GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-03 19:50:28
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002c ST1000DX001-1CM162 rev.CC43 931,51GB
Running: n749q2pd.exe; Driver: C:\Windows\TEMP\ugldrpob.sys

---- User code sections - GMER 2.2 ----

.text C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[876] C:\Windows\system32\KERNEL32.DLL!UnhandledExceptionFilter + 1 00007ffce32ed48d 5 bytes [B8, 30, 08, 0B, 02]
.text C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[876] C:\Windows\system32\KERNEL32.DLL!UnhandledExceptionFilter + 7 00007ffce32ed493 5 bytes [00, 00, 00, 50, C3]
.text C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[876] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffce1a1169a 4 bytes [A1, E1, FC, 7F]
.text C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[876] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffce1a116a2 4 bytes [A1, E1, FC, 7F]
.text C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[876] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffce1a1181a 4 bytes [A1, E1, FC, 7F]
.text C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[876] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffce1a11832 4 bytes [A1, E1, FC, 7F]
.text C:\Windows\system32\atiesrxx.exe[1356] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffce1a1169a 4 bytes [A1, E1, FC, 7F]
.text C:\Windows\system32\atiesrxx.exe[1356] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffce1a116a2 4 bytes [A1, E1, FC, 7F]
.text C:\Windows\system32\atiesrxx.exe[1356] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffce1a1181a 4 bytes [A1, E1, FC, 7F]
.text C:\Windows\system32\atiesrxx.exe[1356] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffce1a11832 4 bytes [A1, E1, FC, 7F]
.text C:\Windows\system32\atieclxx.exe[1608] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffce1a1169a 4 bytes [A1, E1, FC, 7F]
.text C:\Windows\system32\atieclxx.exe[1608] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffce1a116a2 4 bytes [A1, E1, FC, 7F]
.text C:\Windows\system32\atieclxx.exe[1608] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffce1a1181a 4 bytes [A1, E1, FC, 7F]
.text C:\Windows\system32\atieclxx.exe[1608] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffce1a11832 4 bytes [A1, E1, FC, 7F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1052] C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffcd7a61f6a 4 bytes [A6, D7, FC, 7F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1052] C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffcd7a61f82 4 bytes [A6, D7, FC, 7F]
.text C:\Windows\Explorer.EXE[2168] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffce1190f90 5 bytes JMP 00007ffcd09c26d4
.text C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[2884] C:\Windows\system32\KERNEL32.DLL!UnhandledExceptionFilter + 1 00007ffce32ed48d 5 bytes [B8, 30, 08, 88, 01]
.text C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[2884] C:\Windows\system32\KERNEL32.DLL!UnhandledExceptionFilter + 7 00007ffce32ed493 5 bytes [00, 00, 00, 50, C3]
.text C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[2884] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffce1a1169a 4 bytes [A1, E1, FC, 7F]
.text C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[2884] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffce1a116a2 4 bytes [A1, E1, FC, 7F]
.text C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[2884] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffce1a1181a 4 bytes [A1, E1, FC, 7F]
.text C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[2884] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffce1a11832 4 bytes [A1, E1, FC, 7F]
.text C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[3812] C:\Windows\system32\KERNEL32.DLL!UnhandledExceptionFilter + 1 00007ffce32ed48d 5 bytes [B8, 30, 08, 27, 02]
.text C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[3812] C:\Windows\system32\KERNEL32.DLL!UnhandledExceptionFilter + 7 00007ffce32ed493 5 bytes [00, 00, 00, 50, C3]
.text C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[3812] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffce1a1169a 4 bytes [A1, E1, FC, 7F]
.text C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[3812] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffce1a116a2 4 bytes [A1, E1, FC, 7F]
.text C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[3812] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffce1a1181a 4 bytes [A1, E1, FC, 7F]
.text C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[3812] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffce1a11832 4 bytes [A1, E1, FC, 7F]

---- Threads - GMER 2.2 ----

Thread C:\Windows\system32\csrss.exe [592:628] fffff960008adb90

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control@LastBootShutdown 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x6C 0x8D 0xA3 0x96 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x6C 0x8D 0xA3 0x96 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x6A 0x9D 0xCE 0xFE ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x42 0x78 0xC7 0xFE ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@de-DE 323
Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\ACR03E1T0EEE0058582_28_07DF_C1^D367E67B72EC7C532A173E78698CDDDC@Timestamp 0x0B 0x72 0x4A 0x97 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 684
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Windows\SysNative\drivers\MPCKpt.sys??\??\C:\Users\Expert\AppData\Roaming\MCorp??\??\C:\Program Files (x86)\MPC Cleaner???
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 3900318
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 1371433441
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 335
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 485549733
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 8390
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 8306
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 27f39f5e-8b2d-4687-b248-15254d1
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog@FileCounter 2
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\RAC_PS@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger@FileCounter 5
Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{ee129b9a-3258-44b2-bb9f-11216c1c308f}@LastProbeTime 1475517451
Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?Mo?, ?Okt ?03 ?16, 05:58:47??????U???????U???????????????U????
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 5694
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 1317
Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 327
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C58F7E1B-48EA-4162-ADF0-43C510F4BFE9}@LeaseObtainedTime 1475510222
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C58F7E1B-48EA-4162-ADF0-43C510F4BFE9}@T1 1475513822
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C58F7E1B-48EA-4162-ADF0-43C510F4BFE9}@T2 1475516522
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C58F7E1B-48EA-4162-ADF0-43C510F4BFE9}@LeaseTerminatesTime 1475517422
Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter 1224
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList@MRUList ba
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce@Report C:\AdwCleaner\AdwCleaner[C3].txt
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@16 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MPC Desktop\MPC Desktop.lnk?C:\Program Files (x86)\MPC Cleaner\MPCDesktop.exe??
Reg HKCU\Software\Microsoft\Windows\DWM@ColorizationColor -1411083158
Reg HKCU\Software\Microsoft\Windows\DWM@ColorizationColorBalance 76
Reg HKCU\Software\Microsoft\Windows\DWM@ColorizationAfterglow -1411083158
Reg HKCU\Software\Microsoft\Windows\DWM@ColorizationBlurBalance 14
Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Kernel_139_81a4511c1d7bc8b1ea81c86b983395e23dee14_00000000_cab_05ace39b

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----