Infected by a virus that creates users on its own!

Abdul Malek

Prominent
Jun 21, 2017
26
0
540
So today I woke up and I saw weirdly named accounts (2 of them) which I never had or had never seen before. I went to check Process Explorer and saw nothing odd there. I ran a few tests with MBAM, ESET, and SUPERAntiSpyware Professional. I already had VoodooShield on, so nothing turns on without my permission. What did I do in the last few days? Just browsing the internet; I updated my BIOS yesterday (downloaded it from the official website) and nothing further, actually. I just ran the GMER tool and it told me that there was some rootkit activity on my PC, and here is the report:


GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-07-17 21:57:26
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000041 Samsung_SSD_850_EVO_M.2_250GB rev.EMT21B6Q 232.89GB
Running: 1cvmtq46.exe; Driver: C:\temps\kxrdrpob.sys


---- Threads - GMER 2.2 ----

Thread C:\Windows\system32\csrss.exe [688:944] ffffe3278c736c20
Thread C:\Windows\System32\RuntimeBroker.exe [5568:11776] 00007ffd546720e0
Thread C:\Windows\Explorer.EXE [5788:2504] 00007ffd549c20e0

---- Services - GMER 2.2 ----

Service C:\Windows\system32\svchost.exe (*** hidden *** ) [AUTO] CDPUserSvc_79ede <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\MBAMSwissArmy.sys (*** hidden *** ) [MANUAL] MBAMSwissArmy <-- ROOTKIT !!!
Service C:\Windows\system32\svchost.exe (*** hidden *** ) [MANUAL] MessagingService_79ede <-- ROOTKIT !!!
Service C:\Windows\system32\svchost.exe (*** hidden *** ) [AUTO] OneSyncSvc_79ede <-- ROOTKIT !!!
Service C:\Windows\system32\svchost.exe (*** hidden *** ) [MANUAL] PimIndexMaintenanceSvc_79ede <-- ROOTKIT !!!
Service C:\Windows\System32\svchost.exe (*** hidden *** ) [MANUAL] UnistoreSvc_79ede <-- ROOTKIT !!!
Service C:\Windows\system32\svchost.exe (*** hidden *** ) [MANUAL] UserDataSvc_79ede <-- ROOTKIT !!!
Service C:\Windows\system32\svchost.exe (*** hidden *** ) [MANUAL] WpnUserService_79ede <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x38 0x4E 0x7C 0xAD ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x29 0x61 0xC5 0x63 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x74 0x59 0x7C 0xAD ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x29 0x61 0xC5 0x63 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@nl-NL 49
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\CMN17350_27_07DE_9C^69A10325D5D66B5910501376E526DD16@Timestamp 0x29 0x3F 0x19 0xAF ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 780
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{CFD52EF8-2FBB-41EA-B9B3-E0035C0DC0E4}\Connection@Name isatap.lan
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -257499127
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID c34e6391-cd59-4259-9c9b-9ec0618
Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{89858212-2229-45ca-a93f-dd57f965209c}
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\dc5360c6b9d8
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_79ede
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_79ede@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_79ede@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_79ede@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_79ede@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_79ede@DisplayName CDPUserSvc_79ede
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_79ede@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_79ede@Description @%SystemRoot%\system32\cdpusersvc.dll,-101
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_79ede\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_79ede\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_79ede
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{4a21d3d9-4c23-421e-a22f-8157a7d43018}@LastProbeTime 1500315936
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{CFD52EF8-2FBB-41EA-B9B3-E0035C0DC0E4}@ReusableType 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{CFD52EF8-2FBB-41EA-B9B3-E0035C0DC0E4}@DefunctTimestamp 0x2C 0x17 0x6D 0x59 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c4-ea-1d-a8-20-c0@AddressCreationTimestamp 0x30 0xA8 0x7D 0x0F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Tag 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@ImagePath \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@DisplayName MBAMSwissArmy
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Group FSFilter Activity Monitor
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances@DefaultInstance MBAMSwissArmy Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances\MBAMSwissArmy Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances\MBAMSwissArmy Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_79ede
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_79ede@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_79ede@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_79ede@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_79ede@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_79ede@DisplayName MessagingService_79ede
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_79ede@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_79ede@Description @%SystemRoot%\system32\MessagingService.dll,-101
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_79ede\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_79ede\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_79ede\TriggerInfo
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_79ede\TriggerInfo\0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_79ede\TriggerInfo\0@Type 7
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_79ede\TriggerInfo\0@Action 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_79ede\TriggerInfo\0@Guid 0x16 0x28 0x7A 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_79ede\TriggerInfo\0@Data0 0x75 0x18 0xBC 0xA3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_79ede\TriggerInfo\0@DataType0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_79ede
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_79ede
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_79ede@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_79ede@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_79ede@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_79ede@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_79ede@DisplayName Host synchroniseren_79ede
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_79ede@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_79ede@Description @%SystemRoot%\system32\APHostRes.dll,-10001
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_79ede\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_79ede\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_79ede
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_79ede
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_79ede@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_79ede@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_79ede@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_79ede@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_79ede@DisplayName Contact Data_79ede
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_79ede@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_79ede@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-15000
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_79ede\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_79ede\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_79ede
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 4304
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 969
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 49
Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 351
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a5115cb-c646-48e7-a021-cccd8dce040e}@LeaseObtainedTime 1500321582
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a5115cb-c646-48e7-a021-cccd8dce040e}@T1 1500364782
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a5115cb-c646-48e7-a021-cccd8dce040e}@T2 1500397182
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a5115cb-c646-48e7-a021-cccd8dce040e}@LeaseTerminatesTime 1500407982
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_79ede
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_79ede@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_79ede@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_79ede@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_79ede@ImagePath C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_79ede@DisplayName User Data Storage_79ede
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_79ede@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_79ede@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_79ede\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_79ede\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_79ede
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_79ede
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_79ede@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_79ede@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_79ede@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_79ede@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_79ede@DisplayName User Data Access_79ede
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_79ede@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_79ede@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-14000
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_79ede\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_79ede\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_79ede
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x67 0xEF 0x3B 0xBF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x67 0x57 0x00 0x21 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x67 0x87 0x77 0x5D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_79ede
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_79ede@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_79ede@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_79ede@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_79ede@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_79ede@DisplayName Windows Push Notification-gebruikersservice_79ede
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_79ede@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_79ede@Description @%SystemRoot%\system32\WpnUserService.dll,-2
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_79ede\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_79ede\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_79ede
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{EBEDB5BA-B2AF-4404-85A1-524A157D4A5F}
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{EBEDB5BA-B2AF-4404-85A1-524A157D4A5F}@LastAccessedTime 0xD0 0x19 0x79 0x6A ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{EBEDB5BA-B2AF-4404-85A1-524A157D4A5F}@AppId {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\e2eSoft\MyCam\MyCam.exe
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{EBEDB5BA-B2AF-4404-85A1-524A157D4A5F}@LaunchCount 2

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----



-------------------------------------------------------------

I deleted the users manually and then downloaded Norton Power Eraser. It found a few things, said that it had removed them, and asked for a reboot. It rebooted, but when I came to the login screen, I saw another new user. My laptop is getting slower and a lot of things are functioning slowly. (I could notice because it is a gaming laptop and the performance has changed a lot.)
I've also used Trend Micro's HouseCall online virus scan and Dr.Web's CureIt!, but still no results.


What can I do?
Thanks
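Every suffixed service in the report above shares one shape: a *_79ede name, Type 224 (0xE0), and an ImagePath of svchost.exe -k UnistackSvcGroup, which is how Windows 10 clones per-user service instances from a template such as CDPUserSvc for each logon session. The PowerShell triage script below is an added example, not code from the thread or from GMER: it checks each suffixed service against its unsuffixed template and lists who created any new local accounts (Security event 4720), so the accounts can be traced to a creating subject. It assumes Windows 10 with PowerShell 5.1, an elevated prompt, and Audit User Account Management enabled.

```powershell
# Added triage script (not from the thread). Assumes Windows 10, PowerShell 5.1,
# an elevated prompt (the Security log needs admin rights) and account-management
# auditing, which records event 4720 when a local account is created.

# 1. Per-user service instances: "<Template>_<hex>" keys are expected to point at
#    the same host command as their template and to carry Type 0xE0 (224).
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$serviceCheck = foreach ($key in Get-ChildItem $svcRoot) {
    if ($key.PSChildName -notmatch '^(?<template>.+)_(?<suffix>[0-9a-f]{4,8})$') { continue }
    $template = $Matches.template
    $inst     = Get-ItemProperty -Path $key.PSPath
    $tplKey   = Join-Path $svcRoot $template
    $tplExists = Test-Path $tplKey
    # Expand %SystemRoot% so the template path compares equal to the expanded instance path.
    $tplPath  = if ($tplExists) { [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $tplKey).ImagePath) }
    $instPath = [Environment]::ExpandEnvironmentVariables([string]$inst.ImagePath)
    $ok = $tplExists -and ($inst.Type -eq 224) -and ($tplPath -eq $instPath)
    [pscustomobject]@{
        Service        = $key.PSChildName
        Type           = $inst.Type
        ImagePath      = $instPath
        TemplateExists = $tplExists
        Verdict        = if ($ok) { 'expected per-user instance' } else { 'INVESTIGATE' }
    }
}
$serviceCheck | Format-Table -AutoSize

# 2. Account creation: event 4720 names the new account (TargetUserName) and the
#    subject that created it. Get-WinEvent raises a non-terminating error when no
#    events exist, so that case is silenced rather than treated as a failure.
$created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            NewAccount = $d['TargetUserName']
            CreatedBy  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        }
    }
$created | Sort-Object Time -Descending | Format-Table -AutoSize

# 3. Cross-check against the accounts that exist right now.
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize
```

A suffixed service whose template is missing, or whose host command differs from the template's, is worth investigating; a creator shown as a security product's service account points at the product rather than at malware.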
 
When a PC comes in with infections, my SOP is to download a 30-day free trial from Kaspersky or Bit Locker and see if I can clean it up. I have not, as yet, had to go further than that, though usually there are a few infections that I have had to remove manually. Of course, if you don't go ahead and buy the program, the likelihood of being right back in the same situation a few months from now is high.
 
If all attempts to remove the rootkit (or virus) are unsuccessful by automated means and manual means... it will mean a complete wipe of the hard drive/SSD and a reinstall of the OS. You will need to back up data you don't want to lose on the drive before doing so. (Scan to make sure the media you back it up onto is virus/rootkit free.)
 

Abdul Malek

Prominent
Jun 21, 2017
26
0
540
Really? Are there no other options? I don't even have a Windows CD. I just bought this laptop a few weeks ago and I think it is a waste of time to now back up things and format :/
 

Abdul Malek

Prominent
Jun 21, 2017
26
0
540
Hi again guys,

After A LOT of googling, I saw this post on BleepingComputer:
https://www.bleepingcomputer.com/forums/t/496501/virus-creating-new-user-accounts/

and I had exactly the same problems as he did. I discovered it is ESET that's causing all these problems, as you can see on page 3. The problem is solved by now and everything is functioning very well. Thanks for your comments, though, despite the fact that you freaked me out when all of you recommended formatting. But it is solved now, so who cares. Thanks, guys!
 
Solution


If all attempts to remove the rootkit (or virus) are unsuccessful by automated means and manual means... then you've exhausted all other possibilities that could rid you of the infection. You've already tried pretty much all methods. Did you email the report back to the author of GMER to interpret the results? Did you follow the instructions given for GMER to remove rootkits?

When all else is exhausted and a clean install is all that is left... you do what you've got to do, which means a clean install.


[EDIT]
Glad you found your solution.