GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-03-26 20:44:58 Windows 6.2.9200 x64 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP1T0L0-1 TOSHIBA_THNSNJ256GCST rev.JTRA0102 238.47GB Running: 0d4o8j13.exe; Driver: C:\Users\Olga\AppData\Local\Temp\uwldapog.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\SYSTEM32\wship6.dll [2680] entry point in ".rdata" section 00000000717d24b0 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [2680] entry point in ".rdata" section 000000006e028fa0 ? C:\WINDOWS\SYSTEM32\wship6.dll [5052] entry point in ".rdata" section 00000000717d24b0 ? C:\Windows\SYSTEM32\ActXPrxy.dll [5052] entry point in ".rdata" section 0000000063d2bc40 ? C:\WINDOWS\SYSTEM32\wship6.dll [4956] entry point in ".rdata" section 00000000717d24b0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [4956] entry point in ".rdata" section 000000006e7bcaf0 ? C:\WINDOWS\SYSTEM32\srpapi.dll [4956] entry point in ".rdata" section 0000000063fb2a90 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [4956] entry point in ".rdata" section 0000000063a5bb10 ? C:\Windows\SYSTEM32\mfwmaaec.dll [4956] entry point in ".rdata" section 0000000062c03540 ? C:\WINDOWS\SYSTEM32\Windows.Networking.HostName.dll [4732] entry point in ".rdata" section 0000000062733090 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [6640] entry point in ".rdata" section 000000006e028fa0 ? C:\WINDOWS\system32\apphelp.dll [6788] entry point in ".rdata" section 00000000664c0380 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [656:708] fffff96135724060 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot@OfficeODC ?????????????????????????????q?n?3?????????????n???????????????????????????????????????????????????????????????n??? ???????n???????????n???????????n???n???n?????????????? o???????o?????:?????????????o???o???????????????????????????????????????????????????????????????????????o???????????q???????q???????u???????????????????????u???????????????????????u?????????????A?????????????????????????????u???????????????????v?C?????????????????????????????????????????????v???????????!???v????\System Volume Information\FVE2.{c9ca54a3-6983-46b7-8684-a7e5e23499e3}??????\System Volume Information\FVE2.{24e6f0ae-6a00-4f73-984b-75ce9942852d}??????\System Volume Information\FVE2.{9ef82dfa-1239-4a30-83e6-3b3e9b8fed08}??????\System Volume Information\FVE2.{aff97bac-a69b-45da-aba1-2cfbce434750}.*????? ??????????????????\System Volume Information\FVE2.{9ef82dfa-1239-4a30-83e6-3b3e9b8fed08}.*???????????????????l????\System Volume Information\FVE.{e40ad34d-dae9-4bc7-95bd-b16218c10f72}.*??????????????\???g??\System Volume Information\ Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xD5 0x35 0x96 0xD9 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xED 0x2B 0xB4 0x2F ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0xD5 0x35 0x96 0xD9 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xED 0x2B 0xB4 0x2F ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 38 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\IVM56060598382402320_18_07D8_C0^43D3D5B8B26BDE77CF852B1CED3957E8@Timestamp 0x68 0xE1 0x24 0xDA ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 776 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Users\Olga\AppData\Local\Temp\TeamViewer\update.exe??\??\C:\Users\Olga\AppData\Local\Temp\DEL7865.tmp??\??\C:\Users\Olga\AppData\Local\Temp\DEL7CCA.tmp??\??\C:\Users\Olga\AppData\Local\Temp\DEL7CDB.tmp??\??\C:\Users\Olga\AppData\Local\Temp\DEL7CDC.tmp??\??\C:\Users\Olga\AppData\Local\Temp\DEL7CDD.tmp??\??\C:\Users\Olga\AppData\Local\Temp\DEL7CDE.tmp??\??\C:\Users\Olga\AppData\Local\Temp\DEL7CDF.tmp??\??\C:\Users\Olga\AppData\Local\Temp\DEL7CE0.tmp??\??\C:\Users\Olga\AppData\Local\Temp\DEL7CE1.tmp??\??\C:\Users\Olga\AppData\Local\Temp\DEL7CE2.tmp??\??\C:\Users\Olga\AppData\Local\Temp\DEL7CE3.tmp??\??\C:\Users\Olga\AppData\Local\Temp\DEL7CE4.tmp??\??\C:\Users\Olga\AppData\Local\Temp\DEL7CE5.tmp??\??\C:\Users\Olga\AppData\Local\Temp\DEL62E0.tmp??\??\C:\Users\Olga\AppData\Local\Temp\DEL676E.tmp??\??\C:\Users\Olga\AppData\Local\Temp\DEL676F.tmp??\??\C:\Users\Olga\AppData\Local\Temp\DEL677F.tmp??\??\C:\Users\Olga\AppData\Local\Temp\DEL6780.tmp??\??\C:\Users\Olga\AppData\Local\Temp\DEL6781.tmp??\??\C:\Users\ Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -301148539 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@DeleteTempDirsOnExit 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID d316f533-ce28-438a-a2c9-aa04d3c Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName Global\MMF_BITS_s Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{e507c4e9-fd50-42e0-a67e-dc16b24413db}@LastProbeTime 1458847948 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{0562E773-E752-44DD-8F37-789E33029182}@DefunctTimestamp 0xBB 0x40 0xF4 0x56 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\monitor\Parameters\Wdf@TimeOfLastTelemetryLog 0xC1 0x15 0xC3 0x2E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 3418 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 155 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 37 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7362572f-4c8d-4f60-8607-8effe443b3a1}@LeaseObtainedTime 1458847947 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7362572f-4c8d-4f60-8607-8effe443b3a1}@T1 1459193547 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7362572f-4c8d-4f60-8607-8effe443b3a1}@T2 1459452747 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7362572f-4c8d-4f60-8607-8effe443b3a1}@LeaseTerminatesTime 1459539147 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeConfidence 6 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x21 0x66 0x6D 0xDF ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x21 0xCE 0x31 0x41 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x21 0xFE 0xA8 0x7D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0xBF 0x17 0x72 0x0A ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpdUpFltr\Parameters\Wdf@TimeOfLastTelemetryLog 0x77 0xD5 0x62 0x2F ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\62\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter 117 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband@FavoritesRemovedChanges 70 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\iexplore@Count 808 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsBandwidthBucketDrainTime 0x71 0x97 0xDB 0xAA ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0x87 0xF7 0xC2 0xB2 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0x87 0xF7 0xC2 0xB2 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherBandwidthBucketCounter 423 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherBandwidthBucketDrainTime 0x71 0x97 0xDB 0xAA ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherRequestBucketCounter 55 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0x87 0xF7 0xC2 0xB2 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter 55 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0x87 0xF7 0xC2 0xB2 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0x0F 0xEA 0x9E 0x43 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations 20 ---- EOF - GMER 2.2 ----