerInfo\0@Data0 0x75 0x18 0xBC 0xA3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_310bc\TriggerInfo\0@DataType0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_310bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_310bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_310bc@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_310bc@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_310bc@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_310bc@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_310bc@DisplayName Synchronizuj hosta_310bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_310bc@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_310bc@Description @%SystemRoot%\system32\APHostRes.dll,-10001
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_310bc\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_310bc\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_310bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_310bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_310bc@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_310bc@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_310bc@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_310bc@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_310bc@DisplayName Dane kontaktowe_310bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_310bc@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_310bc@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-15000
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_310bc\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_310bc\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_310bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Diagnostics@ReadyBootTrainingCountSinceLastServicing 13
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime pt., lis 11 16, 01:38:50 PM
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@EffectivePends 162
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 1733
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 129
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 17
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_310bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_310bc@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_310bc@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_310bc@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_310bc@ImagePath C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_310bc@DisplayName Magazyn danych użytkownika_310bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_310bc@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_310bc@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_310bc\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_310bc\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_310bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_310bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_310bc@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_310bc@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_310bc@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_310bc@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_310bc@DisplayName Dostęp do danych użytkownika_310bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_310bc@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_310bc@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-14000
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_310bc\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_310bc\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_310bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 14618 14624 14636 14646 14656 14676 14720 14730 14768 14774 14790
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 14796
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 14797
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 14618
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 14619
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_310bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_310bc@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_310bc@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_310bc@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_310bc@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_310bc@DisplayName Usługa użytkownika powiadomień WNS_310bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_310bc@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_310bc@Description @%SystemRoot%\system32\WpnUserService.dll,-2
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_310bc\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_310bc\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_310bc
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----