GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-02-09 10:46:26
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002e KINGSTON_SUV400S37240G rev.0C3FD6SD 223,57GB
Running: 39km3eim.exe; Driver: C:\Users\kalaf\AppData\Local\Temp\fwndyaob.sys

---- User code sections - GMER 2.2 ----

? C:\Windows\system32\apphelp.dll [1788] entry point in ".rdata" section 00000000725df7c0

---- Threads - GMER 2.2 ----

Thread C:\Windows\system32\csrss.exe [524:588] ffffef2d24206c20

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control@SystemStartOptions NOEXECUTE=OPTIN
Reg HKLM\SYSTEM\CurrentControlSet\Control@LastBootSucceeded 0
Reg HKLM\SYSTEM\CurrentControlSet\Control@LastBootShutdown 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 868
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 1209816
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1405221199
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 23
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 496411985
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 3008
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 2730
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 369eadcb-f6e9-457e-9bda-c64b10a
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 2
Reg HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\UnitedVideo\SERVICES\BASICDISPLAY@DefaultSettings.XResolution 1366
Reg HKLM\SYSTEM\CurrentControlSet\Services\Bprotect@RunningTime 0xA7 0x54 0x4D 0x30 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\c0143dd3d41a
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_44ac8
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_44ac8@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_44ac8@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_44ac8@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_44ac8@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_44ac8@DisplayName CDPUserSvc_44ac8
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_44ac8@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_44ac8@Description @%SystemRoot%\system32\cdpusersvc.dll,-101
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_44ac8\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_44ac8\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_44ac8
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_44ac8
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_44ac8@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_44ac8@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_44ac8@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_44ac8@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_44ac8@DisplayName Usługa wiadomości_44ac8
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_44ac8@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_44ac8@Description @%SystemRoot%\system32\MessagingService.dll,-101
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_44ac8\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_44ac8\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_44ac8\TriggerInfo
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_44ac8\TriggerInfo\0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_44ac8\TriggerInfo\0@Type 7
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_44ac8\TriggerInfo\0@Action 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_44ac8\TriggerInfo\0@Guid 0x16 0x28 0x7A 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_44ac8\TriggerInfo\0@Data0 0x75 0x18 0xBC 0xA3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_44ac8\TriggerInfo\0@DataType0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_44ac8
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_44ac8
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_44ac8@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_44ac8@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_44ac8@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_44ac8@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_44ac8@DisplayName Synchronizuj hosta_44ac8
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_44ac8@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_44ac8@Description @%SystemRoot%\system32\APHostRes.dll,-10001
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_44ac8\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_44ac8\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_44ac8
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_44ac8
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_44ac8@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_44ac8@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_44ac8@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_44ac8@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_44ac8@DisplayName Dane kontaktowe_44ac8
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_44ac8@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_44ac8@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-15000
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_44ac8\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_44ac8\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_44ac8
Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 624
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_44ac8
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_44ac8@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_44ac8@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_44ac8@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_44ac8@ImagePath C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_44ac8@DisplayName Magazyn danych użytkownika_44ac8
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_44ac8@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_44ac8@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_44ac8\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_44ac8\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_44ac8
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_44ac8
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_44ac8@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_44ac8@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_44ac8@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_44ac8@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_44ac8@DisplayName Dostęp do danych użytkownika_44ac8
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_44ac8@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_44ac8@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-14000
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_44ac8\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_44ac8\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_44ac8
Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 13416 13422 13434 13444 13454 13474 13518 13528 13566 13572 13588
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 13594
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 13595
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 13416
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 13417
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_44ac8
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_44ac8@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_44ac8@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_44ac8@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_44ac8@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_44ac8@DisplayName Usługa użytkownika powiadomień WNS_44ac8
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_44ac8@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_44ac8@Description @%SystemRoot%\system32\WpnUserService.dll,-2
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_44ac8\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_44ac8\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_44ac8
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{0368B73D-2B2F-4CE3-B439-D7753E5E491F}@LastAccessedTime 0x30 0x72 0x5F 0x19 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{0368B73D-2B2F-4CE3-B439-D7753E5E491F}@LaunchCount 1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{B9ABDBCA-D230-4BD0-8081-571F4F20C6E6}
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{B9ABDBCA-D230-4BD0-8081-571F4F20C6E6}@LastAccessedTime 0x80 0x9F 0x91 0xEF ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{B9ABDBCA-D230-4BD0-8081-571F4F20C6E6}@AppId {6D809377-6AF0-444B-8957-A3773F02200E}\Internet Explorer\iexplore.exe
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{B9ABDBCA-D230-4BD0-8081-571F4F20C6E6}@LaunchCount 2
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance@MessageTime 0x2B 0x3D 0xF0 0xB4 ...

---- EOF - GMER 2.2 ----