GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-12-07 08:35:58
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000001b WDC_WD10JPCX-24UE4T0 rev.01.01A01 931.51GB
Running: sl98drq6.exe; Driver: C:\Users\Paulina2\AppData\Local\Temp\uwldqpog.sys

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\svchost.exe [1068:1200]  00007fff9935f950
Thread  C:\WINDOWS\system32\svchost.exe [1068:1204]  00007fff9935ed20
Thread  C:\WINDOWS\system32\svchost.exe [1068:1268]  00007fff991f8ae0
Thread  [1232:1588]  00007fff98fb1270
Thread  [1232:1612]  00007fff98d46380
Thread  [1232:1616]  00007fff98f14780
Thread  [1232:1732]  00007fff98d46400
Thread  [1232:1852]  00007fff98cb2040
Thread  [1232:1856]  00007fff98cb20f0
Thread  [1232:1860]  00007fff98cb2190
Thread  [1232:2036]  00007fff950cea60
Thread  [1232:7932]  00007fff9e782800
Thread  [1232:6460]  00007fff9e782800
Thread  C:\WINDOWS\system32\svchost.exe [1276:3788]  00007fff88881040
Thread  C:\WINDOWS\system32\svchost.exe [1276:3792]  00007fff88c948e0
Thread  C:\WINDOWS\system32\svchost.exe [1276:3796]  00007fff88c948e0
Thread  C:\WINDOWS\system32\svchost.exe [1276:13396]  00007fff80891730
Thread  C:\WINDOWS\system32\svchost.exe [1276:10992]  00007fff8d7bdbe0
Thread  C:\WINDOWS\system32\svchost.exe [1276:3616]  00007fff8d7bdbe0
Thread  C:\WINDOWS\system32\svchost.exe [1276:10036]  00007fff8d7bdbe0
Thread  C:\WINDOWS\system32\svchost.exe [1276:13324]  00007fff7e830c20
Thread  C:\WINDOWS\system32\svchost.exe [1276:7420]  00007fff7e830c20
Thread  C:\WINDOWS\system32\svchost.exe [1276:13256]  00007fff7e830c20
Thread  C:\WINDOWS\system32\svchost.exe [1276:8488]  00007fff7e830c20
Thread  C:\WINDOWS\system32\svchost.exe [1284:1092]  00007fff963b4310
Thread  C:\WINDOWS\system32\svchost.exe [1284:2788]  00007fff91072af0
Thread  C:\WINDOWS\system32\svchost.exe [1284:2792]  00007fff91072a40
Thread  C:\WINDOWS\system32\svchost.exe [1284:5636]  00007fff91065c80
Thread  C:\WINDOWS\system32\svchost.exe [1284:5524]  00007fff9106fdf0
Thread  C:\WINDOWS\system32\svchost.exe [1284:7668]  00007fff8d7bdbe0
Thread  C:\WINDOWS\system32\svchost.exe [1284:2128]  00007fff8d7bdbe0
Thread  C:\WINDOWS\system32\svchost.exe [1284:8104]  00007fff8d7bdbe0
Thread  C:\WINDOWS\system32\svchost.exe [1284:9572]  00007fff785751d0
Thread  C:\WINDOWS\system32\svchost.exe [1284:3928]  00007fff785772d0
Thread  C:\WINDOWS\system32\svchost.exe [1332:1848]  00007fff9645a770
Thread  C:\WINDOWS\system32\svchost.exe [1332:3816]  00007fff88aba880
Thread  C:\WINDOWS\system32\svchost.exe [1332:3824]  00007fff88ab38e0
Thread  C:\WINDOWS\system32\svchost.exe [1332:9780]  00007fff8f6e9040
Thread  C:\WINDOWS\system32\svchost.exe [1332:6404]  00007fff8da099e0
Thread  C:\WINDOWS\system32\svchost.exe [1332:10800]  00007fff94572cf0
Thread  C:\WINDOWS\system32\svchost.exe [1332:9432]  00007fff8f1c5bc0
Thread  C:\WINDOWS\system32\svchost.exe [1700:2284]  00007fff99d26750
Thread  C:\WINDOWS\system32\svchost.exe [1700:2324]  00007fff99d26750
Thread  C:\WINDOWS\system32\svchost.exe [1700:2636]  00007fff99d26750
Thread  C:\WINDOWS\system32\svchost.exe [1700:2800]  00007fff9147c5a0
Thread  C:\WINDOWS\system32\svchost.exe [1700:2864]  00007fff91956cf0
Thread  C:\WINDOWS\system32\svchost.exe [1700:2904]  00007fff9147eab0
Thread  C:\WINDOWS\system32\svchost.exe [1700:2908]  00007fff9147d2d0
Thread  C:\WINDOWS\system32\svchost.exe [1700:2912]  00007fff9147e100
Thread  C:\WINDOWS\system32\svchost.exe [1700:4840]  00007fff8367af40
Thread  C:\WINDOWS\system32\svchost.exe [1700:4844]  00007fff8367ca00
Thread  C:\WINDOWS\system32\svchost.exe [1700:2980]  00007fff80dd3bc0
Thread  C:\WINDOWS\system32\svchost.exe [1700:4208]  00007fff831e1240
Thread  C:\WINDOWS\system32\svchost.exe [1700:4244]  00007fff832ca3b0
Thread  C:\WINDOWS\system32\svchost.exe [1700:4316]  00007fff831b25e0
Thread  C:\WINDOWS\system32\svchost.exe [1700:6632]  00007fff80dd2080
Thread  C:\WINDOWS\system32\svchost.exe [1784:2936]  00007fff8da099e0
Thread  C:\WINDOWS\system32\svchost.exe [1784:2996]  00007fff94572cf0
Thread  C:\WINDOWS\system32\svchost.exe [1784:3100]  00007fff78ddb030
Thread  C:\WINDOWS\System32\svchost.exe [1964:1996]  00007fff9635f050
Thread  C:\WINDOWS\System32\svchost.exe [1964:2588]  00007fff910e4e90
Thread  C:\WINDOWS\System32\svchost.exe [1964:3436]  00007fff8d7bdbe0
Thread  C:\WINDOWS\System32\svchost.exe [1964:3448]  00007fff8d7bdbe0
Thread  C:\WINDOWS\System32\svchost.exe [1964:4036]  00007fff962230f0
Thread  C:\WINDOWS\System32\svchost.exe [1964:2876]  00007fff911c2400
Thread  C:\WINDOWS\system32\svchost.exe [1672:2052]  00007fff93a1e830
Thread  C:\WINDOWS\system32\svchost.exe [1672:2072]  00007fff938810a0
Thread  C:\WINDOWS\system32\svchost.exe [1672:3008]  00007fff94572cf0
Thread  C:\WINDOWS\system32\svchost.exe [1672:3120]  00007fff8dd25bd0
Thread  C:\WINDOWS\system32\svchost.exe [1672:3128]  00007fff8dd29b20
Thread  C:\WINDOWS\system32\svchost.exe [1672:3132]  00007fff94572cf0
Thread  C:\WINDOWS\system32\svchost.exe [2088:2852]  00007fff9bd7b310
Thread  C:\WINDOWS\system32\svchost.exe [2088:2892]  00007fff8e8a44b0
Thread  C:\WINDOWS\system32\svchost.exe [2088:2952]  00007fff99d26750
Thread  C:\WINDOWS\System32\spoolsv.exe [2208:5400]  00007fff8f1c5bc0
Thread  C:\WINDOWS\System32\spoolsv.exe [2208:5940]  00007fff8ef62740
Thread  C:\WINDOWS\System32\spoolsv.exe [2208:2816]  00007fff8fe11180
Thread  C:\WINDOWS\System32\spoolsv.exe [2208:5112]  00007fff86bd8e40
Thread  C:\WINDOWS\System32\spoolsv.exe [2208:5496]  00007fff8f5f17c0
Thread  C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2752:2928]  00007fff8dee8380
Thread  C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2752:3076]  00007fff8deeb130
Thread  C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2752:3084]  00007fff8dee8380
Thread  C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2752:3088]  00007fff8dee8380
Thread  C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2752:3112]  00007fff8dee8380
Thread  C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2752:3212]  00007fff8a75502c
Thread  C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2752:4972]  00007fff8dee8380
Thread  C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2752:11320]  00007fff8dee8380
Thread  C:\WINDOWS\system32\taskhostw.exe [4020:4264]  00007fff98601160
Thread  C:\WINDOWS\system32\taskhostw.exe [4020:4280]  00007fff97431ba0
Thread  C:\WINDOWS\system32\taskhostw.exe [4020:4296]  00007fff98601a20
Thread  C:\WINDOWS\system32\taskhostw.exe [4020:4300]  00007fff9c00b600
Thread  C:\WINDOWS\system32\taskhostw.exe [4020:4596]  00007fff964fa3b0
Thread  C:\WINDOWS\system32\taskhostw.exe [4020:4616]  00007fff872e7930
Thread  C:\WINDOWS\system32\taskhostw.exe [4020:4620]  00007fff872e7930
Thread  C:\WINDOWS\system32\taskhostw.exe [4020:4624]  00007fff872e7930
Thread  C:\WINDOWS\system32\taskhostw.exe [4020:4708]  00007fff990430f0
Thread  C:\WINDOWS\system32\taskhostw.exe [4020:4512]  00007fff8d7bdbe0
Thread  C:\WINDOWS\system32\taskhostw.exe [4020:4720]  00007fff8d7bdbe0
Thread  C:\Windows\System32\RuntimeBroker.exe [4636:6220]  00007fff9b64a1e0
Thread  C:\Windows\System32\RuntimeBroker.exe [4636:5316]  00007fff82186be0
Thread  C:\Windows\System32\RuntimeBroker.exe [4636:11256]  00007fff9b64a1e0
Thread  C:\Windows\System32\RuntimeBroker.exe [4636:14112]  00007fff98ff2880
Thread  C:\Windows\System32\RuntimeBroker.exe [4636:11640]  00007fff94572cf0
Thread  C:\Windows\System32\RuntimeBroker.exe [4636:4812]  00007fff96bbbb70
Thread  C:\Windows\System32\RuntimeBroker.exe [4636:8912]  00007fff94572cf0
Thread  C:\Windows\System32\RuntimeBroker.exe [4636:9084]  00007fff94572cf0
Thread  C:\Windows\System32\RuntimeBroker.exe [4636:13912]  00007fff9b64a1e0
Thread  C:\Windows\System32\RuntimeBroker.exe [4636:9656]  00007fff9b64a1e0
Thread  C:\Windows\System32\RuntimeBroker.exe [4636:9448]  00007fff9b64a1e0
Thread  C:\WINDOWS\Explorer.EXE [4904:4608]  00007fff837163b0
Thread  C:\WINDOWS\Explorer.EXE [4904:4804]  00007fff8b7da610
Thread  C:\WINDOWS\Explorer.EXE [4904:4744]  00007fff837163b0
Thread  C:\WINDOWS\Explorer.EXE [4904:3960]  00007fff837163b0
Thread  C:\WINDOWS\Explorer.EXE [4904:3444]  00007fff96bbbb70
Thread  C:\WINDOWS\Explorer.EXE [4904:4152]  00007fff990b1ba0
Thread  C:\WINDOWS\Explorer.EXE [4904:6264]  00007fff9a33faa0
Thread  C:\WINDOWS\Explorer.EXE [4904:5540]  00007fff7990ffd0
Thread  C:\WINDOWS\Explorer.EXE [4904:3920]  00007fff837163b0
Thread  C:\WINDOWS\Explorer.EXE [4904:6272]  00007fff8c1b5110
Thread  C:\WINDOWS\system32\svchost.exe [5952:2104]  00007fff891db180
Thread  C:\WINDOWS\system32\svchost.exe [5952:1904]  00007fff891df5f0
Thread  C:\WINDOWS\system32\svchost.exe [5952:6996]  00007fff8f1c5bc0
Thread  C:\WINDOWS\system32\svchost.exe [5952:6848]  00007fff8f1d7d70
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:7036]  000000006c5bbf4a
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:6668]  000000006bb303d8
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:7072]  000000006bb376be
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:6720]  000000006c5ba02c
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:6768]  000000006c5ba02c
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:600]  000000006c5ba02c
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:3864]  000000006c5ba02c
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:2584]  00000000754257d0
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:4496]  0000000062390030
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:5872]  0000000062c011e0
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:6008]  0000000062c011e0
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:5272]  0000000062c011e0
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:4740]  0000000062c011e0
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:5668]  000000006c5ba02c
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:5724]  000000006c5ba02c
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:6756]  0000000066a187bc
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:1356]  0000000066a187bc
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:12976]  000000006c5ba02c
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:8440]  0000000068fc132b
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:10824]  000000006c5ba02c
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:11720]  000000006c5ba02c
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:2112]  000000006554cb06
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:10740]  000000006c5ba02c
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:948]  000000006c5ba02c
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:6560]  000000006c5ba02c
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:9956]  000000006c5ba02c
Thread  C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [7048:6336]  000000006c5ba02c
Thread  C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE [7460:1152]  000000006bb303d8
Thread  C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE [7460:9508]  000000006bb376be
Thread  C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE [7460:1080]  00000000742e3b70

---- Processes - GMER 2.2 ----

Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso20win32client.dll (*** suspicious ***) @ C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE [7460]  000000006c5a0000

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  741415790
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\142d27eff382
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\142d27eff382@72e2460337e2  0x24 0xE1 0xB2 0xE4 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7ae13bca-a868-4a31-b564-f41ccde98498}@LeaseObtainedTime  1481082516
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7ae13bca-a868-4a31-b564-f41ccde98498}@T1  1481086116
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7ae13bca-a868-4a31-b564-f41ccde98498}@T2  1481088816
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7ae13bca-a868-4a31-b564-f41ccde98498}@LeaseTerminatesTime  1481089716
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0xFA 0xDE 0xCC 0x6F ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0xFA 0x46 0x91 0xD1 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0xFA 0x76 0x08 0x0E ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\3@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\3@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\4@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\4@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\5@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\5@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\6@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\6@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\7@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\7@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@E7CF176E110C211B  0xAC 0x52 0xA3 0x2A ...

---- Files - GMER 2.2 ----

File  C:\Users\Paulina2\AppData\Local\Mozilla\Firefox\Profiles\o56fr96v.default\cache2\entries\0C409215F0D4CE62642BD4A56972736AFDF7F656  17883 bytes
File  C:\Users\Paulina2\AppData\Local\Mozilla\Firefox\Profiles\o56fr96v.default\cache2\entries\B79F102543BCEEF8E36DADA408A2519AE3BA3C37  11740 bytes
File  C:\Users\Paulina2\AppData\Local\Mozilla\Firefox\Profiles\o56fr96v.default\cache2\entries\7F180A92B376FF94B3B6AF196EBB712CA9F917A3  20815 bytes
File  C:\Users\Paulina2\AppData\Local\Mozilla\Firefox\Profiles\o56fr96v.default\cache2\entries\4471AC8DA53F514ADBFC3967117606F9F724C7BA  13997 bytes
File  C:\Users\Paulina2\AppData\Local\Mozilla\Firefox\Profiles\o56fr96v.default\cache2\entries\6CDA3300546CE3988AA58E8DCC21A80A1A539359  4345 bytes
File  C:\Users\Paulina2\AppData\Local\Mozilla\Firefox\Profiles\o56fr96v.default\cache2\entries\4CAD4B556B41F49EEE29946A5F6C092CFEAA617C  16370 bytes
File  C:\Users\Paulina2\AppData\Local\Mozilla\Firefox\Profiles\o56fr96v.default\cache2\entries\72007CCF80EA1649E6326B045BF375F2CD9105B3  4361 bytes
File  C:\Users\Paulina2\AppData\Local\Mozilla\Firefox\Profiles\o56fr96v.default\cache2\entries\CAD4D2EBA2C1C0BE60F2584B697A4B28328AC9DF  4366 bytes
File  C:\Users\Paulina2\AppData\Local\Mozilla\Firefox\Profiles\o56fr96v.default\cache2\entries\62B04AA8488D7521923BB9F290170AEAE0CB1AFF  2038066 bytes
File  C:\Users\Paulina2\AppData\Local\Mozilla\Firefox\Profiles\o56fr96v.default\cache2\entries\8CBF3DE4792AFBF225EE8FC3769B45D8ECB275E1  11693 bytes
File  C:\Users\Paulina2\AppData\Local\Mozilla\Firefox\Profiles\o56fr96v.default\cache2\entries\F09BF7637989FD6AB331FA65A368A9B1D5D25D77  208293 bytes
File  C:\Users\Paulina2\AppData\Local\Mozilla\Firefox\Profiles\o56fr96v.default\cache2\entries\F09F39866E81755D7D9D787013CA7361880FDED9  4426 bytes
File  C:\Users\Paulina2\AppData\Local\Mozilla\Firefox\Profiles\o56fr96v.default\cache2\entries\96540FB71A4D9CBE62BC26ECA02A5B5CA88C8B5C  4213 bytes

---- EOF - GMER 2.2 ----