GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-03-11 11:31:48 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000036 INTEL_SSDPEKKW256G7 rev.PSF109C 238,47GB Running: orxluc2e.exe; Driver: C:\Users\WisePL\AppData\Local\Temp\kwadauow.sys ---- User code sections - GMER 2.2 ---- ? C:\Windows\system32\apphelp.dll [696] entry point in ".rdata" section 0000000073e1f7c0 ? C:\Windows\SYSTEM32\iertutil.dll [696] entry point in ".rdata" section 0000000073d51590 ? C:\Windows\System32\ieproxy.dll [696] entry point in ".rdata" section 00000000713b9600 ? C:\Windows\System32\OneCoreCommonProxyStub.dll [696] entry point in ".rdata" section 000000006ee7da90 ? C:\Windows\SYSTEM32\NTASN1.dll [696] entry point in ".rdata" section 000000006ed9a020 ? C:\Windows\system32\ncryptsslp.dll [696] entry point in ".rdata" section 000000006ed704f0 ? C:\Windows\SYSTEM32\srpapi.dll [696] entry point in ".rdata" section 000000006d546100 ? C:\Windows\System32\ActXPrxy.dll [696] entry point in ".rdata" section 000000006b629c50 ? C:\Windows\System32\resampledmo.dll [696] entry point in ".rdata" section 00000000699ab7a0 ? C:\Windows\SYSTEM32\atlthunk.dll [696] entry point in ".data" section 00000000681d4290 ? C:\Windows\SYSTEM32\iertutil.dll [1644] entry point in ".rdata" section 0000000073d51590 ? C:\Windows\SYSTEM32\dbgcore.DLL [1644] entry point in ".rdata" section 000000006db7c940 ? C:\Windows\SYSTEM32\NTASN1.dll [1644] entry point in ".rdata" section 000000006ed9a020 ? C:\Windows\System32\OneCoreUAPCommonProxyStub.dll [1644] entry point in ".rdata" section 0000000069a67ec0 ? C:\Windows\system32\apphelp.dll [4996] entry point in ".rdata" section 0000000073e1f7c0 ? C:\Windows\SYSTEM32\iertutil.dll [4996] entry point in ".rdata" section 0000000073d51590 ? C:\Windows\System32\ieproxy.dll [4996] entry point in ".rdata" section 00000000713b9600 ? C:\Windows\SYSTEM32\srpapi.dll [4996] entry point in ".rdata" section 000000006d546100 ? C:\Windows\System32\OneCoreCommonProxyStub.dll [4996] entry point in ".rdata" section 000000006ee7da90 ? C:\Windows\SYSTEM32\atlthunk.dll [4996] entry point in ".data" section 00000000681d4290 ? C:\Windows\System32\ActXPrxy.dll [4996] entry point in ".rdata" section 000000006b629c50 ? C:\Windows\system32\apphelp.dll [5048] entry point in ".rdata" section 0000000073e1f7c0 ? C:\Windows\SYSTEM32\iertutil.dll [5048] entry point in ".rdata" section 0000000073d51590 ? C:\Windows\System32\ieproxy.dll [5048] entry point in ".rdata" section 00000000713b9600 ? C:\Windows\System32\OneCoreCommonProxyStub.dll [5048] entry point in ".rdata" section 000000006ee7da90 ? C:\Windows\SYSTEM32\srpapi.dll [5048] entry point in ".rdata" section 000000006d546100 ? C:\Windows\SYSTEM32\NTASN1.dll [5048] entry point in ".rdata" section 000000006ed9a020 ? C:\Windows\system32\ncryptsslp.dll [5048] entry point in ".rdata" section 000000006ed704f0 ? C:\Windows\system32\apphelp.dll [4388] entry point in ".rdata" section 0000000073e1f7c0 ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\csrss.exe [596:740] ffffdf48099a6c20 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x6F 0x91 0x22 0x5C ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xC8 0x14 0x13 0x82 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@en-US 4 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\IVM66190_00_07DE_2D^F3599F9A9ED53B074D761C8445E9D10A@Timestamp 0xA8 0x3A 0x39 0x5D ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 724 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -624202572 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 7955c144-6faa-4e87-aa61-38d2414 Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{cd4be057-0b68-4615-b32b-b238c66cc7a5} Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_426315 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_426315@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_426315@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_426315@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_426315@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_426315@DisplayName CDPUserSvc_426315 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_426315@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_426315@Description @%SystemRoot%\system32\cdpusersvc.dll,-101 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_426315\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_426315\Security@Security 0x01 0x00 0x14 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_426315 Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{c2eaf7c5-efb1-4dad-9176-7a80b82b9367}@LastProbeTime 1489207717 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\0c-c4-7a-1d-90-25@AddressCreationTimestamp 0x0F 0x05 0xD4 0x0E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\0c-c4-7a-1d-90-25@NatDetectionTimestamp 0x0F 0x05 0xD4 0x0E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_426315 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_426315@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_426315@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_426315@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_426315@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_426315@DisplayName MessagingService_426315 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_426315@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_426315@Description @%SystemRoot%\system32\MessagingService.dll,-101 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_426315\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_426315\Security@Security 0x01 0x00 0x14 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_426315\TriggerInfo Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_426315\TriggerInfo\0 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_426315\TriggerInfo\0@Type 7 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_426315\TriggerInfo\0@Action 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_426315\TriggerInfo\0@Guid 0x16 0x28 0x7A 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_426315\TriggerInfo\0@Data0 0x75 0x18 0xBC 0xA3 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_426315\TriggerInfo\0@DataType0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_426315 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_426315 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_426315@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_426315@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_426315@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_426315@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_426315@DisplayName Sync Host_426315 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_426315@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_426315@Description @%SystemRoot%\system32\APHostRes.dll,-10001 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_426315\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_426315\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_426315 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_426315 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_426315@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_426315@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_426315@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_426315@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_426315@DisplayName Contact Data_426315 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_426315@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_426315@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-15000 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_426315\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_426315\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_426315 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 112 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 19 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c3cda068-51e1-4d49-9e5e-7d6e948af851}@LeaseObtainedTime 1489225718 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c3cda068-51e1-4d49-9e5e-7d6e948af851}@T1 1489227518 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c3cda068-51e1-4d49-9e5e-7d6e948af851}@T2 1489228868 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c3cda068-51e1-4d49-9e5e-7d6e948af851}@LeaseTerminatesTime 1489229318 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_426315 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_426315@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_426315@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_426315@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_426315@ImagePath C:\Windows\System32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_426315@DisplayName User Data Storage_426315 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_426315@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_426315@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-10002 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_426315\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_426315\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_426315 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_426315 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_426315@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_426315@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_426315@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_426315@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_426315@DisplayName User Data Access_426315 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_426315@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_426315@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-14000 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_426315\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_426315\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_426315 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x1A 0x25 0x9F 0x0E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x1A 0x8D 0x63 0x70 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x1A 0xBD 0xDA 0xAC ... Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 9444 9450 9460 9470 9490 9534 9544 9582 9588 9604 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 9610 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 9611 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 9444 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 9445 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_426315 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_426315@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_426315@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_426315@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_426315@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_426315@DisplayName Windows Push Notifications User Service_426315 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_426315@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_426315@Description @%SystemRoot%\system32\WpnUserService.dll,-2 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_426315\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_426315\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_426315 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----