GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-25 14:10:24
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.GT00 698.64GB
Running: lcw423de.exe; Driver: C:\Users\Renatka\AppData\Local\Temp\ffldqfoc.sys


---- User code sections - GMER 2.2 ----

? C:\WINDOWS\SYSTEM32\iertutil.dll [4344] entry point in ".rdata" section 0000000072d71310
? C:\WINDOWS\SYSTEM32\NTASN1.dll [4344] entry point in ".rdata" section 000000007255a020
? C:\WINDOWS\SYSTEM32\dbgcore.DLL [4344] entry point in ".rdata" section 000000007252c940
? C:\Windows\System32\OneCoreUAPCommonProxyStub.dll [4344] entry point in ".rdata" section 0000000066fb7ec0
? C:\WINDOWS\system32\apphelp.dll [320] entry point in ".rdata" section 000000007249f7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [320] entry point in ".rdata" section 0000000072d71310
? C:\WINDOWS\SYSTEM32\NTASN1.dll [320] entry point in ".rdata" section 000000007255a020
? C:\WINDOWS\system32\ncryptsslp.dll [320] entry point in ".rdata" section 000000006fe804f0
? C:\WINDOWS\system32\wbem\wbemsvc.dll [320] entry point in ".rdata" section 000000006e4d8fc0
? C:\Windows\System32\srpapi.dll [320] entry point in ".rdata" section 0000000068bb6100
? C:\Windows\System32\OneCoreCommonProxyStub.dll [320] entry point in ".rdata" section 000000006834da90
? C:\WINDOWS\SYSTEM32\PhotoMetadataHandler.dll [320] entry point in ".rdata" section 0000000068305d20
? C:\Windows\System32\ieproxy.dll [320] entry point in ".rdata" section 00000000682b9520
.text C:\Program Files\CCleaner\CCleaner64.exe[4624] C:\WINDOWS\System32\win32u.dll!NtUserShowScrollBar 00007ffa45b61830 5 bytes JMP 00007ff9c5b80018
? C:\WINDOWS\SYSTEM32\iertutil.dll [6592] entry point in ".rdata" section 0000000072d71310
? C:\Windows\System32\OneCoreCommonProxyStub.dll [6592] entry point in ".rdata" section 000000006834da90
? C:\WINDOWS\SYSTEM32\NTASN1.dll [6592] entry point in ".rdata" section 000000007255a020
? C:\WINDOWS\system32\ncryptsslp.dll [6592] entry point in ".rdata" section 000000006fe804f0
? C:\WINDOWS\SYSTEM32\srpapi.dll [6592] entry point in ".rdata" section 0000000068bb6100
? C:\Windows\System32\ieproxy.dll [6592] entry point in ".rdata" section 00000000682b9520
? C:\Windows\System32\ActXPrxy.dll [6592] entry point in ".rdata" section 0000000068d59b80
? C:\WINDOWS\System32\apphelp.dll [6592] entry point in ".rdata" section 000000007249f7c0
? C:\WINDOWS\SYSTEM32\NTASN1.dll [4188] entry point in ".rdata" section 000000007255a020
? C:\WINDOWS\system32\apphelp.dll [6000] entry point in ".rdata" section 000000007249f7c0

---- User IAT/EAT - GMER 2.2 ----

IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [8b48ccfffc89e0e9]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetStartupInfoW] [480003038115ffcf]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!IsProcessorFeaturePresent] [29e990d7ff084b8d]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetModuleHandleW] [ffcf8b48ccfffc8a]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetCurrentProcess] [cb8b480003036b15]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!TerminateProcess] [fffc8a72e990d7ff]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!ExitProcess] [85058d4c10498b48]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!FreeLibrary] [53ba000654]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetModuleHandleExW] [fdc6e3e820247489]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetProcAddress] [48fffc8ab4e990ff]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!MultiByteToWideChar] [3b490008183a0d8b]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!WideCharToMultiByte] [74011c41f61f74ce]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetLastError] [58d4c10498b4819]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!HeapFree] [54ba00065454]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!SetLastError] [7de9900000c117e8]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!InitializeCriticalSectionAndSpinCount] [15ffcb8b48fffc8a]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!TlsAlloc] [84f8d48000302ec]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!TlsGetValue] [fffc8a89e990d3ff]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!TlsSetValue] [302d715ffcf8b48]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!TlsFree] [90d7ff084b8d4800]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!LoadLibraryExW] [8d48ccfffc8aefe9]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!LCMapStringW] [d8b48000817c305]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetUserDefaultLCID] [74c83b48000817bc]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!IsValidCodePage] [ba1574011c41f61b]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetACP] [9d058d4c0000000f]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetOEMCP] [e810498b48000656]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetCPInfo] [7000ebbfffdc604]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetEnvironmentStringsW] [8d48fffc8be8e980]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!FreeEnvironmentStringsW] [d8b480008178b05]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetProcessHeap] [fc83b4800081784]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!UnhandledExceptionFilter] [1c41f6fffc8bd184]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetFileType] [bafffc8bc7840f01]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetCommandLineA] [20245c8900000010]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetCommandLineW] [4800065659058d4c]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetStringTypeW] [4800081749058d48]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!SetStdHandle] [3b48000817420d8b]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!WriteFile] [74011c41f61b74c8]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!FlushFileBuffers] [8d4c0000000aba15]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetConsoleCP] [498b480006748b05]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetConsoleMode] [ebbfffdc58ae810]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!OutputDebugStringA] [fffc8c6ee9800700]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!CloseHandle] [4800081711058d48]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!SetFilePointerEx] [3b480008170a0d8b]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!WriteConsoleW] [f6fffc8c57840fc8]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!CreateFileW] [fc8c4d840f011c41]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!RtlUnwindEx] [5c890000000bbaff]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!RtlPcToFileHeader] [fffc8c2ee990fffd]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!RaiseException] [8c30e980004003b8]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!VirtualFree] [816c7058d48fffc]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!VirtualAlloc] [816c00d8b4800]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!VirtualQuery] [1c41f61b74c83b48]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetSystemInfo] [12ba157401]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetFileAttributesW] [4800067409058d4c]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!FindResourceW] [fffdc508e810498b]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!LoadResource] [8cd3e98007000ebf]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!LockResource] [e980004003b8fffc]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!SizeofResource] [66e9ff33fffc8cd5]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetUserGeoID] [167e358d48fffc8d]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetVersionExW] [816770d8b480008]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!VirtualProtect] [41f61b74ce3b4800]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetEnvironmentVariableW] [673c0058d4c00]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetSystemTime] [fdc4bfe810498b48]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!IsDebuggerPresent] [16460d8b48fffc8d]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!RtlVirtualUnwind] [81840fce3b480008]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!RtlLookupFunctionEntry] [f011c41f6fffc8d]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!RtlCaptureContext] [21bafffc8d7784]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [58d4c2024448900]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetCurrentThreadId] [10498b480006737c]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetCurrentProcessId] [4ae990fffdc4afe8]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!GetStdHandle] [16060d8b48fffc8d]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[KERNEL32.dll!QueryPerformanceCounter] [41840fce3b480008]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[ntdll.dll!RtlMultiByteToUnicodeN] [3d15ffce8b48ccff]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[ntdll.dll!RtlGetVersion] [1ba000300]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[ADVAPI32.dll!RegOpenKeyExW] [ad15ffcf8b48fffc]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[ADVAPI32.dll!RegQueryValueExW] [ff084b8d48000303]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[ADVAPI32.dll!RegCloseKey] [ccfffc8939e990d7]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[USER32.dll!GetSystemMetrics] [cb8b4808588b4807]
IAT C:\Program Files\Windows Defender\NisSrv.exe[5080] @ C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E0E32D59-7005-409B-A6F5-33BE02FDDEFA}\GapaEngine.dll[WINTRUST.dll!WinVerifyTrust] [d3ffcf8b48000000]

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [692:904] ffffa2bafcb36c20

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot@OfficeODC ?????????????????????????q?L?3?????????L???????????????????????????????????????????????????????????????L???????????????????????????L???????????L???L???L???????????????L???????L?????:?????????????????L??????????????????????????????????????????????????????????????????? ???L??? ???????????O???????S???????????????????????S??????? ??????? ???????S???T??? ??? ?????A???????????????????????????????????????????????????C?????????????????????????????T???????????????T???????????????T????%SystemRoot%\system32\LogFiles\WMI\RtBackup\*.*?????????????????????????????????????????????????????????????\System Volume Information\FVE2.{e40ad34d-dae9-4bc7-95bd-b16218c10f72}.*????????????????????\System Volume Information\FVE2.{c9ca54a3-6983-46b7-8684-a7e5e23499e3}??????????????????????\System Volume Information\FVE2.{24e6f0ae-6a00-4f73-984b-75ce9942852d}????????????????????e?????\System Volume Information\FVE2.{9ef82dfa-1239-4a30-83e6-3b3e9b8fed08}??????? ??????????????o???\System Volume Information\FVE2.{aff97bac-a69b-45da-aba1-2c
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1322942599
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\9cb70ddef72e
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 284
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x32 0xB0 0x17 0x78 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x32 0x18 0xDC 0xD9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x32 0x48 0x53 0x16 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...

---- EOF - GMER 2.2 ----