GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-04-19 00:31:27
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000037 Intel___ rev.1.0. 238,48GB
Running: GMER.exe; Driver: C:\Users\Kamilo\AppData\Local\Temp\uwldqpog.sys

---- User code sections - GMER 2.2 ----

? C:\WINDOWS\SYSTEM32\NTASN1.dll [2984] entry point in ".rdata" section 000000007199a020
? C:\WINDOWS\system32\ncryptsslp.dll [2984] entry point in ".rdata" section 00000000728a04f0
? C:\WINDOWS\SYSTEM32\NTASN1.dll [4420] entry point in ".rdata" section 000000007199a020
? C:\WINDOWS\system32\ncryptsslp.dll [4420] entry point in ".rdata" section 00000000728a04f0
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[9004] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryExW 00007ffe94309bf0 5 bytes JMP 00007ffe926f0f0e
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[9004] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryExA 00007ffe9430ec40 5 bytes JMP 00007ffe926f0f4e
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[9004] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryW 00007ffe9430ed90 5 bytes JMP 00007ffe926f0f8e
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[9004] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryA 00007ffe9430f610 5 bytes JMP 00007ffe926f0fce
.text C:\Program Files\Windows Defender\MSASCuiL.exe[6188] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryExW 00007ffe94309bf0 5 bytes JMP 00007ffe92c80f0e
.text C:\Program Files\Windows Defender\MSASCuiL.exe[6188] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryExA 00007ffe9430ec40 5 bytes JMP 00007ffe92c80f4e
.text C:\Program Files\Windows Defender\MSASCuiL.exe[6188] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryW 00007ffe9430ed90 5 bytes JMP 00007ffe92c80f8e
.text C:\Program Files\Windows Defender\MSASCuiL.exe[6188] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryA 00007ffe9430f610 5 bytes JMP 00007ffe92c80fce
? C:\WINDOWS\SYSTEM32\iertutil.dll [9924] entry point in ".rdata" section 0000000069293150
.text C:\Program Files\CCleaner\CCleaner64.exe[8580] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryExW 00007ffe94309bf0 5 bytes JMP 00007ffe92c80f0e
.text C:\Program Files\CCleaner\CCleaner64.exe[8580] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryExA 00007ffe9430ec40 5 bytes JMP 00007ffe92c80f4e
.text C:\Program Files\CCleaner\CCleaner64.exe[8580] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryW 00007ffe9430ed90 5 bytes JMP 00007ffe92c80f8e
.text C:\Program Files\CCleaner\CCleaner64.exe[8580] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryA 00007ffe9430f610 5 bytes JMP 00007ffe92c80fce
? C:\WINDOWS\system32\wbem\wbemsvc.dll [9376] entry point in ".rdata" section 0000000072478fc0
? C:\WINDOWS\system32\apphelp.dll [8704] entry point in ".rdata" section 000000007208f7c0
? C:\WINDOWS\system32\wbem\wbemsvc.dll [900] entry point in ".rdata" section 0000000072478fc0
? C:\WINDOWS\SYSTEM32\iertutil.dll [900] entry point in ".rdata" section 0000000069293150
? C:\WINDOWS\system32\apphelp.dll [7216] entry point in ".rdata" section 000000007208f7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [7216] entry point in ".rdata" section 0000000069293150
? C:\WINDOWS\SYSTEM32\NTASN1.dll [7216] entry point in ".rdata" section 000000007199a020
? C:\WINDOWS\SYSTEM32\atlthunk.dll [7216] entry point in ".data" section 00000000709f4290
? C:\WINDOWS\system32\apphelp.dll [7224] entry point in ".rdata" section 000000007208f7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [7224] entry point in ".rdata" section 0000000069293150
? C:\WINDOWS\system32\apphelp.dll [7240] entry point in ".rdata" section 000000007208f7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [7240] entry point in ".rdata" section 0000000069293150
? C:\WINDOWS\system32\apphelp.dll [7360] entry point in ".rdata" section 000000007208f7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [7360] entry point in ".rdata" section 0000000069293150
? C:\WINDOWS\SYSTEM32\NTASN1.dll [7360] entry point in ".rdata" section 000000007199a020
? C:\Windows\System32\mfh264enc.dll [7360] entry point in ".rdata" section 000000005c8c4e30
? C:\WINDOWS\system32\apphelp.dll [7464] entry point in ".rdata" section 000000007208f7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [7464] entry point in ".rdata" section 0000000069293150
? C:\WINDOWS\system32\apphelp.dll [7504] entry point in ".rdata" section 000000007208f7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [7504] entry point in ".rdata" section 0000000069293150
? C:\WINDOWS\system32\apphelp.dll [9892] entry point in ".rdata" section 000000007208f7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [9892] entry point in ".rdata" section 0000000069293150
? C:\WINDOWS\system32\apphelp.dll [9868] entry point in ".rdata" section 000000007208f7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [9868] entry point in ".rdata" section 0000000069293150
? C:\WINDOWS\system32\apphelp.dll [9344] entry point in ".rdata" section 000000007208f7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [9344] entry point in ".rdata" section 0000000069293150
? C:\WINDOWS\system32\apphelp.dll [8524] entry point in ".rdata" section 000000007208f7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [8524] entry point in ".rdata" section 0000000069293150
? C:\WINDOWS\system32\apphelp.dll [628] entry point in ".rdata" section 000000007208f7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [628] entry point in ".rdata" section 0000000069293150
? C:\WINDOWS\system32\apphelp.dll [7120] entry point in ".rdata" section 000000007208f7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [7120] entry point in ".rdata" section 0000000069293150
? C:\WINDOWS\system32\apphelp.dll [2648] entry point in ".rdata" section 000000007208f7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [2648] entry point in ".rdata" section 0000000069293150
? C:\WINDOWS\system32\apphelp.dll [8976] entry point in ".rdata" section 000000007208f7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [8976] entry point in ".rdata" section 0000000069293150
? C:\WINDOWS\system32\apphelp.dll [8896] entry point in ".rdata" section 000000007208f7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [8896] entry point in ".rdata" section 0000000069293150
? C:\WINDOWS\system32\apphelp.dll [3856] entry point in ".rdata" section 000000007208f7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [3856] entry point in ".rdata" section 0000000069293150
? C:\WINDOWS\system32\apphelp.dll [4960] entry point in ".rdata" section 000000007208f7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [4960] entry point in ".rdata" section 0000000069293150
? C:\WINDOWS\system32\apphelp.dll [4248] entry point in ".rdata" section 000000007208f7c0

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [700:752] ffffb6b1a01a6c20
Thread C:\WINDOWS\Explorer.EXE [5020:8128] 00007ffe85dc20e0
Thread C:\WINDOWS\system32\conhost.exe [3056:3024] 00007ffe7005a3e0

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x02 0x86 0x50 0xD0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xBE 0xF3 0x30 0xA3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x7D 0xE8 0x52 0xD0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xBE 0xF3 0x30 0xA3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 106
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SDC4C480_00_07DC_F8^960251D697DACC5E89D0687BFCAB137A@Timestamp 0xC0 0xCB 0x71 0xD1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 796
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 2710669
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1442789069
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 106
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 502185284
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 4237
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 4195
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 95898692-39e9-4d75-8a8f-82743df
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\acpipagr\Parameters\Wdf@TimeOfLastTelemetryLog 0x64 0x40 0x0B 0x67 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@1008 0x09 0x72 0x94 0x7C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName Global\MMF_BITS3c7a918a-5f81-4c14-9a48-4cd7537b25db
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000000005aad
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\3468950dd2c4
Reg HKLM\SYSTEM\CurrentControlSet\Services\cdrom\Parameters\Wdf@TimeOfLastTelemetryLog 0x0F 0x2D 0xF8 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x1A 0xF3 0xDD 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{da1455cc-5941-43f9-9f76-96138e8e46d1}@LastProbeTime 1492552146
Reg HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x06 0xEF 0x46 0x67 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\intelppm\Parameters\Wdf@TimeOfLastTelemetryLog 0xBF 0xCA 0xF5 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{9CDFC3EC-2FE0-469D-A0F3-EA10552B7B76}@InterfaceName Reusable ISATAP Interface {9CDFC3EC-2FE0-469D-A0F3-EA10552B7B76}
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{9CDFC3EC-2FE0-469D-A0F3-EA10552B7B76}@ReusableType 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\MEIx64\Parameters\Wdf@TimeOfLastTelemetryLog 0xE3 0xDE 0xE9 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\monitor\Parameters\Wdf@TimeOfLastTelemetryLog 0x9B 0x9B 0x6F 0x69 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\msisadrv\Parameters\Wdf@TimeOfLastTelemetryLog 0x15 0xFB 0x23 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x64 0x40 0x0B 0x67 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 6091
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 863
Reg HKLM\SYSTEM\CurrentControlSet\Services\SmbDrvI\Parameters\Wdf@TimeOfLastTelemetryLog 0xBF 0xCA 0xF5 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 105
Reg HKLM\SYSTEM\CurrentControlSet\Services\ssdevfactory\Parameters\Wdf@TimeOfLastTelemetryLog 0x64 0x40 0x0B 0x67 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sshid\Parameters\Wdf@TimeOfLastTelemetryLog 0x74 0x32 0xC6 0x68 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\ssps2\Parameters\Wdf@TimeOfLastTelemetryLog 0xBF 0xCA 0xF5 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 474
Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters\Wdf@TimeOfLastTelemetryLog 0xBF 0xCA 0xF5 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6af5e6a6-a081-4a74-acdd-6debd103226e}@LeaseObtainedTime 1492552147
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6af5e6a6-a081-4a74-acdd-6debd103226e}@T1 1492553947
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6af5e6a6-a081-4a74-acdd-6debd103226e}@T2 1492555297
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6af5e6a6-a081-4a74-acdd-6debd103226e}@LeaseTerminatesTime 1492555747
Reg HKLM\SYSTEM\CurrentControlSet\Services\umbus\Parameters\Wdf@TimeOfLastTelemetryLog 0x1A 0xF3 0xDD 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters\Wdf@TimeOfLastTelemetryLog 0x93 0x71 0x5A 0x67 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters\Wdf@TimeOfLastTelemetryLog 0x42 0x41 0xEC 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrvroot\Parameters\Wdf@TimeOfLastTelemetryLog 0x7F 0x5D 0x26 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\vwifibus\Parameters\Wdf@TimeOfLastTelemetryLog 0x94 0xAC 0x54 0x68 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xD5 0x10 0xD2 0xFE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xD5 0x78 0x96 0x60 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xD5 0xA8 0x0D 0x9D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 28574 28580 28592 28602 28612 28632 28676 28686 28724 28730 28746
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 28752
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 28753
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 28574
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 28575
Reg HKLM\SYSTEM\Maps@LastMapUpdateCheck 0xD1 0xFC 0x10 0xB2 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications@TimestampWhenSeen 0x47 0x07 0xF7 0xD4 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance@MessageTime 0xDD 0x33 0xF0 0x0D ...

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----
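The "User code sections" block above is the part of a GMER log worth triaging by hand: each ".text ... 5 bytes JMP" line is an inline hook on a KERNEL32 export inside one process, and each "? ... entry point in" line is a module whose entry point sits outside a code section. The following script is an added example, not part of the GMER log or of GMER itself. It parses lines in the exact format shown above (a subset of them is embedded as constructed sample input), groups the hooks by JMP target, and checks that each 5-byte JMP is encodable as a rel32 displacement. Note what the grouping does and does not establish: MSASCuiL.exe and CCleaner64.exe jump to the same four addresses, so the same hook code is mapped at the same address in both, while SetPoint.exe jumps somewhere else. Which module owns those addresses, and whether it is a legitimate hooking product, cannot be read from this log; resolving the target address to a loaded module in each process is the next step.

```python
"""Triage helper for the 'User code sections' block of a GMER 2.2 log.
Added example; not GMER's own code.  Only the line formats visible in the
log above are parsed; anything else is ignored."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the log above (enough to show the grouping).
SAMPLE_LOG = r"""
? C:\WINDOWS\SYSTEM32\NTASN1.dll [2984] entry point in ".rdata" section 000000007199a020
? C:\WINDOWS\system32\ncryptsslp.dll [2984] entry point in ".rdata" section 00000000728a04f0
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[9004] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryExW 00007ffe94309bf0 5 bytes JMP 00007ffe926f0f0e
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[9004] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryExA 00007ffe9430ec40 5 bytes JMP 00007ffe926f0f4e
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[9004] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryW 00007ffe9430ed90 5 bytes JMP 00007ffe926f0f8e
.text C:\Program Files\Logitech\SetPointP\SetPoint.exe[9004] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryA 00007ffe9430f610 5 bytes JMP 00007ffe926f0fce
.text C:\Program Files\Windows Defender\MSASCuiL.exe[6188] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryExW 00007ffe94309bf0 5 bytes JMP 00007ffe92c80f0e
.text C:\Program Files\Windows Defender\MSASCuiL.exe[6188] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryExA 00007ffe9430ec40 5 bytes JMP 00007ffe92c80f4e
.text C:\Program Files\Windows Defender\MSASCuiL.exe[6188] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryW 00007ffe9430ed90 5 bytes JMP 00007ffe92c80f8e
.text C:\Program Files\Windows Defender\MSASCuiL.exe[6188] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryA 00007ffe9430f610 5 bytes JMP 00007ffe92c80fce
? C:\WINDOWS\SYSTEM32\iertutil.dll [9924] entry point in ".rdata" section 0000000069293150
.text C:\Program Files\CCleaner\CCleaner64.exe[8580] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryExW 00007ffe94309bf0 5 bytes JMP 00007ffe92c80f0e
.text C:\Program Files\CCleaner\CCleaner64.exe[8580] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryExA 00007ffe9430ec40 5 bytes JMP 00007ffe92c80f4e
.text C:\Program Files\CCleaner\CCleaner64.exe[8580] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryW 00007ffe9430ed90 5 bytes JMP 00007ffe92c80f8e
.text C:\Program Files\CCleaner\CCleaner64.exe[8580] C:\WINDOWS\System32\KERNEL32.DLL!LoadLibraryA 00007ffe9430f610 5 bytes JMP 00007ffe92c80fce
? C:\WINDOWS\SYSTEM32\atlthunk.dll [7216] entry point in ".data" section 00007ffe709f4290
"""

# .text <image>[<pid>] <module>!<export> <addr> <n> bytes JMP <target>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+?)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9a-f]+)\s+(?P<size>\d+)\s+bytes\s+JMP\s+(?P<target>[0-9a-f]+)\s*$",
    re.IGNORECASE,
)
# ? <image> [<pid>] entry point in "<section>" section <addr>
ENTRY_RE = re.compile(
    r'^\?\s+(?P<image>.+?)\s+\[(?P<pid>\d+)\]\s+entry point in "(?P<section>[^"]+)"'
    r"\s+section\s+(?P<addr>[0-9a-f]+)\s*$",
    re.IGNORECASE,
)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_user_code_sections(log_text):
    """Return (hooks, entries): one dict per inline-hook line and per
    'entry point outside a code section' line.  Other lines are skipped."""
    hooks, entries = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"], d["size"] = int(d["pid"]), int(d["size"])
            d["addr"], d["target"] = d["addr"].lower(), d["target"].lower()
            hooks.append(d)
            continue
        m = ENTRY_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            entries.append(d)
    return hooks, entries


def hook_targets_by_process(hooks):
    """Map each JMP target address to the set of (image basename, pid) hooked to it."""
    by_target = defaultdict(set)
    for h in hooks:
        by_target[h["target"]].add((basename(h["image"]), h["pid"]))
    return dict(by_target)


def shared_hook_targets(hooks):
    """JMP targets reached from more than one process: the same hook code is
    mapped at the same address in each of them (who owns it is not in the log)."""
    return {t: p for t, p in hook_targets_by_process(hooks).items() if len(p) > 1}


def hooks_per_process(hooks):
    """Which exports each (image, pid) has hooked, sorted for stable comparison."""
    per = defaultdict(list)
    for h in hooks:
        per[(basename(h["image"]), h["pid"])].append(f"{basename(h['module'])}!{h['export']}")
    return {k: sorted(v) for k, v in per.items()}


def jmp_rel32(hook):
    """Displacement of the 5-byte E9 JMP GMER reports (relative to the next
    instruction); a 5-byte JMP only exists if this fits in a signed 32-bit field."""
    disp = int(hook["target"], 16) - (int(hook["addr"], 16) + 5)
    if not -2**31 <= disp < 2**31:
        raise ValueError(f"{hook['export']}: target not reachable by a rel32 JMP")
    return disp


if __name__ == "__main__":
    hooks, entries = parse_user_code_sections(SAMPLE_LOG)
    for target, procs in sorted(shared_hook_targets(hooks).items()):
        print(f"JMP target {target} shared by {sorted(procs)}")
    for (image, pid), exports in sorted(hooks_per_process(hooks).items()):
        print(f"{image}[{pid}]: {len(exports)} hooks, max |rel32| = "
              f"{max(abs(jmp_rel32(h)) for h in hooks if basename(h['image']) == image):#x}")
    for e in entries:
        print(f"entry point outside code: {basename(e['image'])} [{e['pid']}] in {e['section']}")
```

Running it on the full log rather than the sample only needs `parse_user_code_sections(open(path, encoding="utf-16").read())` or whatever encoding the saved log uses; the regexes deliberately anchor on the whole line so that registry or thread lines never match by accident.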