GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-01-29 00:15:15
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002f TOSHIBA_DT01ACA050 rev.MS1OA750 465,76GB
Running: hesiv0bz.exe; Driver: C:\Users\Tomasz\AppData\Local\Temp\ugwoipod.sys

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [672:796] ffff87e1a6b36c20
Thread C:\WINDOWS\system32\svchost.exe [900:80] 00007ffdaa01f950
Thread C:\WINDOWS\system32\svchost.exe [900:324] 00007ffdaa01ed20
Thread C:\WINDOWS\system32\svchost.exe [900:340] 00007ffda9e18ae0
Thread C:\WINDOWS\System32\svchost.exe [532:3408] 00007ffda070ac90
Thread C:\WINDOWS\System32\svchost.exe [532:3528] 00007ffda0703590
Thread C:\WINDOWS\System32\svchost.exe [532:3752] 00007ffda1265bc0
Thread C:\WINDOWS\system32\svchost.exe [656:3012] 00007ffda07e39b0
Thread C:\WINDOWS\system32\svchost.exe [656:3084] 00007ffda0591a50
Thread C:\WINDOWS\system32\svchost.exe [656:2388] 00007ffda0d01040
Thread C:\WINDOWS\system32\svchost.exe [656:3080] 00007ffda0e048e0
Thread C:\WINDOWS\system32\svchost.exe [656:3616] 00007ffda0e048e0
Thread C:\WINDOWS\system32\svchost.exe [656:3740] 00007ffd97a31930
Thread C:\WINDOWS\system32\svchost.exe [656:3028] 00007ffd8d61fe40
Thread C:\WINDOWS\system32\svchost.exe [656:6912] 00007ffd8d61fe40
Thread C:\WINDOWS\system32\svchost.exe [656:6292] 00007ffd8d61fe40
Thread C:\WINDOWS\system32\svchost.exe [656:4120] 00007ffd8d625ed0
Thread C:\WINDOWS\system32\svchost.exe [656:6884] 00007ffd8d61fe40
Thread C:\WINDOWS\system32\svchost.exe [656:6188] 00007ffd8d625ed0
Thread C:\WINDOWS\system32\svchost.exe [656:16968] 00007ffda5f87ac0
Thread C:\WINDOWS\system32\svchost.exe [656:16988] 00007ffda5f87ac0
Thread C:\WINDOWS\system32\svchost.exe [1156:2872] 00007ffda0fbaf40
Thread C:\WINDOWS\system32\svchost.exe [1156:2956] 00007ffda0fbca00
Thread C:\WINDOWS\system32\svchost.exe [1156:4056] 00007ffd98121240
Thread C:\WINDOWS\system32\svchost.exe [1156:4060] 00007ffd9815a3b0
Thread C:\WINDOWS\system32\svchost.exe [1156:4064] 00007ffd980f25e0
Thread C:\WINDOWS\system32\svchost.exe [1156:4376] 00007ffd91c03bc0
Thread C:\WINDOWS\system32\svchost.exe [1156:10460] 00007ffd91c02080
Thread C:\WINDOWS\system32\svchost.exe [1224:1600] 00007ffda6f4a420
Thread C:\WINDOWS\system32\svchost.exe [1224:1608] 00007ffda6f483a0
Thread C:\WINDOWS\system32\svchost.exe [1224:1616] 00007ffda6f4b090
Thread C:\WINDOWS\system32\svchost.exe [1224:1620] 00007ffda6f4a9a0
Thread C:\WINDOWS\system32\svchost.exe [1224:1624] 00007ffda6f4a770
Thread C:\WINDOWS\system32\svchost.exe [1224:1892] 00007ffda3ce03d0
Thread C:\WINDOWS\system32\svchost.exe [1224:1896] 00007ffda3cdfa20
Thread C:\WINDOWS\system32\svchost.exe [1224:2292] 00007ffda6f48b00
Thread C:\WINDOWS\system32\svchost.exe [1224:4236] 00007ffda5b92a20
Thread C:\WINDOWS\system32\svchost.exe [1224:1920] 00007ffda5b92610
Thread C:\WINDOWS\system32\svchost.exe [1064:1804] 00007ffda227e830
Thread C:\WINDOWS\system32\svchost.exe [1064:1868] 00007ffda22110a0
Thread [2088:2100] 00007ffdaefd3db0
Thread [2088:2112] 00007ffdaf3a2dc0
Thread [2088:2116] 00007ffdaf3a2dc0
Thread [2088:6072] 00007ffda1265bc0
Thread [2088:548] 00007ffd9e932740
Thread [2088:2264] 00007ffda8be1180
Thread [2088:7156] 00007ffda2798e40
Thread [2088:6388] 00007ffdaf3a2dc0
Thread [2088:6824] 00007ffdaf3a2dc0
Thread C:\WINDOWS\system32\svchost.exe [2316:2420] 00007ffda1265bc0
Thread C:\WINDOWS\system32\svchost.exe [2316:2424] 00007ffda1277d70
Thread C:\WINDOWS\system32\svchost.exe [2316:3808] 00007ffd988db180
Thread C:\WINDOWS\system32\svchost.exe [2316:3812] 00007ffd988df5f0
Thread [2444:2976] 00007ffdaefd3db0
Thread C:\WINDOWS\system32\svchost.exe [2452:2672] 00007ffda04258c0
Thread C:\WINDOWS\system32\svchost.exe [2452:3192] 00007ffda04258c0
Thread C:\WINDOWS\system32\svchost.exe [2696:3212] 00007ffda04f16b0
Thread C:\WINDOWS\system32\svchost.exe [2696:3216] 00007ffda04f16b0
Thread C:\WINDOWS\system32\svchost.exe [2696:3220] 00007ffda04f16b0
Thread C:\WINDOWS\system32\svchost.exe [2696:3224] 00007ffda04f16b0
Thread C:\WINDOWS\system32\svchost.exe [2696:3316] 00007ffda04258c0
Thread C:\WINDOWS\system32\mqsvc.exe [2704:3708] 00007ffd998579e0
Thread [2716:2356] 0000000074647ea0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2768:2772] 0000000030560d88
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2768:3960] 000000005003bf18
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2768:3964] 000000005003bf18
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2768:3968] 000000005003bf18
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2768:3972] 000000005003bf18
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2768:3976] 000000005003bf18
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2768:3980] 000000005003bf18
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2768:3984] 000000005003bf18
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2768:3988] 000000005003bf18
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2768:3992] 000000005003bf18
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2768:4000] 000000005003bf18
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2768:3748] 00000000711552e0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2768:3420] 000000005003bf18
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2768:2692] 000000005003bf18
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2768:3744] 000000005003bf18
Thread C:\WINDOWS\system32\svchost.exe [2876:3484] 00007ffda1265bc0
Thread C:\WINDOWS\system32\svchost.exe [2876:3492] 00007ffd9e932740
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2952:2312] 0000000000c8437b
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2952:3472] 0000000000c83960
Thread C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [3500:3548] 00007ffd9df0d840
Thread C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [3500:3552] 00007ffd9de20250
Thread C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [3500:3876] 00007ffd98871b50
Thread C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [3500:3952] 00007ffd9de20250
Thread C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [4024:4048] 00007ffd9df0d840
Thread C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [4024:4052] 00007ffd9de20250
Thread C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [4024:4084] 00007ffd98871b50
Thread C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [4380:4492] 00007ffd96ee7944
Thread C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [4380:4500] 00007ffd96dabeb4
Thread C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [4380:4772] 00007ffd96dabeb4

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1397267254
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xF6 0x42 0xA1 0x46 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xF6 0xAA 0x65 0xA8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xF6 0xDA 0xDC 0xE4 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.PL]Harry+Potter+i+Więzień+Azkabanu+GTX+Box+Team+Dubbing+PL
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.PL]Harry+Potter+i+Więzień+Azkabanu+GTX+Box+Team+Dubbing+PL@MRUListEx 0x00 0x00 0x00 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.PL]Harry+Potter+i+Więzień+Azkabanu+GTX+Box+Team+Dubbing+PL@0 0x6D 0x00 0x61 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@E7CF176E110C211B 0x6A 0x93 0xCF 0x04 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{0626BA69-FBC4-4F1D-BFE7-64C82049FB63}@LastAccessedTime 0xC0 0x6E 0xA3 0xA7 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{0626BA69-FBC4-4F1D-BFE7-64C82049FB63}@LaunchCount 15

---- EOF - GMER 2.2 ----