GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-12-05 14:28:30
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD15EVDS-63V9B1 rev.01.00A01 1397,27GB
Running: GMER.exe; Driver: C:\Users\Natalia\AppData\Local\Temp\pfldqpow.sys


---- Kernel code sections - GMER 2.1 ----

.text    C:\Windows\System32\win32k.sys!W32pServiceTable                                                                                                              fffff9600019f100 15 bytes [40, A1, F1, 01, C0, E7, 6B, ...]
.text    C:\Windows\System32\win32k.sys!W32pServiceTable + 16                                                                                                         fffff9600019f110 11 bytes [00, 22, FC, FF, C0, DC, CA, ...]

---- Threads - GMER 2.1 ----

Thread   C:\Windows\system32\csrss.exe [556:580]                                                                                                                      fffff960008e02d0
---- Processes - GMER 2.1 ----

Library  C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1812] (GG drive overlay/GG Network S.A.)(2014-04-26 10:48:08)  000000005c080000

---- Registry - GMER 2.1 ----

Reg      HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime                                                                                            0x4B 0x17 0xE1 0x29 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime                                                                                        0xF0 0x1A 0x99 0x5D ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime                                                                                               0x4B 0x17 0xE1 0x29 ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime                                                                                           0x61 0xE1 0x9D 0x5D ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL                                                                                        814
Reg      HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SAM0A1DH4MDA07502_2B_07DD_81^F08413AFDDDA3B92B2AE570BC74D95A7@Timestamp                  0xE7 0xCB 0x1B 0x2B ...
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid                                                                                                             664
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations                                                                            \??\C:\Users\Natalia\AppData\Local\Temp\nsa8D50.tmp\g\??\??\C:\Users\Natalia\AppData\Local\Temp\nsa8D50.tmp\System.dll??\??\C:\Users\Natalia\AppData\Local\Temp\nsa8D50.tmp\??
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber                                                                           3900798
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed                                                                            -1285686336
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId                                                            821
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime                                                          459970165
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime                                                                                         14129
Reg      HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID                                                                                             89145a8d-273a-4b74-843d-9e23477
Reg      HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter                                                                               2
Reg      HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters@BootCounter                                                                                        1
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{2ee41a9b-d32d-49f2-9a8b-0edc3ae0794b}@LastProbeTime                                        1449320318
Reg      HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\AttachState@<tSqă~                                                                                           0
Reg      HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime                                                                              ?So?, ?gru ?05 ?15, 01:08:34???????????????????????????????????
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch                                                                                              6364
Reg      HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch                                                                                             3242
Reg      HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence                                                                                       815
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A0F6D180-9C3C-47B7-9C14-BD73A96BE1F0}@LeaseObtainedTime                                  1449316697
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A0F6D180-9C3C-47B7-9C14-BD73A96BE1F0}@T1                                                 1449359897
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A0F6D180-9C3C-47B7-9C14-BD73A96BE1F0}@T2                                                 1449392297
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A0F6D180-9C3C-47B7-9C14-BD73A96BE1F0}@LeaseTerminatesTime                                1449403097
Reg      HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop                                                                             0
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter                                                                            888
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown                                                                               1

---- Files - GMER 2.1 ----

File     C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_e8fcb2dca56ca9f9\Amd64\cdosys.dll.mui                                                       47616 bytes executable
File     C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_e8fcb2dca56ca9f9\Amd64\comctl32.dll.mui                                                     5632 bytes executable
File     C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_e8fcb2dca56ca9f9\Amd64\comdlg32.dll.mui                                                     51712 bytes executable
File     C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_e8fcb2dca56ca9f9\Amd64\fms.dll.mui                                                          13312 bytes executable
File     C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_e8fcb2dca56ca9f9\Amd64\mlang.dll.mui                                                        15872 bytes executable
File     C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_e8fcb2dca56ca9f9\Amd64\msimsg.dll.mui                                                       80896 bytes executable
File     C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_e8fcb2dca56ca9f9\Amd64\msprivs.dll.mui                                                      4608 bytes executable
File     C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_e8fcb2dca56ca9f9\Amd64\windows.ui.xaml.dll.mui                                              33792 bytes executable
File     C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_e8fcb2dca56ca9f9\Amd64\WWAHost.exe.mui                                                      17408 bytes executable

---- EOF - GMER 2.1 ----