I think someone has gotten into my PC. I don't know how to kick them out and close the doors on them, so I'm posting a GMER log in case it helps.
GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-05-29 21:24:33
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002a WDC_WD6400AAKS-22A7B2 rev.01.03B01 596,17GB
Running: gmer.exe; Driver: C:\Users\Ismael\AppData\Local\Temp\kwldapow.sys
---- Disk sectors - GMER 2.1 ----
Disk \Device\Harddisk0\DR0 unknown MBR code
---- Files - GMER 2.1 ----
File C:\Users\Ismael\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt 0 bytes
---- Processes - GMER 2.1 ----
Library C:\Users\Ismael\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\dbghelp.dll (*** suspicious ***) @ C:\Users\Ismael\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Install.exe [3236] (Windows Image Helper/Microsoft Corporation)(2015-05-29 18:53:39) 0000000003000000
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\SDScannerService@ServiceWebPortFileScannerActive 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SDScannerService@ServiceWebPortFirewallActive 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SDUpdateService@ServiceWebPortActive 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x06 0x1B 0xE8 0xF5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\ACR0064LEF080014210_27_07D8_14^6742D576E8B376F69DE478D074E6BE99@Timestamp 0x39 0x11 0xC6 0x7A ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Store@LastTileRefresh 0x4C 0x96 0xE8 0x6E ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x4E 0x78 0x78 0x78 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Store\RefreshBannedAppList@BannedAppsLastModified 0x80 0x65 0xA0 0x7D ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xD3 0xDF 0xEC 0xF5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xDC 0x7D 0x75 0x78 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{085C6A7A-42BB-4ED9-8B2A-B9DF3399F17D}@ReusableType 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger@FileCounter 10
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@es-ES 107
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 109
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 110
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 12
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 1404916693
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D0DE6CB9-1CE3-4564-8022-2A8994DE884D}@LeaseObtainedTime 1432925081
Reg HKLM\SYSTEM\CurrentControlSet\Services\{D0DE6CB9-1CE3-4564-8022-2A8994DE884D}\Parameters\Tcpip@LeaseObtainedTime 1432925081
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{da712857-c08b-4588-a532-1267e5630c15}@LastProbeTime 1432932483
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D0DE6CB9-1CE3-4564-8022-2A8994DE884D}@T1 1433054681
Reg HKLM\SYSTEM\CurrentControlSet\Services\{D0DE6CB9-1CE3-4564-8022-2A8994DE884D}\Parameters\Tcpip@T1 1433054681
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D0DE6CB9-1CE3-4564-8022-2A8994DE884D}@T2 1433151881
Reg HKLM\SYSTEM\CurrentControlSet\Services\{D0DE6CB9-1CE3-4564-8022-2A8994DE884D}\Parameters\Tcpip@T2 1433151881
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D0DE6CB9-1CE3-4564-8022-2A8994DE884D}@LeaseTerminatesTime 1433184281
Reg HKLM\SYSTEM\CurrentControlSet\Services\{D0DE6CB9-1CE3-4564-8022-2A8994DE884D}\Parameters\Tcpip@LeaseTerminatesTime 1433184281
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 1848
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 1848 1854
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 1849
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 1860
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 1861
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 18633
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog@FileCounter 2
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 365
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 443962743
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 4521682
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 4a0723e4-2b0e-4596-9836-d067833
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter 54
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 800
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations {f3c5e28e-63f6-49c7-a204-e48a1bc4b09d} %SystemRoot%\system32\drivers\fltmgr.sys {e595f735-b42a-494b-afcd-b68666945cd3} %SystemRoot%\system32\mpssvc.dll {dea07764-0790-44de-b9c4-49677b17174f} %SystemRoot%\system32\fms.dll {538cbbad-4877-4eb2-b26e-7caee8f0f8cb} %SystemRoot%\system32\fdphost.dll {55ab77f6-fa04-43ef-af45-688fbf500482} %SystemRoot%\system32\drivers\msgpioclx.sys {aea1b4fa-97d1-45f2-a64c-4d69fffd92c9} ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime vi., may. 29 15, 08:50:14
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{085C6A7A-42BB-4ED9-8B2A-B9DF3399F17D}\Connection@Name Reusable ISATAP Interface {085C6A7A-42BB-4ED9-8B2A-B9DF3399F17D}
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{085C6A7A-42BB-4ED9-8B2A-B9DF3399F17D}@InterfaceName Reusable ISATAP Interface {085C6A7A-42BB-4ED9-8B2A-B9DF3399F17D}
---- Threads - GMER 2.1 ----
Thread C:\WINDOWS\system32\svchost.exe [1548:3560] 00007fff39881b70
Thread C:\WINDOWS\system32\svchost.exe [1548:3536] 00007fff39c54440
Thread C:\WINDOWS\system32\svchost.exe [1548:3540] 00007fff40f41600
Thread C:\WINDOWS\system32\csrss.exe [596:632] fffff960009be2d0
---- EOF - GMER 2.1 ----
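The log above has exactly two entries that deserve a second look before anything else: the "unknown MBR code" line under Disk sectors, and the dbghelp.dll that GMER flags as suspicious because Install.exe resolved a well-known system DLL name from a per-run directory under %TEMP% (the DLL search-order pattern). Everything else in the Registry and Threads sections is routine state (DHCP lease times, performance-counter indices, boot counters) and GMER's own driver, kwldapow.sys, is expected to live in %TEMP% under a random name. The following parser is an added example, not part of the original post and not GMER's own tooling: it splits a GMER 2.1 log into its sections and header fields and returns the entries a responder would triage first. The function and class names (parse_gmer, triage, GmerReport, Finding) are mine, and SAMPLE_LOG is a constructed, abridged copy of the log posted above. The section parser is general and handles any "---- name - GMER x.y ----" section, not only the ones this log contains.

```python
"""Parse a GMER 2.1 rootkit-scan log into sections and pull out the entries
a responder would triage first (hypothetical helper names, not GMER's own)."""
import re
from dataclasses import dataclass, field

# Constructed sample: an abridged copy of the GMER output pasted in the post.
SAMPLE_LOG = r"""GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-05-29 21:24:33
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002a WDC_WD6400AAKS-22A7B2 rev.01.03B01 596,17GB
Running: gmer.exe; Driver: C:\Users\Ismael\AppData\Local\Temp\kwldapow.sys
---- Disk sectors - GMER 2.1 ----
Disk \Device\Harddisk0\DR0 unknown MBR code
---- Files - GMER 2.1 ----
File C:\Users\Ismael\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt 0 bytes
---- Processes - GMER 2.1 ----
Library C:\Users\Ismael\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\dbghelp.dll (*** suspicious ***) @ C:\Users\Ismael\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Install.exe [3236] (Windows Image Helper/Microsoft Corporation)(2015-05-29 18:53:39) 0000000003000000
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\SDScannerService@ServiceWebPortFileScannerActive 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 800
---- Threads - GMER 2.1 ----
Thread C:\WINDOWS\system32\svchost.exe [1548:3560] 00007fff39881b70
Thread C:\WINDOWS\system32\csrss.exe [596:632] fffff960009be2d0
---- EOF - GMER 2.1 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
LIBRARY_RE = re.compile(
    r"^Library (?P<dll>.+?)(?P<flag> \(\*\*\* suspicious \*\*\*\))? @ (?P<exe>.+?) \[(?P<pid>\d+)\]"
)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class GmerReport:
    version: str = ""
    scan_time: str = ""
    os_line: str = ""
    driver: str = ""          # GMER's own randomly named driver; %TEMP% is expected here
    sections: dict = field(default_factory=dict)


@dataclass
class Finding:
    section: str
    kind: str
    subject: str
    note: str
    pid: int = 0


def parse_gmer(text: str) -> GmerReport:
    """Split the log into its header fields and '---- name - GMER x.y ----' sections."""
    report = GmerReport()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            report.sections.setdefault(current, [])
            continue
        if current is None:                      # header block before the first section
            if line.startswith("GMER "):
                report.version = line.split(" - ")[0].split(" ", 1)[1]
            elif line.startswith("Rootkit scan "):
                report.scan_time = line[len("Rootkit scan "):]
            elif line.startswith("Windows "):
                report.os_line = line
            elif "Driver: " in line:
                report.driver = line.split("Driver: ", 1)[1]
            continue
        if current == "EOF":
            break
        report.sections[current].append(line)
    return report


def triage(report: GmerReport) -> list:
    """Return the entries worth a second look, in the order a responder would check them."""
    findings = []
    for line in report.sections.get("Disk sectors", []):
        if "unknown MBR code" in line:
            findings.append(Finding("Disk sectors", "unknown_mbr", line.split(" ", 1)[1],
                                    "non-standard boot code: compare against a known-good MBR "
                                    "(OEM and dual-boot loaders also trigger this)"))
    for line in report.sections.get("Processes", []):
        m = LIBRARY_RE.match(line)
        if not m:
            continue
        flagged = m.group("flag") is not None
        in_temp = TEMP_RE.search(m.group("dll")) is not None
        if flagged or in_temp:
            findings.append(Finding(
                "Processes",
                "suspicious_library" if flagged else "temp_library",
                m.group("dll"),
                "loaded by %s; a system DLL name resolved from a per-run temp directory is the "
                "DLL search-order pattern, so verify the file's Authenticode signature and hash"
                % m.group("exe"),
                int(m.group("pid"))))
    return findings


if __name__ == "__main__":
    rep = parse_gmer(SAMPLE_LOG)
    print("GMER", rep.version, "scan at", rep.scan_time)
    for f in triage(rep):
        print("[%s] %s: %s (pid %d) -> %s" % (f.section, f.kind, f.subject, f.pid, f.note))
```

Run it against a full log and the two findings come back in that order; thread and registry entries are deliberately left out of the triage because, on their own, they carry no signal (the csrss thread starting in the 0xfffff960 range is win32k code, which csrss legitimately runs). The next step for the flagged DLL is to check whether it is signed and whether its hash matches the Microsoft-shipped dbghelp.dll; an installer that bundles its own copy is common, so the flag alone does not confirm an intrusion.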