GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-12-02 08:30:31 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SanDisk_ rev.Z220 223,57GB Running: gheejks9.exe; Driver: C:\Users\TC\AppData\Local\Temp\uxtoipob.sys ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\svchost.exe [528:1068] 00007ff89526f950 Thread C:\WINDOWS\system32\svchost.exe [528:1072] 00007ff89526ed20 Thread C:\WINDOWS\system32\svchost.exe [528:1084] 00007ff895068ae0 Thread C:\WINDOWS\system32\svchost.exe [1160:3064] 00007ff889601a50 Thread C:\WINDOWS\system32\svchost.exe [1160:3724] 00007ff888fa41f0 Thread C:\WINDOWS\system32\svchost.exe [1160:5084] 00007ff87f961040 Thread C:\WINDOWS\system32\svchost.exe [1160:5096] 00007ff887b648e0 Thread C:\WINDOWS\system32\svchost.exe [1160:5100] 00007ff887b648e0 Thread C:\WINDOWS\system32\svchost.exe [1160:7120] 00007ff8642e0ed0 Thread C:\WINDOWS\system32\svchost.exe [1160:6628] 00007ff8642ccb00 Thread C:\WINDOWS\system32\svchost.exe [1160:1132] 00007ff863fe32d0 Thread C:\WINDOWS\system32\svchost.exe [1160:4268] 00007ff864046380 Thread C:\WINDOWS\system32\svchost.exe [1160:9692] 00007ff863f578e0 Thread C:\WINDOWS\system32\svchost.exe [1160:7792] 00007ff86407c8c0 Thread C:\WINDOWS\system32\svchost.exe [1160:7796] 00007ff864080bf0 Thread C:\WINDOWS\system32\svchost.exe [1160:10348] 00007ff8914130f0 Thread C:\WINDOWS\system32\svchost.exe [1160:9764] 00007ff888fa41f0 Thread C:\WINDOWS\system32\svchost.exe [1160:2324] 00007ff886b67ac0 Thread C:\WINDOWS\system32\svchost.exe [1160:11152] 00007ff886b67ac0 Thread C:\WINDOWS\system32\svchost.exe [1160:4320] 00007ff870d8e990 Thread C:\WINDOWS\system32\svchost.exe [1160:7548] 00007ff870d8e990 Thread C:\WINDOWS\system32\svchost.exe [1160:13300] 00007ff870d8e990 Thread C:\WINDOWS\system32\svchost.exe [1160:13436] 00007ff870db4560 Thread C:\WINDOWS\system32\svchost.exe [1160:4288] 00007ff870d8e990 Thread C:\WINDOWS\system32\svchost.exe [1160:12104] 00007ff870db4560 Thread C:\WINDOWS\system32\svchost.exe [1160:14416] 00007ff886b67ac0 Thread C:\WINDOWS\system32\svchost.exe [1160:13544] 00007ff8888550a0 Thread C:\WINDOWS\system32\svchost.exe [1160:7200] 00007ff886b67ac0 Thread C:\WINDOWS\System32\svchost.exe [1212:1972] 00007ff88fd24e70 Thread C:\WINDOWS\System32\svchost.exe [1212:1996] 00007ff88fcf9400 Thread C:\WINDOWS\System32\svchost.exe [1212:2000] 00007ff88fd42f90 Thread C:\WINDOWS\System32\svchost.exe [1212:1304] 00007ff88f5f4310 Thread C:\WINDOWS\System32\svchost.exe [1212:2708] 00007ff88fb92e00 Thread C:\WINDOWS\System32\svchost.exe [1212:3536] 00007ff888942af0 Thread C:\WINDOWS\System32\svchost.exe [1212:3540] 00007ff888942a40 Thread C:\WINDOWS\System32\svchost.exe [1212:5888] 00007ff888935c80 Thread C:\WINDOWS\System32\svchost.exe [1212:7980] 00007ff88a585b60 Thread C:\WINDOWS\System32\svchost.exe [1212:7072] 00007ff88663dbe0 Thread C:\WINDOWS\System32\svchost.exe [1212:3196] 00007ff88663dbe0 Thread C:\WINDOWS\System32\svchost.exe [1212:5204] 00007ff88663dbe0 Thread C:\WINDOWS\System32\svchost.exe [1212:5580] 00007ff88c8da5e0 Thread C:\WINDOWS\System32\svchost.exe [1212:852] 00007ff89134aee0 Thread C:\WINDOWS\System32\svchost.exe [1212:9556] 00007ff88893fdf0 Thread C:\WINDOWS\System32\svchost.exe [1212:13644] 00007ff8887651d0 Thread C:\WINDOWS\System32\svchost.exe [1212:5956] 00007ff8887672d0 Thread C:\WINDOWS\system32\svchost.exe [1252:1472] 00007ff893d54260 Thread C:\WINDOWS\system32\svchost.exe [1252:1584] 00007ff8930aa770 Thread C:\WINDOWS\system32\svchost.exe [1252:4984] 00007ff89018a880 Thread C:\WINDOWS\system32\svchost.exe [1252:4900] 00007ff8901838e0 Thread C:\WINDOWS\system32\svchost.exe [1252:15116] 00007ff893d5bce0 Thread C:\WINDOWS\system32\svchost.exe [1252:3360] 00007ff893d5bce0 Thread C:\WINDOWS\system32\svchost.exe [1252:11472] 00007ff893d5bce0 Thread C:\WINDOWS\system32\svchost.exe [1252:1156] 00007ff87f838a80 Thread C:\WINDOWS\system32\svchost.exe [1252:9928] 00007ff88c8da5e0 Thread C:\WINDOWS\system32\svchost.exe [1252:10968] 00007ff87f819040 Thread C:\WINDOWS\system32\svchost.exe [1252:3392] 00007ff88b5199e0 Thread C:\WINDOWS\system32\svchost.exe [1252:8896] 00007ff891312cf0 Thread C:\WINDOWS\system32\svchost.exe [1252:11768] 00007ff87ecb1670 Thread C:\WINDOWS\system32\svchost.exe [1252:8156] 00007ff8889e5bc0 Thread C:\WINDOWS\system32\svchost.exe [1340:3432] 00007ff88901af40 Thread C:\WINDOWS\system32\svchost.exe [1340:3516] 00007ff88901ca00 Thread C:\WINDOWS\system32\svchost.exe [1340:4516] 00007ff8810e1240 Thread C:\WINDOWS\system32\svchost.exe [1340:4520] 00007ff88571a3b0 Thread C:\WINDOWS\system32\svchost.exe [1340:4536] 00007ff8806025e0 Thread C:\WINDOWS\system32\svchost.exe [1340:5600] 00007ff87d843bc0 Thread C:\WINDOWS\system32\svchost.exe [1340:9628] 00007ff87d842080 Thread C:\Windows\System32\WUDFHost.exe [1416:1604] 00007ff89371bfac Thread C:\WINDOWS\system32\svchost.exe [1480:2588] 00007ff88b5199e0 Thread C:\WINDOWS\system32\svchost.exe [1480:2592] 00007ff891312cf0 Thread C:\WINDOWS\system32\svchost.exe [1480:80] 00007ff88f37fc10 Thread C:\WINDOWS\system32\svchost.exe [1480:14872] 00007ff890e22a20 Thread C:\WINDOWS\system32\svchost.exe [1480:4316] 00007ff890e22610 Thread C:\WINDOWS\System32\svchost.exe [1632:576] 00007ff87f732f80 Thread C:\WINDOWS\System32\svchost.exe [1632:600] 00007ff87f721a10 Thread C:\WINDOWS\system32\svchost.exe [1640:1776] 00007ff8914b2a30 Thread C:\WINDOWS\system32\svchost.exe [1640:4460] 00007ff8889e5bc0 Thread C:\WINDOWS\system32\svchost.exe [1640:4464] 00007ff8889f7d70 Thread C:\WINDOWS\system32\svchost.exe [1640:2880] 00007ff87f8eb180 Thread C:\WINDOWS\system32\svchost.exe [1640:4084] 00007ff87f8ef5f0 Thread C:\WINDOWS\system32\svchost.exe [1640:428] 00007ff88b23e0b0 Thread C:\WINDOWS\system32\svchost.exe [1640:4884] 00007ff88b23e0b0 Thread C:\WINDOWS\system32\svchost.exe [2116:2208] 00007ff88cf2e830 Thread C:\WINDOWS\system32\svchost.exe [2116:2240] 00007ff88ca510a0 Thread C:\WINDOWS\system32\svchost.exe [2116:2308] 00007ff88c8da5e0 Thread C:\WINDOWS\system32\svchost.exe [2116:2580] 00007ff89134aee0 Thread C:\WINDOWS\system32\svchost.exe [2116:2612] 00007ff891312cf0 Thread C:\WINDOWS\system32\svchost.exe [2116:2900] 00007ff88b3c5bd0 Thread C:\WINDOWS\system32\svchost.exe [2116:2908] 00007ff88b3c9b20 Thread C:\WINDOWS\system32\svchost.exe [2116:2916] 00007ff891312cf0 Thread C:\WINDOWS\system32\svchost.exe [2116:5680] 00007ff88c8da5e0 Thread C:\WINDOWS\system32\svchost.exe [2288:2496] 00007ff88b8644b0 Thread C:\WINDOWS\system32\svchost.exe [2288:2716] 00007ff896126750 Thread C:\WINDOWS\System32\spoolsv.exe [2348:2296] 00007ff8889e5bc0 Thread C:\WINDOWS\System32\spoolsv.exe [2348:2300] 00007ff886d02740 Thread C:\WINDOWS\system32\dashost.exe [2868:4260] 00007ff8914130f0 Thread C:\WINDOWS\system32\svchost.exe [3012:3028] 00007ff89a603db0 Thread C:\WINDOWS\system32\svchost.exe [2372:3736] 00007ff8884258c0 Thread C:\WINDOWS\system32\svchost.exe [2372:3752] 00007ff8884258c0 Thread C:\WINDOWS\System32\svchost.exe [2436:4148] 00007ff888512980 Thread C:\WINDOWS\System32\svchost.exe [2436:4152] 00007ff888512990 Thread C:\WINDOWS\System32\svchost.exe [2436:4160] 00007ff88851fb00 Thread C:\WINDOWS\System32\svchost.exe [2436:4172] 00007ff88851fb60 Thread C:\WINDOWS\System32\svchost.exe [2436:4180] 00007ff88851fb30 Thread C:\WINDOWS\System32\svchost.exe [2436:4184] 00007ff88851fb50 Thread C:\WINDOWS\System32\svchost.exe [2436:4192] 00007ff88851fb40 Thread C:\WINDOWS\system32\svchost.exe [3144:3588] 00007ff89a603db0 Thread C:\WINDOWS\system32\svchost.exe [3144:3700] 00007ff888111e20 Thread C:\WINDOWS\system32\svchost.exe [3144:3708] 00007ff8880f16b0 Thread C:\WINDOWS\system32\svchost.exe [3144:3712] 00007ff8880f16b0 Thread C:\WINDOWS\system32\svchost.exe [3144:3716] 00007ff8880f16b0 Thread C:\WINDOWS\system32\svchost.exe [3144:3720] 00007ff8880f16b0 Thread C:\WINDOWS\system32\svchost.exe [3144:4028] 00007ff8884258c0 Thread C:\WINDOWS\system32\svchost.exe [3144:4032] 00007ff88813e870 Thread C:\WINDOWS\system32\svchost.exe [3144:4212] 00007ff89a603db0 Thread C:\WINDOWS\system32\svchost.exe [3144:4228] 00007ff888143c60 Thread C:\WINDOWS\system32\mqsvc.exe [3176:3644] 00007ff89a603db0 Thread C:\WINDOWS\system32\mqsvc.exe [3176:4048] 00007ff888a4dd10 Thread C:\WINDOWS\system32\mqsvc.exe [3176:2856] 00007ff888dea050 Thread C:\WINDOWS\system32\mqsvc.exe [3176:3268] 00007ff888dea050 Thread C:\WINDOWS\system32\mqsvc.exe [3176:2508] 00007ff888dea050 Thread C:\WINDOWS\system32\mqsvc.exe [3176:3452] 00007ff888dea050 Thread C:\WINDOWS\system32\mqsvc.exe [3176:3416] 00007ff888dea050 Thread C:\WINDOWS\system32\mqsvc.exe [3176:2516] 00007ff888dea050 Thread C:\WINDOWS\system32\mqsvc.exe [3176:3440] 00007ff888dea050 Thread C:\WINDOWS\system32\mqsvc.exe [3176:3240] 00007ff888dea050 Thread C:\WINDOWS\system32\mqsvc.exe [3176:3200] 00007ff888dea050 Thread C:\WINDOWS\system32\mqsvc.exe [3176:3744] 00007ff888dea050 Thread C:\WINDOWS\system32\mqsvc.exe [3176:3600] 00007ff888dea050 Thread C:\WINDOWS\system32\mqsvc.exe [3176:3556] 00007ff888dea050 Thread C:\WINDOWS\system32\mqsvc.exe [3176:3728] 00007ff888de9790 Thread C:\WINDOWS\system32\mqsvc.exe [3176:4280] 00007ff8864e79e0 Thread C:\WINDOWS\system32\mqsvc.exe [3176:4284] 00007ff888dbabc0 Thread C:\WINDOWS\system32\mqsvc.exe [3176:4304] 00007ff888da6d70 Thread C:\WINDOWS\System32\tcpsvcs.exe [3316:3648] 00007ff89a603db0 Thread C:\WINDOWS\SysWOW64\SecUPDUtilSvc.exe [3324:3576] 0000000077036140 Thread C:\WINDOWS\system32\svchost.exe [3376:11808] 00007ff8889e5bc0 Thread C:\WINDOWS\system32\svchost.exe [3376:14500] 00007ff886d02740 Thread C:\WINDOWS\system32\svchost.exe [3384:13468] 00007ff899f15900 Thread C:\WINDOWS\system32\svchost.exe [3384:10248] 00007ff88663dbe0 Thread C:\WINDOWS\system32\svchost.exe [3384:4340] 00007ff88663dbe0 Thread C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [4204:4348] 00007ff8859dd840 Thread C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [4204:4352] 00007ff8858f0250 Thread C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [4204:4540] 00007ff880741b50 Thread C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [4204:4712] 00007ff8858f0250 Thread C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [4388:4404] 00007ff8859dd840 Thread C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [4388:4408] 00007ff8858f0250 Thread C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [4388:4548] 00007ff880741b50 Thread C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [5512:5748] 00007ff87dde7944 Thread C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [5512:5776] 00007ff87dcabeb4 Thread C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [5512:7244] 00007ff87dcabeb4 Thread C:\WINDOWS\system32\SearchIndexer.exe [6552:7148] 00007ff8745a4320 Thread C:\WINDOWS\system32\wbem\wmiprvse.exe [5872:4504] 00007ff887b648e0 Thread C:\WINDOWS\system32\sihost.exe [3304:2080] 00007ff88ae72240 Thread C:\WINDOWS\system32\sihost.exe [3304:4908] 000000018009d534 Thread C:\WINDOWS\system32\svchost.exe [7612:6800] 00007ff88663dbe0 Thread C:\WINDOWS\system32\svchost.exe [7612:8892] 00007ff88663dbe0 Thread C:\WINDOWS\system32\taskhostw.exe [6252:6756] 00007ff88c331ba0 Thread C:\WINDOWS\system32\taskhostw.exe [6252:7952] 00007ff88f1c1160 Thread C:\WINDOWS\system32\taskhostw.exe [6252:9768] 00007ff88f1c1a20 Thread C:\WINDOWS\system32\taskhostw.exe [6252:4168] 00007ff89a99b600 Thread C:\WINDOWS\system32\taskhostw.exe [6252:6388] 00007ff88027a3b0 Thread C:\WINDOWS\system32\taskhostw.exe [6252:8960] 00007ff88b287930 Thread C:\WINDOWS\system32\taskhostw.exe [6252:13572] 00007ff88b287930 Thread C:\WINDOWS\system32\taskhostw.exe [6252:14524] 00007ff88b287930 Thread C:\WINDOWS\system32\taskhostw.exe [6252:1412] 00007ff8949230f0 Thread C:\WINDOWS\system32\taskhostw.exe [6252:13348] 00007ff88663dbe0 Thread C:\WINDOWS\system32\taskhostw.exe [6252:11232] 00007ff88663dbe0 Thread C:\WINDOWS\system32\taskhostw.exe [6252:3972] 000000018009d534 Thread C:\Windows\System32\RuntimeBroker.exe [10492:6008] 00007ff8911e1ba0 Thread C:\Windows\System32\RuntimeBroker.exe [10492:1224] 00007ff8948d2880 Thread C:\Windows\System32\RuntimeBroker.exe [10492:1108] 00007ff88c8da5e0 Thread C:\Windows\System32\RuntimeBroker.exe [10492:2228] 00007ff891312cf0 Thread C:\Windows\System32\RuntimeBroker.exe [10492:12364] 00007ff890bdbb70 Thread C:\Windows\System32\RuntimeBroker.exe [10492:4232] 00007ff891312cf0 Thread C:\Windows\System32\RuntimeBroker.exe [10492:452] 00007ff891312cf0 Thread C:\Windows\System32\RuntimeBroker.exe [10492:6484] 0000027ab231d534 Thread C:\WINDOWS\system32\taskhostw.exe [10816:5508] 00007ff8888d0610 Thread C:\WINDOWS\system32\taskhostw.exe [10816:14452] 000000018009d534 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:8832] 00007ff899f15900 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:9980] 00007ff88ed348e0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:11324] 00007ff897cf59c0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:3140] 00007ff8790b3890 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:10032] 00007ff897cf70d0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:11008] 00007ff89041e010 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:13304] 00007ff8954411a0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:2260] 00007ff899f15900 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:5868] 00007ff89a7fb310 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:15240] 00007ff86d46cca0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:11092] 00007ff86d4eabb0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:8920] 00007ff86d4aa030 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:9984] 00007ff86d4eabb0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:14456] 00007ff89a7fb310 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:12824] 00007ff89a7fb310 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:8692] 00007ff86d4f2630 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:12904] 00007ff88d5c8390 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:9456] 00007ff89738a1e0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:8164] 00007ff88ed32a60 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:15320] 00007ff86d4eabb0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:10780] 00007ff86d4eabb0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:6208] 00007ff86d4eabb0 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:11484] 00000257d5d6d534 Thread C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe [1240:14060] 00007ff878f79ce0 Thread C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe [10620:860] 00007ff895c75110 Thread C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe [10620:5020] 000000018009d534 Thread C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe [10620:1040] 00007ff899f15900 Thread C:\WINDOWS\system32\DllHost.exe [1904:12776] 00007ff899f15900 Thread C:\WINDOWS\System32\Taskmgr.exe [12780:10292] 00007ff88d5c8390 Thread C:\WINDOWS\SYSTEM32\notepad.exe [6228:13720] 000000018009d534 Thread C:\WINDOWS\SYSTEM32\notepad.exe [4772:8052] 000000018009d534 Thread C:\WINDOWS\SYSTEM32\notepad.exe [14144:5408] 000000018009d534 Thread C:\WINDOWS\SYSTEM32\notepad.exe [14144:13904] 00007ff899f15900 Thread C:\WINDOWS\SYSTEM32\notepad.exe [14144:6196] 00007ff88d5c8390 ---- EOF - GMER 2.2 ----