GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-06-11 15:30:31 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD103UJ rev.1AA01118 931,51GB Running: hpyjs171.exe; Driver: C:\Users\Patryk\AppData\Local\Temp\kfxdipog.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077e41465 2 bytes [E4, 77] .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077e414bb 2 bytes [E4, 77] .text ... * 2 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 17.0.0\avp.exe[1968] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 0000000077e8fa98 5 bytes JMP 00000000716d2f40 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 17.0.0\avp.exe[1968] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077e90028 5 bytes JMP 00000000716d2f00 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 17.0.0\avp.exe[1968] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize + 779 000000007702b9f8 4 bytes [40, 54, 6D, 71] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 17.0.0\avp.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077e41465 2 bytes [E4, 77] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 17.0.0\avp.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077e414bb 2 bytes [E4, 77] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077e41465 2 bytes [E4, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[3960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077e414bb 2 bytes [E4, 77] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077e41465 2 bytes [E4, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077e414bb 2 bytes [E4, 77] .text ... * 2 .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 424 0000000077c91398 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000077c9143f 8 bytes [50, 0E, EE, 7E, 00, 00, 00, ...] .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077c91594 8 bytes [40, 0E, EE, 7E, 00, 00, 00, ...] .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000077c9191e 8 bytes [30, 0E, EE, 7E, 00, 00, 00, ...] .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077c91bf8 8 bytes [20, 0E, EE, 7E, 00, 00, 00, ...] .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077c91d75 8 bytes [10, 0E, EE, 7E, 00, 00, 00, ...] .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077c91edf 8 bytes [00, 0E, EE, 7E, 00, 00, 00, ...] .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077c91fc5 8 bytes [F0, 0D, EE, 7E, 00, 00, 00, ...] .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000077c927b0 8 bytes [E0, 0D, EE, 7E, 00, 00, 00, ...] .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077ce13e0 8 bytes {JMP QWORD [RIP-0x4f7ee]} .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077ce1560 8 bytes {JMP QWORD [RIP-0x4f7f1]} .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077ce1590 8 bytes {JMP QWORD [RIP-0x50157]} .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ce16b0 8 bytes {JMP QWORD [RIP-0x4fd98]} .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ce1760 8 bytes {JMP QWORD [RIP-0x501d2]} .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ce1d90 8 bytes {JMP QWORD [RIP-0x4f5e6]} .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077ce1fe0 8 bytes {JMP QWORD [RIP-0x50021]} .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ce2840 8 bytes {JMP QWORD [RIP-0x50967]} .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000736c13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 00000000736c146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000736c16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000736c19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000736c19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Patryk\Downloads\hpyjs171.exe[4592] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 00000000736c1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88004585948] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3816] @ C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[KERNEL32.dll!LoadLibraryW] [7fef0fb106c] C:\Windows\KMS-R@1nHook.dll IAT C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3816] @ C:\Windows\system32\ADVAPI32.dll[RPCRT4.dll!RpcStringBindingComposeW] [7fef0fb1000] C:\Windows\KMS-R@1nHook.dll IAT C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3816] @ c:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL[RPCRT4.dll!RpcStringBindingComposeW] [7fef0fb1000] C:\Windows\KMS-R@1nHook.dll ---- Threads - GMER 2.2 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2076:5248] 000007fefbed2ab8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2076:5280] 000007feea20d618 Thread C:\Windows\System32\svchost.exe [6756:7568] 000007fef1539688 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD1 0x07 0x75 0x44 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x21 0x29 0x36 0xE8 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x47 0xA3 0xDC 0x62 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD1 0x07 0x75 0x44 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x21 0x29 0x36 0xE8 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x47 0xA3 0xDC 0x62 ... ---- EOF - GMER 2.2 ----