GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-14 14:24:38 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000036 WDC_WD10JPVX-60JC3T0 rev.01.01A01 931,51GB Running: i08kuqwv.exe; Driver: C:\Users\Andrzej\AppData\Local\Temp\uwtyapow.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\system32\apphelp.dll [6376] entry point in ".rdata" section 0000000073b9f7c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [6376] entry point in ".rdata" section 00000000733d00e0 ? C:\WINDOWS\system32\apphelp.dll [11796] entry point in ".rdata" section 0000000073b9f7c0 ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files\Windows Sidebar\sidebar.exe[6476] @ C:\Program Files\Windows Sidebar\sidebar.exe[USER32.dll!TrackPopupMenu] [7ffb3dbcbb60] C:\Program Files\Windows Sidebar\dwmapi.dll IAT C:\Program Files\Windows Sidebar\sidebar.exe[6476] @ C:\Program Files\Windows Sidebar\sidebar.exe[dwmapi.dll!DwmUpdateThumbnailProperties] [7ffb3dbc4360] C:\Program Files\Windows Sidebar\dwmapi.dll IAT C:\Program Files\Windows Sidebar\sidebar.exe[6476] @ C:\Program Files\Windows Sidebar\sidebar.exe[dwmapi.dll!DwmSetWindowAttribute] [7ffb3dbc42d0] C:\Program Files\Windows Sidebar\dwmapi.dll ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\svchost.exe [952:576] 00007ffb58bdfaa0 Thread C:\WINDOWS\system32\svchost.exe [952:604] 00007ffb58bdee70 Thread C:\WINDOWS\system32\svchost.exe [952:720] 00007ffb589089f0 Thread C:\WINDOWS\system32\svchost.exe [912:1576] 00007ffb56874310 Thread C:\WINDOWS\system32\svchost.exe [912:2188] 00007ffb51fd5b60 Thread C:\WINDOWS\system32\svchost.exe [912:2600] 00007ffb4d312af0 Thread C:\WINDOWS\system32\svchost.exe [912:2604] 00007ffb4d312a40 Thread C:\WINDOWS\system32\svchost.exe [912:4044] 00007ffb4d30fdf0 Thread C:\WINDOWS\system32\svchost.exe [912:4984] 00007ffb4d305c80 Thread C:\WINDOWS\system32\svchost.exe [912:6820] 00007ffb51d7c820 Thread C:\WINDOWS\system32\svchost.exe [912:7460] 00007ffb51d7c820 Thread C:\WINDOWS\system32\svchost.exe [912:6160] 00007ffb51d7c820 Thread C:\WINDOWS\system32\svchost.exe [912:9868] 00007ffb4c0d64e0 Thread C:\WINDOWS\system32\svchost.exe [252:8900] 00007ffb3711b030 Thread C:\WINDOWS\system32\svchost.exe [1048:1288] 00007ffb573e4250 Thread C:\WINDOWS\system32\svchost.exe [1048:1304] 00007ffb573ebcd0 Thread C:\WINDOWS\system32\svchost.exe [1048:1308] 00007ffb573ebcd0 Thread C:\WINDOWS\system32\svchost.exe [1048:1312] 00007ffb573ebcd0 Thread C:\WINDOWS\system32\svchost.exe [1048:1316] 00007ffb56ffa770 Thread C:\WINDOWS\system32\svchost.exe [1048:4876] 00007ffb506d9620 Thread C:\WINDOWS\system32\svchost.exe [1048:6548] 00007ffb506d2680 Thread C:\WINDOWS\system32\svchost.exe [1048:5028] 00007ffb49af1670 Thread C:\WINDOWS\system32\svchost.exe [1048:8904] 00007ffb4a745bc0 Thread C:\Windows\System32\WUDFHost.exe [1180:2120] 00007ffb52b76f30 Thread C:\Windows\System32\WUDFHost.exe [1180:2132] 00007ffb529bed10 Thread C:\Windows\System32\WUDFHost.exe [1180:2140] 00007ffb52833b60 Thread C:\WINDOWS\System32\svchost.exe [1328:1712] 00007ffb550ec030 Thread C:\WINDOWS\System32\svchost.exe [1328:1740] 00007ffb550e7000 Thread C:\WINDOWS\System32\svchost.exe [1328:1744] 00007ffb550e8370 Thread C:\WINDOWS\System32\svchost.exe [1328:1748] 00007ffb550ead30 Thread C:\WINDOWS\System32\svchost.exe [1328:2300] 00007ffb4fef87e0 Thread C:\WINDOWS\System32\svchost.exe [1328:3804] 00007ffb32ed6800 Thread C:\WINDOWS\System32\svchost.exe [1328:3784] 00007ffb32ed6800 Thread C:\WINDOWS\System32\svchost.exe [1328:3764] 00007ffb32ed6800 Thread C:\WINDOWS\System32\svchost.exe [1328:3756] 00007ffb32ed6800 Thread C:\WINDOWS\System32\svchost.exe [1328:8008] 00007ffb3157c3a0 Thread C:\WINDOWS\System32\svchost.exe [1328:7416] 00007ffb51711470 Thread C:\WINDOWS\System32\svchost.exe [1328:1208] 00007ffb506a2f80 Thread C:\WINDOWS\System32\svchost.exe [1328:8004] 00007ffb50031a10 Thread C:\WINDOWS\System32\svchost.exe [1328:7968] 00007ffb51d7c820 Thread C:\WINDOWS\System32\svchost.exe [1328:6724] 00007ffb51d7c820 Thread C:\WINDOWS\System32\svchost.exe [1328:5404] 00007ffb550ec830 Thread C:\WINDOWS\System32\svchost.exe [1328:6460] 00007ffb550e7d50 Thread C:\WINDOWS\System32\svchost.exe [1328:9952] 00007ffb4f0d2400 Thread C:\WINDOWS\system32\svchost.exe [1424:1948] 00007ffb543b3270 Thread C:\WINDOWS\system32\svchost.exe [1424:1964] 00007ffb53d61040 Thread C:\WINDOWS\system32\svchost.exe [1424:1968] 00007ffb542a48e0 Thread C:\WINDOWS\system32\svchost.exe [1424:1972] 00007ffb542a48e0 Thread C:\WINDOWS\system32\svchost.exe [1424:1992] 00007ffb53c61930 Thread C:\WINDOWS\system32\svchost.exe [1424:1648] 00007ffb53de50c0 Thread C:\WINDOWS\system32\svchost.exe [1424:2884] 00007ffb4b361a50 Thread C:\WINDOWS\system32\svchost.exe [1424:3124] 00007ffb4b4c39b0 Thread C:\WINDOWS\system32\svchost.exe [1424:5936] 00007ffb56da30f0 Thread C:\WINDOWS\system32\svchost.exe [1424:8176] 00007ffb32d60ed0 Thread C:\WINDOWS\system32\svchost.exe [1424:8180] 00007ffb32d4cb00 Thread C:\WINDOWS\system32\svchost.exe [1424:6096] 00007ffb315b32d0 Thread C:\WINDOWS\system32\svchost.exe [1424:6728] 00007ffb32e26380 Thread C:\WINDOWS\system32\svchost.exe [1424:6388] 00007ffb315278e0 Thread C:\WINDOWS\system32\svchost.exe [1424:6204] 00007ffb32e5c8c0 Thread C:\WINDOWS\system32\svchost.exe [1424:4272] 00007ffb32e60bf0 Thread C:\WINDOWS\system32\svchost.exe [1704:3180] 00007ffb4a2c5bc0 Thread C:\WINDOWS\system32\svchost.exe [1704:3188] 00007ffb4a2c9b10 Thread C:\WINDOWS\system32\svchost.exe [1832:2708] 00007ffb535544b0 Thread C:\WINDOWS\system32\svchost.exe [1832:3160] 00007ffb595c6750 Thread C:\WINDOWS\System32\spoolsv.exe [2028:5040] 00007ffb405889fc Thread C:\WINDOWS\System32\spoolsv.exe [2028:5068] 00007ffb4a745bc0 Thread C:\WINDOWS\System32\spoolsv.exe [2028:5072] 00007ffb4a722740 Thread C:\WINDOWS\System32\spoolsv.exe [2028:5096] 00007ffb44201180 Thread C:\WINDOWS\System32\spoolsv.exe [2028:5100] 00007ffb40648e40 Thread C:\WINDOWS\System32\spoolsv.exe [2028:4796] 00007ffb3c7ab128 Thread C:\WINDOWS\System32\spoolsv.exe [2028:4792] 00007ffb3c7ab128 Thread C:\WINDOWS\System32\spoolsv.exe [2028:4824] 00007ffb3c7ab128 Thread C:\WINDOWS\System32\spoolsv.exe [2028:4828] 00007ffb3c7ab128 Thread C:\WINDOWS\system32\svchost.exe [1268:2632] 00007ffb4d2baf40 Thread C:\WINDOWS\system32\svchost.exe [1268:2636] 00007ffb4d2bca00 Thread C:\WINDOWS\system32\svchost.exe [1268:2772] 00007ffb4b391240 Thread C:\WINDOWS\system32\svchost.exe [1268:2896] 00007ffb4b46a3b0 Thread C:\WINDOWS\system32\svchost.exe [1268:2816] 00007ffb4a9d25e0 Thread C:\WINDOWS\system32\svchost.exe [1268:584] 00007ffb4f6c3bc0 Thread C:\WINDOWS\system32\svchost.exe [1268:4320] 00007ffb4f6c2080 Thread C:\WINDOWS\system32\svchost.exe [2824:2976] 00007ffb4aa258c0 Thread C:\WINDOWS\system32\svchost.exe [2824:2992] 00007ffb4aa258c0 Thread C:\WINDOWS\system32\svchost.exe [3244:3316] 00007ffb4999b180 Thread C:\WINDOWS\system32\svchost.exe [3244:3320] 00007ffb4999f5f0 Thread C:\WINDOWS\system32\svchost.exe [3244:3680] 00007ffb4a745bc0 Thread C:\WINDOWS\system32\svchost.exe [3244:3684] 00007ffb4a757d70 Thread C:\WINDOWS\system32\svchost.exe [3244:10880] 00007ffb499b6130 Thread C:\WINDOWS\system32\taskhostw.exe [4136:4296] 00007ffb482e1ba0 Thread C:\WINDOWS\system32\taskhostw.exe [4136:4304] 00007ffb4f261160 Thread C:\WINDOWS\system32\taskhostw.exe [4136:4352] 00007ffb4f261a20 Thread C:\WINDOWS\system32\taskhostw.exe [4136:4356] 00007ffb5d5eb560 Thread C:\WINDOWS\system32\taskhostw.exe [4136:4636] 00007ffb4397a3b0 Thread C:\WINDOWS\system32\taskhostw.exe [4136:4656] 00007ffb586b30f0 Thread C:\WINDOWS\system32\taskhostw.exe [4136:4660] 00007ffb421e7930 Thread C:\WINDOWS\system32\taskhostw.exe [4136:4664] 00007ffb421e7930 Thread C:\WINDOWS\system32\taskhostw.exe [4136:4668] 00007ffb421e7930 Thread C:\WINDOWS\system32\taskhostw.exe [4136:5092] 00007ffb51d7c820 Thread C:\WINDOWS\system32\taskhostw.exe [4136:5108] 00007ffb51d7c820 Thread C:\WINDOWS\Explorer.EXE [4548:1152] 00007ffb59acfaa0 Thread C:\WINDOWS\Explorer.EXE [4548:6216] 00007ffb37f5bb70 Thread C:\WINDOWS\Explorer.EXE [4548:6588] 00007ffb3dbcc130 Thread C:\WINDOWS\Explorer.EXE [4548:3888] 00007ffb347f36f0 Thread C:\WINDOWS\Explorer.EXE [4548:10076] 00007ffb348020e0 Thread C:\Windows\System32\RuntimeBroker.exe [844:6008] 00007ffb3df01ba0 Thread C:\Windows\System32\RuntimeBroker.exe [844:6020] 00007ffb5a9aa1e0 Thread C:\Windows\System32\RuntimeBroker.exe [844:9224] 00007ffb5a9aa1e0 Thread C:\Windows\System32\RuntimeBroker.exe [844:9656] 00007ffb464f0040 Thread C:\Windows\System32\RuntimeBroker.exe [844:1532] 00007ffb5a9aa1e0 Thread C:\Windows\System32\RuntimeBroker.exe [844:5396] 00007ffb464f0040 Thread C:\Program Files\Windows Sidebar\sidebar.exe [6476:6840] 00007ffb3d2a0ad0 Thread C:\Program Files\Windows Sidebar\sidebar.exe [6476:6844] 00007ffb3d2a0ad0 Thread C:\Program Files\Windows Sidebar\sidebar.exe [6476:6848] 00007ffb3d2a0ad0 Thread C:\Program Files\Windows Sidebar\sidebar.exe [6476:6852] 00007ffb3d2a0ad0 Thread C:\Program Files\Windows Sidebar\sidebar.exe [6476:6856] 00007ffb3d2a0ad0 Thread C:\Program Files\Windows Sidebar\sidebar.exe [6476:6860] 00007ffb3d2a0ad0 Thread C:\Program Files\Windows Sidebar\sidebar.exe [6476:6864] 00007ffb3d2a0ad0 Thread C:\Program Files\Windows Sidebar\sidebar.exe [6476:6868] 00007ffb3d2a0ad0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1152183879 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\184f322a5566 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\184f322a5566@083d885a0e9f 0xD0 0xA9 0xCB 0x18 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x8E 0xCC 0x8D 0xEA ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x8E 0x34 0x52 0x4C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x8E 0x64 0xC9 0x88 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\Pnp\CurrentControlSet\Control\DeviceMigration\Devices\SWD\DAFUPNPPROVIDER\UUID:4D454930-0100-1000-8001-20C6EBB71FE5\Interfaces\{d0875fb4-2196-4c7a-a63d-e416addd60a1}\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000E@ 0x64 0x62 0x02 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\Pnp\CurrentControlSet\Control\DeviceMigration\Devices\SWD\DAFUPNPPROVIDER\UUID:4D454930-0100-1000-8001-20C6EBB71FE5\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000E@ 0x64 0x62 0x02 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds E7CF176E110C211B? Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@E7CF176E110C211B 0x66 0xFB 0x1F 0x99 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{B8E76AF0-CC52-48ED-8845-09BA8C52B592}@LastAccessedTime 0xC0 0xF5 0xFD 0x01 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{B8E76AF0-CC52-48ED-8845-09BA8C52B592}@LaunchCount 4 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----