GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-07-11 14:17:44
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\00000063 INTEL_SS rev.4PC1 111,79GB
Running: 36j6d8v6.exe; Driver: C:\Users\Artur\AppData\Local\Temp\pwldqpoc.sys

---- System - GMER 2.1 ----

SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwAllocateVirtualMemory [0x8ED260BE]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwAlpcConnectPort [0x8ED29566]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwAlpcSendWaitReceivePort [0x8ED2909C]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwAssignProcessToJobObject [0x8ED26C88]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwClose [0x8ED29B8C]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwConnectPort [0x8ED28418]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwCreateFile [0x8ED2795C]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwCreateKey [0x8ED28B10]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwCreateProcess [0x8ED26EDE]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwCreateProcessEx [0x8ED26F94]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwCreateSection [0x8ED2727E]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwCreateThread [0x8ED25A2E]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwCreateThreadEx [0x8ED29DA8]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwDeviceIoControlFile [0x8ED28C80]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwDuplicateObject [0x8ED2D11A]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwFsControlFile [0x8ED28F38]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwLoadDriver [0x8ED26594]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwMakeTemporaryObject [0x8ED29934]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwOpenFile [0x8ED2774E]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwOpenProcess [0x8ED2CB72]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwOpenSection [0x8ED2704E]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwOpenThread [0x8ED2CE22]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwProtectVirtualMemory [0x8ED25F42]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwQueueApcThread [0x8ED26DB0]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwReplaceKey [0x8ED29782]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwRequestPort [0x8ED28586]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwRequestWaitReplyPort [0x8ED27F1A]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwRestoreKey [0x8ED2980C]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwSecureConnectPort [0x8ED289A0]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwSetContextThread [0x8ED25B9E]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwSetSecurityObject [0x8ED296DC]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwSetSystemInformation [0x8ED2678E]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwShutdownSystem [0x8ED2989E]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwSuspendProcess [0x8ED25E1A]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwSuspendThread [0x8ED25CF4]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwSystemDebugControl [0x8ED26BBA]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwTerminateProcess [0x8ED2CA6A]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwTerminateThread [0x8ED2D30C]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwUnloadDriver [0x8ED299CA]
SSDT \??\C:\Program Files\Bitdefender\Bitdefender 2015\bdselfpr.sys ZwWriteVirtualMemory [0x8ED258B2]

SYSENTER \SystemRoot\system32\DRIVERS\avc3.sys 890B3000

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRequestPort + 14AD 82C8ABB5 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CC4B92 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82CCBFB8 4 Bytes [BE, 60, D2, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82CCBFC4 4 Bytes [66, 95, D2, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1143 82CCC008 4 Bytes [9C, 90, D2, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82CCC018 4 Bytes [88, 6C, D2, 8E] {MOV [EDX+EDX*8-0x72], CH}
.text ntkrnlpa.exe!KeRemoveQueueEx + 116F 82CCC034 4 Bytes [8C, 9B, D2, 8E]
.text ...

---- User code sections - GMER 2.1 ----

.text C:\Windows\System32\spoolsv.exe[428] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Windows\System32\spoolsv.exe[428] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[504] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Windows\system32\svchost.exe[504] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[740] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[860] kernel32.dll!UnhandledExceptionFilter 75580781 5 Bytes JMP 013F07D0
.text C:\Windows\system32\SearchFilterHost.exe[1540] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Windows\system32\svchost.exe[1628] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[1772] kernel32.dll!UnhandledExceptionFilter 75580781 5 Bytes JMP 008607D0
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1792] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Windows\system32\nvvsvc.exe[1812] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Windows\system32\svchost.exe[1836] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Windows\system32\svchost.exe[1836] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[2076] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Windows\System32\svchost.exe[2076] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[2132] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Windows\system32\svchost.exe[2132] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[2172] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Windows\System32\svchost.exe[2172] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2336] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2336] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[2368] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Windows\System32\svchost.exe[2368] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\ProgramData\f43a0a22-b5b9-43e4-9c6f-705bf4e40c7b\plugincontainer.exe[2396] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[2416] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Program Files\Common Files\f43a0a22-b5b9-43e4-9c6f-705bf4e40c7b\updater.exe[2444] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\Windows\system32\wbem\wmiprvse.exe[2492] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Windows\system32\wbem\wmiprvse.exe[2492] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[2508] kernel32.dll!UnhandledExceptionFilter 75580781 5 Bytes JMP 013607D0
.text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2548] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2684] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2788] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2788] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[3080] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3124] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Program Files\Bitdefender\Bitdefender 2015\bdagent.exe[3144] kernel32.dll!UnhandledExceptionFilter 75580781 5 Bytes JMP 021B07D0
.text C:\Windows\system32\svchost.exe[3384] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Windows\system32\svchost.exe[3384] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3732] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3732] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\Windows\system32\taskhost.exe[3832] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4168] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4168] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\Windows\system32\SearchIndexer.exe[4272] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[4364] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[4364] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[4576] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Windows\System32\svchost.exe[4576] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\ProgramData\f43a0a22-b5b9-43e4-9c6f-705bf4e40c7b\plugins\10\plugin.exe[4968] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\ProgramData\f43a0a22-b5b9-43e4-9c6f-705bf4e40c7b\plugins\2\plugin.exe[5064] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\ProgramData\f43a0a22-b5b9-43e4-9c6f-705bf4e40c7b\plugins\3\plugin.exe[5068] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\ProgramData\f43a0a22-b5b9-43e4-9c6f-705bf4e40c7b\plugins\5\plugin.exe[5144] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\Windows\system32\GWX\GWX.exe[5256] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Windows\system32\sppsvc.exe[5292] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Windows\system32\sppsvc.exe[5292] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\Users\Artur\Desktop\36j6d8v6.exe[5404] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }
.text C:\Users\Artur\Desktop\36j6d8v6.exe[5404] ADVAPI32.dll!RegOpenKeyExA + DE 76C1494D 1 Byte [E9]
.text C:\ProgramData\f43a0a22-b5b9-43e4-9c6f-705bf4e40c7b\plugins\3\plugin.exe[5432] WS2_32.dll!connect 75486BDD 1 Byte [E9]
.text C:\Windows\system32\DllHost.exe[5876] ntdll.dll!NtLoadDriver + 8 76EE5BB8 2 Bytes [CE, FB] {INTO ; STI }

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys

---- Registry - GMER 2.1 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@33DAEFBC 60

---- EOF - GMER 2.1 ----