GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-05-05 10:44:26
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\00000061 INTEL_SS rev.4PC1 111,79GB
Running: be7e730y.exe; Driver: C:\Users\Artur\AppData\Local\Temp\pwldqpoc.sys

---- Kernel code sections - GMER 2.2 ----

.text ntkrnlpa.exe!ZwRenameKey + 1579 82E4AF15 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E85232 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 2.2 ----

.text C:\Program Files\Bitdefender\Bitdefender 2016\vsserv.exe[856] kernel32.dll!UnhandledExceptionFilter 769C0851 5 Bytes JMP 011F07D0
.text C:\Program Files\Bitdefender Agent\ProductAgentService.exe[2392] kernel32.dll!UnhandledExceptionFilter 769C0851 5 Bytes JMP 011207D0
.text C:\Program Files\Bitdefender\Bitdefender 2016\updatesrv.exe[2476] kernel32.dll!UnhandledExceptionFilter 769C0851 5 Bytes JMP 010907D0
.text C:\Program Files\Bitdefender\Bitdefender 2016\bdagent.exe[5248] kernel32.dll!UnhandledExceptionFilter 769C0851 5 Bytes JMP 00C607D0

---- Devices - GMER 2.2 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{AE9B67D4-DA7D-453D-A329-EE2D71F16B29}@LeaseObtainedTime 1462437402
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{AE9B67D4-DA7D-453D-A329-EE2D71F16B29}@T1 1462437432
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{AE9B67D4-DA7D-453D-A329-EE2D71F16B29}@T2 1462437454
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{AE9B67D4-DA7D-453D-A329-EE2D71F16B29}@LeaseTerminatesTime 1462437462
Reg HKLM\SYSTEM\ControlSet002\Control@PreshutdownOrder wuauserv?gpsvc?trustedinstaller?
Reg HKLM\SYSTEM\ControlSet002\Control@WaitToKillServiceTimeout 12000
Reg HKLM\SYSTEM\ControlSet002\Control@CurrentUser USERNAME
Reg HKLM\SYSTEM\ControlSet002\Control@BootDriverFlags 0
Reg HKLM\SYSTEM\ControlSet002\Control@ServiceControlManagerExtension %systemroot%\system32\scext.dll
Reg HKLM\SYSTEM\ControlSet002\Control@SystemStartOptions NOEXECUTE=OPTIN
Reg HKLM\SYSTEM\ControlSet002\Control@SystemBootDevice multi(0)disk(0)rdisk(0)partition(2)
Reg HKLM\SYSTEM\ControlSet002\Control@FirmwareBootDevice multi(0)disk(0)rdisk(0)partition(1)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\0DBDD6825536F824B85D28C20F6860CE\Usage@WinMailFeat 1218773522
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\7971f918-a847-4430-9279-4a52d1efe18d
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\7971f918-a847-4430-9279-4a52d1efe18d@CurrentCacheFile C:\Windows\SoftwareDistribution\EventCache\{F017D562-DABB-4E33-9EB2-F9D1DEC429D2}.bin
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\7971f918-a847-4430-9279-4a52d1efe18d@FlushCacheFiles
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@33DAEFBC 815
Reg HKLM\SOFTWARE\Microsoft\Windows Search\CatalogNames\Windows\SystemIndex@pkm:catalog:LastCatalogCrawlId 617
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\618
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\618@CrawlType 2
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\618@InProgress 1
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\618@DoneAddingCrawlSeeds 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\618@IsCatalogLevel 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\618@LogStartAddId 3
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\3@CrawlNumberInProgress 618

---- EOF - GMER 2.2 ----