GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-05-14 00:24:11 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000037 HGST_HTS541010A9E680 rev.JA0OA560 931,51GB Running: 51ev8d2w.exe; Driver: C:\Users\Arni556\AppData\Local\Temp\uxldrpod.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2000] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffff325169a 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2000] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffff32516a2 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2000] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffff325181a 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe[2000] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffff3251832 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe[1280] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffff325169a 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe[1280] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffff32516a2 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe[1280] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffff325181a 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe[1280] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffff3251832 4 bytes [25, F3, FF, 7F] .text C:\Windows\system32\mfevtps.exe[2156] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffff325169a 4 bytes [25, F3, FF, 7F] .text C:\Windows\system32\mfevtps.exe[2156] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffff32516a2 4 bytes [25, F3, FF, 7F] .text C:\Windows\system32\mfevtps.exe[2156] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffff325181a 4 bytes [25, F3, FF, 7F] .text C:\Windows\system32\mfevtps.exe[2156] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffff3251832 4 bytes [25, F3, FF, 7F] .text C:\Windows\system32\mfevtps.exe[2164] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffff325169a 4 bytes [25, F3, FF, 7F] .text C:\Windows\system32\mfevtps.exe[2164] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffff32516a2 4 bytes [25, F3, FF, 7F] .text C:\Windows\system32\mfevtps.exe[2164] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffff325181a 4 bytes [25, F3, FF, 7F] .text C:\Windows\system32\mfevtps.exe[2164] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffff3251832 4 bytes [25, F3, FF, 7F] .text C:\Program Files\McAfee\MSC\McAPExe.exe[3172] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffff325169a 4 bytes [25, F3, FF, 7F] .text C:\Program Files\McAfee\MSC\McAPExe.exe[3172] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffff32516a2 4 bytes [25, F3, FF, 7F] .text C:\Program Files\McAfee\MSC\McAPExe.exe[3172] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffff325181a 4 bytes [25, F3, FF, 7F] .text C:\Program Files\McAfee\MSC\McAPExe.exe[3172] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffff3251832 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[5156] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffff325169a 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[5156] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffff32516a2 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[5156] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffff325181a 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[5156] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffff3251832 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\McAfee\CSP\1.9.656.0\McCSPServiceHost.exe[6396] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffff325169a 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\McAfee\CSP\1.9.656.0\McCSPServiceHost.exe[6396] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffff32516a2 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\McAfee\CSP\1.9.656.0\McCSPServiceHost.exe[6396] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffff325181a 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\McAfee\CSP\1.9.656.0\McCSPServiceHost.exe[6396] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffff3251832 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe[7984] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffff325169a 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe[7984] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffff32516a2 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe[7984] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffff325181a 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe[7984] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffff3251832 4 bytes [25, F3, FF, 7F] .text C:\Program Files\mcafee\VirusScan\mcods.exe[3836] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffff325169a 4 bytes [25, F3, FF, 7F] .text C:\Program Files\mcafee\VirusScan\mcods.exe[3836] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffff32516a2 4 bytes [25, F3, FF, 7F] .text C:\Program Files\mcafee\VirusScan\mcods.exe[3836] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffff325181a 4 bytes [25, F3, FF, 7F] .text C:\Program Files\mcafee\VirusScan\mcods.exe[3836] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffff3251832 4 bytes [25, F3, FF, 7F] .text C:\Windows\system32\nvvsvc.exe[7580] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffff325169a 4 bytes [25, F3, FF, 7F] .text C:\Windows\system32\nvvsvc.exe[7580] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffff32516a2 4 bytes [25, F3, FF, 7F] .text C:\Windows\system32\nvvsvc.exe[7580] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffff325181a 4 bytes [25, F3, FF, 7F] .text C:\Windows\system32\nvvsvc.exe[7580] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffff3251832 4 bytes [25, F3, FF, 7F] .text C:\PROGRA~1\COMMON~1\McAfee\Platform\mcuicnt.exe[5320] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffff325169a 4 bytes [25, F3, FF, 7F] .text C:\PROGRA~1\COMMON~1\McAfee\Platform\mcuicnt.exe[5320] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffff32516a2 4 bytes [25, F3, FF, 7F] .text C:\PROGRA~1\COMMON~1\McAfee\Platform\mcuicnt.exe[5320] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffff325181a 4 bytes [25, F3, FF, 7F] .text C:\PROGRA~1\COMMON~1\McAfee\Platform\mcuicnt.exe[5320] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffff3251832 4 bytes [25, F3, FF, 7F] .text C:\Program Files\CCleaner\CCleaner64.exe[6796] C:\Windows\system32\USER32.dll!ShowScrollBar 00007ffff4e71130 5 bytes JMP 00007fff74ee0018 .text C:\Program Files\CCleaner\CCleaner64.exe[6796] C:\Windows\system32\USER32.dll!SetScrollInfo 00007ffff4e7a6cc 5 bytes JMP 00007fff74e90018 .text C:\Program Files\CCleaner\CCleaner64.exe[6796] C:\Windows\system32\USER32.dll!GetScrollInfo 00007ffff4e82dfc 5 bytes JMP 00007fff74ea0018 .text C:\Program Files\CCleaner\CCleaner64.exe[6796] C:\Windows\system32\USER32.dll!SetScrollRange 00007ffff4e92954 5 bytes JMP 00007fff74eb0018 .text C:\Program Files\CCleaner\CCleaner64.exe[6796] C:\Windows\system32\USER32.dll!GetScrollPos 00007ffff4eaa8f0 5 bytes JMP 00007fff74ed0018 .text C:\Program Files\CCleaner\CCleaner64.exe[6796] C:\Windows\system32\USER32.dll!EnableScrollBar 00007ffff4eaab60 5 bytes JMP 00007fff74ec0018 .text C:\Program Files\CCleaner\CCleaner64.exe[6796] C:\Windows\system32\USER32.dll!SetScrollPos 00007ffff4eab2c4 5 bytes JMP 00007fff74f20018 .text C:\Program Files\CCleaner\CCleaner64.exe[6796] C:\Windows\system32\USER32.dll!GetScrollRange 00007ffff4ef9f84 5 bytes JMP 00007fff74f10018 .text C:\Program Files\Common Files\McAfee\Platform\Core\mchost.exe[7468] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffff325169a 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\McAfee\Platform\Core\mchost.exe[7468] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffff32516a2 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\McAfee\Platform\Core\mchost.exe[7468] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffff325181a 4 bytes [25, F3, FF, 7F] .text C:\Program Files\Common Files\McAfee\Platform\Core\mchost.exe[7468] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffff3251832 4 bytes [25, F3, FF, 7F] ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\csrss.exe [9128:8988] fffff9600089a2d0 ---- Processes - GMER 2.2 ---- Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso30win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [6464] 000000006e870000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso40uiwin32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [6464] 000000006e250000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso98win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [6464] 000000006ecf0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso99Lwin32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [6464] 0000000069330000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [6464] 0000000068530000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\ACEOLEDB.DLL (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE [6464] 0000000062800000 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 980419833 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\28c2dd1b2b36 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\28c2dd1b2b36@20d3908c1ff4 0x3B 0x4D 0x16 0xAA ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-17-10-87-fc-cc@ClientLocalPort 53957 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-17-10-87-fc-cc@AddressCreationTimestamp 0x09 0xB1 0x46 0x0D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-17-10-87-fc-cc@TeredoAddress 2001:0:9d38:6abd:3c30:2d3a:a296:8d6c Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 3283 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 787 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter 93 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0xB7 0x74 0x90 0x96 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0xB7 0x74 0x90 0x96 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0xB7 0x74 0x90 0x96 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter 81 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0xB7 0x74 0x90 0x96 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0x15 0x74 0x63 0x49 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations 2 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----