GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-06-13 23:14:32 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\00000063 ST925041 rev.D005 232,89GB Running: n6fl9zqn.exe; Driver: C:\Users\Julia\AppData\Local\Temp\fxldapog.sys ---- System - GMER 2.2 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x91FC1610] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x91FC1670] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x91FC1650] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x91FC1630] ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwRenameKey + 1549 82A8AF05 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AC5292 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 1203 82ACC7C8 4 Bytes [10, 16, FC, 91] {ADC [ESI], DL; CLD ; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 1313 82ACC8D8 4 Bytes [70, 16, FC, 91] {JO 0x18; CLD ; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 161F 82ACCBE4 4 Bytes [50, 16, FC, 91] {PUSH EAX; PUSH SS; CLD ; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 1667 82ACCC2C 4 Bytes [30, 16, FC, 91] {XOR [ESI], DL; CLD ; XCHG ECX, EAX} ---- User code sections - GMER 2.2 ---- .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[752] kernel32.dll!SetUnhandledExceptionFilter 76FDF71B 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\CCleaner\CCleaner.exe[2924] USER32.dll!SetScrollRange 75B38E8B 5 Bytes JMP 00566826 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2924] USER32.dll!GetScrollInfo 75B42D73 5 Bytes JMP 00566945 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2924] USER32.dll!SetScrollInfo 75B448AA 5 Bytes JMP 0056689D C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2924] USER32.dll!GetScrollRange 75B6042A 5 Bytes JMP 005668D7 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2924] USER32.dll!SetScrollPos 75B6048E 5 Bytes JMP 00566863 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2924] USER32.dll!GetScrollPos 75B60E13 5 Bytes JMP 00566911 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2924] USER32.dll!EnableScrollBar 75B6199E 5 Bytes JMP 0056697C C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2924] USER32.dll!ShowScrollBar 75B63C59 5 Bytes JMP 005667EF C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\Internet Explorer\iexplore.exe[3680] shell32.DLL!RealDriveType + 173D 7612FCA0 4 Bytes [80, C0, 9A, 72] .text C:\Program Files\Internet Explorer\iexplore.exe[3680] shell32.DLL!RealDriveType + 1745 7612FCA8 8 Bytes [10, 12, 9A, 72, 50, C1, 9A, ...] ---- Devices - GMER 2.2 ---- AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{54E30913-BF06-4BD2-870A-1FE7E18369F7}\Connection@Name isatap.{26D5F144-CA54-4426-A7A2-F0379FD7C4D7} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{5EDF1EC2-BB6D-41C4-A36A-BF36B1A6481B}\Connection@Name isatap.{722DCF7F-2190-4DAA-801F-DECFDCF0EF93} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Bind \Device\{7892CADD-B989-4DBA-BF95-2FF9294B4B93}?\Device\{C665F3F2-FF0F-4FFF-84BE-19571E73D189}?\Device\{54E30913-BF06-4BD2-870A-1FE7E18369F7}?\Device\{5EDF1EC2-BB6D-41C4-A36A-BF36B1A6481B}?\Device\{70E371D0-3FDB-47F7-8EFF-823EC0A49135}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Route "{7892CADD-B989-4DBA-BF95-2FF9294B4B93}"?"{C665F3F2-FF0F-4FFF-84BE-19571E73D189}"?"{54E30913-BF06-4BD2-870A-1FE7E18369F7}"?"{5EDF1EC2-BB6D-41C4-A36A-BF36B1A6481B}"?"{70E371D0-3FDB-47F7-8EFF-823EC0A49135}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Export \Device\TCPIP6TUNNEL_{7892CADD-B989-4DBA-BF95-2FF9294B4B93}?\Device\TCPIP6TUNNEL_{C665F3F2-FF0F-4FFF-84BE-19571E73D189}?\Device\TCPIP6TUNNEL_{54E30913-BF06-4BD2-870A-1FE7E18369F7}?\Device\TCPIP6TUNNEL_{5EDF1EC2-BB6D-41C4-A36A-BF36B1A6481B}?\Device\TCPIP6TUNNEL_{70E371D0-3FDB-47F7-8EFF-823EC0A49135}? Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{54E30913-BF06-4BD2-870A-1FE7E18369F7}@InterfaceName isatap.{26D5F144-CA54-4426-A7A2-F0379FD7C4D7} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{54E30913-BF06-4BD2-870A-1FE7E18369F7}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{5EDF1EC2-BB6D-41C4-A36A-BF36B1A6481B}@InterfaceName isatap.{722DCF7F-2190-4DAA-801F-DECFDCF0EF93} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{5EDF1EC2-BB6D-41C4-A36A-BF36B1A6481B}@ReusableType 0 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@2A3F2344 62 ---- EOF - GMER 2.2 ----