GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-07-11 05:05:12
Windows 6.2.9200 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 KINGSTON_SV300S37A120G rev.603ABBF0 111,79GB
Running: p8ymrcql.exe; Driver: C:\Users\T500\AppData\Local\Temp\pxldapob.sys


---- Kernel code sections - GMER 2.2 ----

.text ntoskrnl.exe!ExfUnblockPushLock + 1547 819358DD 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 622 8193A082 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1436873348
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0c607687a644
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings
Reg HKLM\SYSTEM\CurrentControlSet\Services\IBMPMSVC\Parameters\Notification@Type2 272
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 1245
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 90
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{68b2a470-d014-46b9-bd7e-1ad538371fce}@LeaseObtainedTime 1468142368
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{68b2a470-d014-46b9-bd7e-1ad538371fce}@T1 1468185568
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{68b2a470-d014-46b9-bd7e-1ad538371fce}@T2 1468217968
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{68b2a470-d014-46b9-bd7e-1ad538371fce}@LeaseTerminatesTime 1468228768
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x35 0x8F 0xBD 0xD7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x35 0xF7 0x81 0x39 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x35 0x27 0xF9 0x75 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0xAA 0xBF 0xE8 0x43 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\Configuration\CfgClient\ControlSet@LastPullTime 0xF2 0xAB 0xE2 0x7B ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack@LastHeartBeatTime 0x58 0xC9 0xCD 0x45 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests@LastNormalDownloadAttempt 0xF2 0xAB 0xE2 0x7B ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests@LastCriticalDownloadAttempt 0xAB 0xA4 0xA5 0x7B ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests\cfc.flights@LastDownloadTime 0x14 0xA1 0x6E 0x25 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests\cfc.flights@RefreshInterval 240
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests\cfc.flights@ETag 240:AB99AD51::2EF0B83B47
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests\telemetry.ASM-WindowsDefault@LastDownloadTime 0xAB 0xA4 0xA5 0x7B ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests\utc.app@LastDownloadTime 0xAB 0xA4 0xA5 0x7B ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests\WINDOWS.DIAGNOSTICS@LastDownloadTime 0xE4 0x1C 0xF5 0x62 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests\WINDOWS.DIAGNOSTICS@RefreshInterval 45
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests\WINDOWS.DIAGNOSTICS@ETag 33:66A2A386::2EF0B83DE9
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests\WINDOWS.PERFTRACKESCALATIONS@LastDownloadTime 0x14 0xA1 0x6E 0x25 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests\WINDOWS.PERFTRACKPOINTDATA@LastDownloadTime 0x14 0xA1 0x6E 0x25 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\ARP@0 Software\Microsoft\Windows\CurrentVersion\Uninstall?Mozilla Thunderbird 45.2.0 (x86 pl)?C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe?
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\ARP@1 Software\Microsoft\Windows\CurrentVersion\Uninstall?{25E80DAA-FD87-DCE5-202C-CC02F6673002}?MsiExec.exe /I{25E80DAA-FD87-DCE5-202C-CC02F6673002}?
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\ARP@2 Software\Microsoft\Windows\CurrentVersion\Uninstall?{3d9e0476-943f-4962-99dc-b9c937a43840}?"C:\ProgramData\Package Cache\{3d9e0476-943f-4962-99dc-b9c937a43840}\Avira.OE.Setup.Bundle.exe" /uninstall?
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\ARP@3 Software\Microsoft\Windows\CurrentVersion\Uninstall?{413fb852-4e7d-4e52-bcaa-6270ff9a9347}?"C:\ProgramData\Package Cache\{413fb852-4e7d-4e52-bcaa-6270ff9a9347}\novapdf.exe" /uninstall?
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\ARP@4 Software\Microsoft\Windows\CurrentVersion\Uninstall?{49965069-29AB-4793-8F8F-D5718407C161}?MsiExec.exe /X{49965069-29AB-4793-8F8F-D5718407C161}?
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\ARP@5 Software\Microsoft\Windows\CurrentVersion\Uninstall?{698F424B-3C26-4CFD-8879-481CAEC6C9EF}?MsiExec.exe /I{698F424B-3C26-4CFD-8879-481CAEC6C9EF}?
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\ARP@6 Software\Microsoft\Windows\CurrentVersion\Uninstall?{6E0351FF-6A71-45C5-A041-D4D9D8067EAF}?MsiExec.exe /I{6E0351FF-6A71-45C5-A041-D4D9D8067EAF}?
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\ARP@7 Software\Microsoft\Windows\CurrentVersion\Uninstall?{A0B71772-5AC4-47D5-A175-99238C057B37}?MsiExec.exe /X{A0B71772-5AC4-47D5-A175-99238C057B37}?
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\ARP@8 Software\Microsoft\Windows\CurrentVersion\Uninstall?{C1578C4F-5453-44FE-A172-01331906BF18}?MsiExec.exe /X{C1578C4F-5453-44FE-A172-01331906BF18}?
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@CA05F6BF 6
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1500825603-450778821-1061133333-1000@RefCount 10
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@NewClientID 306
Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{5F3BBB90-9FE7-11E5-B450-806E6F6E6963} 1849948272

---- EOF - GMER 2.2 ----