GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-07-05 19:05:34
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006b Hitachi_ rev.PC3O 298,09GB
Running: xe2bk3br.exe; Driver: C:\Users\admin\AppData\Local\Temp\pxldakoc.sys

---- Kernel code sections - GMER 2.2 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable      fffff96000165c00 7 bytes [C0, 4B, F3, FF, 01, 55, F0]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8  fffff96000165c08 3 bytes [C0, 06, 02]

---- Kernel IAT/EAT - GMER 2.2 ----

IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]   [fffff880010dce94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]          [fffff880010dcc38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]         [fffff880010dd654] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong]         [fffff880010dda50] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]  [fffff880010dd8ac] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Devices - GMER 2.2 ----

Device  \FileSystem\Ntfs \Ntfs                                                       fffffa8002e0e2c0
Device  \FileSystem\fastfat \Fat                                                     fffffa8002b862c0
Device  \Driver\usbohci \Device\USBFDO-3                                             fffffa8003bbe2c0
Device  \Driver\usbehci \Device\USBPDO-5                                             fffffa8003bd32c0
Device  \Driver\usbohci \Device\USBPDO-1                                             fffffa8003bbe2c0
Device  \Driver\amd_sata \Device\RaidPort0                                           fffffa8002e082c0
Device  \Driver\cdrom \Device\CdRom0                                                 fffffa80036692c0
Device  \Driver\amd_sata \Device\0000006b                                            fffffa8002e082c0
Device  \Driver\usbohci \Device\USBFDO-4                                             fffffa8003bbe2c0
Device  \Driver\usbohci \Device\USBFDO-0                                             fffffa8003bbe2c0
Device  \Driver\usbehci \Device\USBPDO-2                                             fffffa8003bd32c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{A022C0B8-67B1-496C-8D30-EA5C1A70A46A}     fffffa8003a4a2c0
Device  \Driver\amd_sata \Device\0000006c                                            fffffa8002e082c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{A30359B6-F0C2-4351-80C9-A2B0746BF713}     fffffa8003a4a2c0
Device  \Driver\usbehci \Device\USBFDO-5                                             fffffa8003bd32c0
Device  \Driver\usbohci \Device\USBFDO-1                                             fffffa8003bbe2c0
Device  \Driver\usbohci \Device\USBPDO-3                                             fffffa8003bbe2c0
Device  \Driver\NetBT \Device\NetBt_Wins_Export                                      fffffa8003a4a2c0
Device  \Driver\usbehci \Device\USBFDO-2                                             fffffa8003bd32c0
Device  \Driver\amd_sata \Device\ScsiPort0                                           fffffa8002e082c0
Device  \Driver\usbohci \Device\USBPDO-4                                             fffffa8003bbe2c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{0A6F6C4D-74A9-421C-A7F8-3846B8CF6A1F}     fffffa8003a4a2c0
Device  \Driver\usbohci \Device\USBPDO-0                                             fffffa8003bbe2c0

---- Trace I/O - GMER 2.2 ----

Trace  ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys >>UNKNOWN [0xfffffa8002e0a2c0]<< sptd.sys amd_xata.sys storport.sys hal.dll amd_sata.sys  fffffa8002e0a2c0
Trace  1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003658060]                     fffffa8003658060
Trace  3 CLASSPNP.SYS[fffff880013b643f] -> nt!IofCallDriver -> [0xfffffa8003657210]          fffffa8003657210
Trace  5 hpdskflt.sys[fffff88001676379] -> nt!IofCallDriver -> [0xfffffa800352eac0]          fffffa800352eac0
Trace  \Driver\amd_xata[0xfffffa8002ef4410] -> IRP_MJ_CREATE -> 0xfffffa8002e0a2c0          fffffa8002e0a2c0
Trace  7 amd_xata.sys[fffff88000e81d00] -> nt!IofCallDriver -> \Device\0000006b[0xfffffa8002efc470]  fffffa8002efc470
Trace  \Driver\amd_sata[0xfffffa8002ef4060] -> IRP_MJ_CREATE -> 0xfffffa8002e082c0          fffffa8002e082c0

---- Threads - GMER 2.2 ----

Thread  System [4:6064]                                                   fffffa800401fcd8
Thread  System [4:6068]                                                   fffffa8003fdda1c
Thread  System [4:6072]                                                   fffffa8003fe6c84
Thread  System [4:6076]                                                   fffffa8003fe5580
Thread  System [4:6084]                                                   fffffa8003fdf1a4
Thread  C:\Windows\System32\svchost.exe [928:3440]                        000007fef7a0a2b0
Thread  C:\Windows\System32\svchost.exe [928:2568]                        000007fefbc189a8
Thread  C:\Windows\System32\svchost.exe [928:4664]                        000007fef47844d0
Thread  C:\Windows\system32\svchost.exe [252:2772]                        000007fefa89506c
Thread  C:\Windows\system32\svchost.exe [252:2752]                        000007fef7f11c20
Thread  C:\Windows\system32\svchost.exe [252:2632]                        000007fef7f11c20
Thread  C:\Windows\system32\svchost.exe [252:544]                         000007fef8deab8c
Thread  C:\Windows\system32\svchost.exe [252:5976]                        000007fef90c5124
Thread  C:\Windows\system32\svchost.exe [252:4248]                        000007fef441a574
Thread  C:\Windows\system32\svchost.exe [252:4960]                        000007fefabf4164
Thread  C:\Windows\system32\svchost.exe [252:3960]                        000007fefac11ab0
Thread  C:\ProgramData\DatacardService\HWDeviceService64.exe [1472:1508]  000007fefd3fa808
Thread  C:\Windows\system32\taskhost.exe [1824:1948]                      000007fef82b1f38
Thread  C:\Windows\system32\taskhost.exe [1824:1952]                      000007fefaf81010
Thread  C:\Windows\system32\taskhost.exe [1824:3236]                      000007fef8015170
Thread  C:\Windows\Explorer.EXE [1980:5480]                               0000000004c8449c
Thread  C:\Windows\Explorer.EXE [1980:4428]                               000000000ec44840
Thread  C:\Windows\Explorer.EXE [1980:4456]                               000000000ed0dbb4
Thread  C:\Windows\Explorer.EXE [1980:2744]                               000000000ed0dbb4
Thread  C:\Windows\Explorer.EXE [1980:5572]                               000000000ed0dbb4
Thread  C:\Windows\Explorer.EXE [1980:5568]                               000000000ed0dbb4
Thread  C:\Windows\system32\taskhost.exe [5092:3372]                      000007fef925ee1c
Thread  C:\Windows\system32\rundll32.exe [5688:3572]                      000007fefc79d500

---- Processes - GMER 2.2 ----

Library  C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMenuRight.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1980]  000007fefac30000

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0  C:\Program Files\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0  C:\Program Files\DAEMON Tools Lite\

---- Files - GMER 2.2 ----

ADS  C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys  50888 bytes executable  <-- ROOTKIT !!!
ADS  C:\Program Files (x86)\UCBrowser\Security:x64            749456 bytes executable
ADS  C:\Program Files (x86)\UCBrowser\Security:x86            611728 bytes executable

---- Services - GMER 2.2 ----

Service  C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [SYSTEM] ucdrv  <-- ROOTKIT !!!

---- EOF - GMER 2.2 ----
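Reading a GMER log by hand is error prone once the Devices and Threads sections run to dozens of lines, so the triage script below pulls out the three findings a responder actually acts on in a scan like this one: an executable image stored in an NTFS alternate data stream (the ucdrv-x64.sys stream under UCBrowser\Security), a service whose image path points into such a stream (ucdrv), and kernel IAT entries that resolve into a different driver than the module that exports the import (atapi.sys imports from ataport.SYS landing in sptd.sys, which the Registry section ties to DAEMON Tools Lite). This is an added example, not part of GMER or of the scan above. The sample log embedded in it is a constructed excerpt: the IAT, ADS and Service lines are copied from this page, and one Zone.Identifier stream and one plain atapi service line were added to show what the script deliberately ignores. The script does not judge whether a flagged image is malicious; that still needs the file's signature and hash checked. Note also that the Running/Driver header line names GMER's own randomly named executable and helper driver, not a finding.

```python
"""Triage helper for GMER 2.2 text logs (added example; not GMER's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt: IAT/ADS/Service lines copied from the scan on this page,
# plus two invented benign lines (Zone.Identifier ADS, atapi service) as negatives.
SAMPLE_LOG = r"""
---- Kernel IAT/EAT - GMER 2.2 ----

IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]   [fffff880010dcc38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong]  [fffff880010dda50] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Files - GMER 2.2 ----

ADS  C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys  50888 bytes executable  <-- ROOTKIT !!!
ADS  C:\Program Files (x86)\UCBrowser\Security:x64            749456 bytes executable
ADS  C:\Users\admin\notes.txt:Zone.Identifier                  26 bytes

---- Services - GMER 2.2 ----

Service  C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [SYSTEM] ucdrv  <-- ROOTKIT !!!
Service  C:\Windows\system32\drivers\atapi.sys [BOOT] atapi
"""

ROOTKIT_TAG = "<-- ROOTKIT !!!"
ADS_RE = re.compile(r"^ADS\s+(?P<path>.+?)\s+(?P<size>\d+) bytes(?P<exec>\s+executable)?")
SERVICE_RE = re.compile(r"^Service\s+(?P<image>.+?)\s+\[(?P<start>[^\]]+)\]\s+(?P<name>\S+)")
IAT_RE = re.compile(
    r"^IAT\s+(?P<module>.+?)\[(?P<imp>[^\]]+)\]\s+\[(?P<addr>[0-9a-fA-F]+)\]"
    r"\s+(?P<target>\S+)\s+\[(?P<section>[^\]]+)\]"
)


@dataclass(frozen=True)
class Finding:
    kind: str             # "ads-executable" | "service-in-ads" | "iat-redirect"
    subject: str          # stream path, service name, or hooked import
    detail: str
    flagged_by_gmer: bool  # True when GMER itself appended "<-- ROOTKIT !!!"


def split_stream(path: str) -> tuple[str, str]:
    """Split 'C:\\dir\\host:stream' into (host, stream); stream is '' without an ADS.

    The drive-letter colon is skipped first so 'C:\\x.sys' is not read as a stream.
    """
    prefix = ""
    if re.match(r"^[A-Za-z]:", path):
        prefix, path = path[:2], path[2:]
    host, sep, stream = path.rpartition(":")
    if not sep:
        return prefix + path, ""
    return prefix + host, stream


def triage(log_text: str) -> list[Finding]:
    """Return the findings worth a responder's time, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        flagged = ROOTKIT_TAG in line
        if flagged:
            line = line.replace(ROOTKIT_TAG, "").rstrip()
        if m := ADS_RE.match(line):
            if m.group("exec"):  # a non-executable stream (e.g. Zone.Identifier) is normal
                host, stream = split_stream(m.group("path"))
                findings.append(Finding(
                    "ads-executable", m.group("path"),
                    f"{m.group('size')}-byte executable in stream '{stream}' of {host}", flagged))
        elif m := SERVICE_RE.match(line):
            host, stream = split_stream(m.group("image"))
            if stream:  # service image loaded out of an alternate data stream
                findings.append(Finding(
                    "service-in-ads", m.group("name"),
                    f"service '{m.group('name')}' [{m.group('start')}] loads '{stream}' from a stream of {host}",
                    flagged))
        elif m := IAT_RE.match(line):
            # The import names its exporter ('ataport.SYS!Func'); a resolved address
            # inside any other driver means the IAT entry was redirected.
            provider = m.group("imp").split("!", 1)[0]
            target = m.group("target").rsplit("\\", 1)[-1]
            if provider.lower() != target.lower():
                findings.append(Finding(
                    "iat-redirect", m.group("imp"),
                    f"{m.group('module')} import resolves into {target} at {m.group('addr')} instead of {provider}",
                    flagged))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        mark = " [GMER: ROOTKIT]" if f.flagged_by_gmer else ""
        print(f"{f.kind:16} {f.subject}\n    {f.detail}{mark}")
```

Run it against a full log with `triage(open("gmer.log", encoding="utf-16").read())` (GMER writes UTF-16 when saving from the GUI; copied text is plain UTF-8). The IAT check needs no allowlist of Microsoft drivers: GMER prints the exporting module in the import name, so any target whose basename differs is a redirect, which is exactly what the sptd.sys entries above are.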