GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-06-15 20:20:56 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD103SJ rev.1AJ10001 931,51GB Running: 89o2oiur.exe; Driver: C:\Users\Mario\AppData\Local\Temp\pwddikob.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007732de70 6 bytes [48, B8, F0, 12, 92, 01] .text C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 000000007732de78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[800] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 000000007725b851 11 bytes [B8, F0, 12, B4, 01, 00, 00, ...] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075931401 2 bytes JMP 76e5b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2376] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075931419 2 bytes JMP 76e5b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075931431 2 bytes JMP 76ed8f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007593144a 2 bytes CALL 76e3489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2376] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000759314dd 2 bytes JMP 76ed8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000759314f5 2 bytes JMP 76ed89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2376] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007593150d 2 bytes JMP 76ed8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075931525 2 bytes JMP 76ed8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007593153d 2 bytes JMP 76e4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2376] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075931555 2 bytes JMP 76e568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007593156d 2 bytes JMP 76ed8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075931585 2 bytes JMP 76ed8b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2376] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007593159d 2 bytes JMP 76ed86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000759315b5 2 bytes JMP 76e4fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000759315cd 2 bytes JMP 76e5b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000759316b2 2 bytes JMP 76ed8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2376] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000759316bd 2 bytes JMP 76ed8671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007732de70 6 bytes [48, B8, F0, 12, 46, 02] .text C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 000000007732de78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[2388] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 000000007725b851 11 bytes [B8, F0, 12, 65, 02, 00, 00, ...] .text C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\bdwtxapps.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000774dfcfc 5 bytes JMP 00000001009b07d0 .text C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\bdwtxapps.exe[2484] C:\Windows\syswow64\kernel32.dll!UnhandledExceptionFilter 0000000076e576f7 5 bytes JMP 0000000100ce07d0 .text C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\bdwtxapps.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075931401 2 bytes JMP 76e5b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\bdwtxapps.exe[2484] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075931419 2 bytes JMP 76e5b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\bdwtxapps.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075931431 2 bytes JMP 76ed8f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\bdwtxapps.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007593144a 2 bytes CALL 76e3489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\bdwtxapps.exe[2484] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000759314dd 2 bytes JMP 76ed8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\bdwtxapps.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000759314f5 2 bytes JMP 76ed89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\bdwtxapps.exe[2484] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007593150d 2 bytes JMP 76ed8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\bdwtxapps.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075931525 2 bytes JMP 76ed8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\bdwtxapps.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007593153d 2 bytes JMP 76e4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\bdwtxapps.exe[2484] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075931555 2 bytes JMP 76e568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\bdwtxapps.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007593156d 2 bytes JMP 76ed8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\bdwtxapps.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075931585 2 bytes JMP 76ed8b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\bdwtxapps.exe[2484] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007593159d 2 bytes JMP 76ed86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\bdwtxapps.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000759315b5 2 bytes JMP 76e4fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\bdwtxapps.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000759315cd 2 bytes JMP 76e5b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\bdwtxapps.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000759316b2 2 bytes JMP 76ed8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\bdwtxapps.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000759316bd 2 bytes JMP 76ed8671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075931401 2 bytes JMP 76e5b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2848] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075931419 2 bytes JMP 76e5b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075931431 2 bytes JMP 76ed8f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007593144a 2 bytes CALL 76e3489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2848] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000759314dd 2 bytes JMP 76ed8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000759314f5 2 bytes JMP 76ed89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2848] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007593150d 2 bytes JMP 76ed8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075931525 2 bytes JMP 76ed8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007593153d 2 bytes JMP 76e4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2848] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075931555 2 bytes JMP 76e568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007593156d 2 bytes JMP 76ed8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075931585 2 bytes JMP 76ed8b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2848] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007593159d 2 bytes JMP 76ed86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000759315b5 2 bytes JMP 76e4fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000759315cd 2 bytes JMP 76e5b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000759316b2 2 bytes JMP 76ed8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2848] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000759316bd 2 bytes JMP 76ed8671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007732de70 5 bytes [48, B8, F0, 12, 88] .text C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[2212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 000000007732de78 4 bytes [00, 00, 50, C3] .text C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[2212] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1 000000007725b851 11 bytes [B8, F0, 12, 6F, 01, 00, 00, ...] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075931401 2 bytes JMP 76e5b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075931419 2 bytes JMP 76e5b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075931431 2 bytes JMP 76ed8f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007593144a 2 bytes CALL 76e3489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000759314dd 2 bytes JMP 76ed8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000759314f5 2 bytes JMP 76ed89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007593150d 2 bytes JMP 76ed8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075931525 2 bytes JMP 76ed8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007593153d 2 bytes JMP 76e4fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075931555 2 bytes JMP 76e568ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007593156d 2 bytes JMP 76ed8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075931585 2 bytes JMP 76ed8b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007593159d 2 bytes JMP 76ed86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000759315b5 2 bytes JMP 76e4fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000759315cd 2 bytes JMP 76e5b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000759316b2 2 bytes JMP 76ed8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2548] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000759316bd 2 bytes JMP 76ed8671 C:\Windows\syswow64\kernel32.dll ---- Processes - GMER 2.1 ---- Library \\?\C:\Program Files\Common Files\Bitdefender\Bitdefender Threat Scanner\trufos.dll (*** suspicious ***) @ C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe [800] (FILE NOT FOUND) 000007fefb500000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 36574 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 24297 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1AE05527-20B7-ED01-29CF-4845DE7FFAB9} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1AE05527-20B7-ED01-29CF-4845DE7FFAB9}@japdcblbalhcbgihddbj 0x62 0x61 0x6A 0x68 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1AE05527-20B7-ED01-29CF-4845DE7FFAB9}@japdcblbalhcbgihddni 0x62 0x61 0x6A 0x68 ... ---- Files - GMER 2.1 ---- File C:\Users\Mario\AppData\Local\Temp\WER69AE.tmp.resp.erc.xml 0 bytes File C:\Windows\Temp\~bd7A53.tmp 0 bytes ---- EOF - GMER 2.1 ----