GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-06-09 15:29:32
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002e WDC_WD10JPVX-22JC3T0 rev.01.01A01 931,51GB
Running: 8i8qowpe.exe; Driver: C:\Users\Marek\AppData\Local\Temp\ugldypow.sys

---- User code sections - GMER 2.2 ----

.text C:\Program Files\Soluto\SolutoService.exe[1672] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 506 00007ff9d9af169a 4 bytes [AF, D9, F9, 7F]
.text C:\Program Files\Soluto\SolutoService.exe[1672] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 514 00007ff9d9af16a2 4 bytes [AF, D9, F9, 7F]
.text C:\Program Files\Soluto\SolutoService.exe[1672] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 118 00007ff9d9af181a 4 bytes [AF, D9, F9, 7F]
.text C:\Program Files\Soluto\SolutoService.exe[1672] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 142 00007ff9d9af1832 4 bytes [AF, D9, F9, 7F]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1832] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 506 00007ff9d9af169a 4 bytes [AF, D9, F9, 7F]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1832] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 514 00007ff9d9af16a2 4 bytes [AF, D9, F9, 7F]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1832] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 118 00007ff9d9af181a 4 bytes [AF, D9, F9, 7F]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1832] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 142 00007ff9d9af1832 4 bytes [AF, D9, F9, 7F]
.text c:\program files\soluto\soluto.exe[3044] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 506 00007ff9d9af169a 4 bytes [AF, D9, F9, 7F]
.text c:\program files\soluto\soluto.exe[3044] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 514 00007ff9d9af16a2 4 bytes [AF, D9, F9, 7F]
.text c:\program files\soluto\soluto.exe[3044] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 118 00007ff9d9af181a 4 bytes [AF, D9, F9, 7F]
.text c:\program files\soluto\soluto.exe[3044] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 142 00007ff9d9af1832 4 bytes [AF, D9, F9, 7F]
.text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[3268] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ff9ba2f1f6a 4 bytes [2F, BA, F9, 7F]
.text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[3268] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ff9ba2f1f82 4 bytes [2F, BA, F9, 7F]
.text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[2664] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 506 00007ff9d9af169a 4 bytes [AF, D9, F9, 7F]
.text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[2664] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 514 00007ff9d9af16a2 4 bytes [AF, D9, F9, 7F]
.text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[2664] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 118 00007ff9d9af181a 4 bytes [AF, D9, F9, 7F]
.text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[2664] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 142 00007ff9d9af1832 4 bytes [AF, D9, F9, 7F]
.text C:\Program Files\CCleaner\CCleaner64.exe[4428] C:\WINDOWS\system32\USER32.dll!ShowScrollBar 00007ff9d9391130 5 bytes JMP 00007ff959400018
.text C:\Program Files\CCleaner\CCleaner64.exe[4428] C:\WINDOWS\system32\USER32.dll!SetScrollInfo 00007ff9d939a6cc 5 bytes JMP 00007ff9593b0018
.text C:\Program Files\CCleaner\CCleaner64.exe[4428] C:\WINDOWS\system32\USER32.dll!GetScrollInfo 00007ff9d93a2dec 5 bytes JMP 00007ff9593c0018
.text C:\Program Files\CCleaner\CCleaner64.exe[4428] C:\WINDOWS\system32\USER32.dll!SetScrollRange 00007ff9d93b2964 5 bytes JMP 00007ff9593d0018
.text C:\Program Files\CCleaner\CCleaner64.exe[4428] C:\WINDOWS\system32\USER32.dll!GetScrollPos 00007ff9d93ca8c4 5 bytes JMP 00007ff9593f0018
.text C:\Program Files\CCleaner\CCleaner64.exe[4428] C:\WINDOWS\system32\USER32.dll!EnableScrollBar 00007ff9d93cab28 5 bytes JMP 00007ff9593e0018
.text C:\Program Files\CCleaner\CCleaner64.exe[4428] C:\WINDOWS\system32\USER32.dll!SetScrollPos 00007ff9d93cb2a0 5 bytes JMP 00007ff959440018
.text C:\Program Files\CCleaner\CCleaner64.exe[4428] C:\WINDOWS\system32\USER32.dll!GetScrollRange 00007ff9d9419f30 5 bytes JMP 00007ff959430018
.text C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[3460] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff9d9af169a 4 bytes [AF, D9, F9, 7F]
.text C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[3460] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff9d9af16a2 4 bytes [AF, D9, F9, 7F]
.text C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[3460] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff9d9af181a 4 bytes [AF, D9, F9, 7F]
.text C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[3460] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff9d9af1832 4 bytes [AF, D9, F9, 7F]

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [596:604] fffff96000979b90

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control@SystemStartOptions NOEXECUTE=OPTIN NOVGA SAFEBOOT:NETWORK BOOTLOG NOGUIBOOT BOOTLOGO
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x1A 0x9A 0x00 0x01 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0xDB 0x5E 0x05 0x01 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x1E 0x3D 0x40 0x1F ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x56 0x57 0xA5 0x1E ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@en-US 31
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD04300_00_07DD_EA^E75FB64C9936A079130011C6227F6613@Timestamp 0xB3 0x4E 0x96 0x01 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 576
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{7BC7BFAD-174E-4B32-AEEE-4810C6B9C294}\Connection@Name Reusable ISATAP Interface {7BC7BFAD-174E-4B32-AEEE-4810C6B9C294}
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment@SAFEBOOT_OPTION NETWORK
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 3900014
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -418798554
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 36
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 475749128
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 1873
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 1870
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 48b9b3af-530f-4bb6-b6a0-de67861
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog@FileCounter 3
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger@FileCounter 6
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\28e3476b9a87
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\b8ee65e1a1c5
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{2f69a0e1-8db9-499d-8391-a7aafd1507fb}@LastProbeTime 1465481586
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{7BC7BFAD-174E-4B32-AEEE-4810C6B9C294}@InterfaceName Reusable ISATAP Interface {7BC7BFAD-174E-4B32-AEEE-4810C6B9C294}
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{7BC7BFAD-174E-4B32-AEEE-4810C6B9C294}@ReusableType 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?Cz?, ?cze ?09 ?16, 01:59:11???????????????????????????????????
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 1141
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 551
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 31
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DE206719-A197-41A1-BA98-DFD12485DD7A}@LeaseObtainedTime 1465476185
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DE206719-A197-41A1-BA98-DFD12485DD7A}@T1 1465477985
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DE206719-A197-41A1-BA98-DFD12485DD7A}@T2 1465479335
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DE206719-A197-41A1-BA98-DFD12485DD7A}@LeaseTerminatesTime 1465479785
Reg HKLM\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters\Interfaces\{DE206719-A197-41A1-BA98-DFD12485DD7A}@Dhcpv6State 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 7606
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 7607
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 7440 7446 7456 7466 7486 7530 7540 7578 7584 7600
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8856F961-340A-11D0-A96B-00C04FD705A2}\iexplore@Count 9
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore@Count 41
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore@Count 5
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore@Blocked 5
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell\Grid@Logo100 %USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer\TileCacheLogo-519960609_100.dat
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter 4239
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0x8B 0xF2 0x1F 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0x8B 0xF2 0x1F 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherBandwidthBucketCounter 194682
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherRequestBucketCounter 24208
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0x8B 0xF2 0x1F 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter 1027987
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter 61154
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0x8B 0xF2 0x1F 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@RoamingSyncToken LM%3d63601071064447%3bID%3dC109F28B470037B!837%3bLR%3d63601071064667%3bEP%3d5%3bSI%3d21%3bTD%3dTrue%3bSO%3d0%3bPI%3d49
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime 0x89 0x91 0xFE 0xFF ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0x59 0x37 0x3A 0x08 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations 16

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----