GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-09-30 13:05:22 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\0000006d ST1000DM rev.CC4B 931,51GB Running: gbywyu4c.exe; Driver: C:\Users\MarcinJ\AppData\Local\Temp\kwdyikod.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x927E2320] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x927E23E0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x927E23A0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x927E2360] SSDT \SystemRoot\system32\ntkrnlpa.exe ZwCreateKey [0x8300CFEC] SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8300CFEC] ZwCreateKey [0x8300CFEC] SSDT \SystemRoot\system32\ntkrnlpa.exe ZwOpenKey [0x8300CFF1] SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8300CFF1] ZwOpenKey [0x8300CFF1] INT 0x03 \SystemRoot\system32\ntkrnlpa.exe[unknown section] 8300CFF6 INT 0x06 \??\C:\Windows\system32\drivers\Haspnt.sys 8200316D INT 0x0E \??\C:\Windows\system32\drivers\Haspnt.sys 82002FC2 ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRequestWaitReplyPort + 1495 830499E5 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83083312 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 11BF 8308A644 3 Bytes [EC, CF, 00] .text ntkrnlpa.exe!KeRemoveQueueEx + 1203 8308A688 4 Bytes [20, 23, 7E, 92] {AND [EBX], AH; JLE 0xffffff96} .text ntkrnlpa.exe!KeRemoveQueueEx + 1313 8308A798 4 Bytes [E0, 23, 7E, 92] {LOOPNZ 0x25; JLE 0xffffff96} .text ntkrnlpa.exe!KeRemoveQueueEx + 137F 8308A804 3 Bytes [F1, CF, 00] .text ntkrnlpa.exe!KeRemoveQueueEx + 161F 8308AAA4 4 Bytes [A0, 23, 7E, 92] .text ... .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9B02F000, 0x174C8A, 0xE8000020] .text C:\Windows\system32\drivers\aksfridge.sys section is writeable [0x924BF000, 0x49C57, 0xE0000020] .init C:\Windows\system32\drivers\aksfridge.sys entry point in ".init" section [0x92516224] .init C:\Windows\system32\drivers\aksfridge.sys unknown last code section [0x92516000, 0x4000, 0xE20000E0] .text C:\Windows\system32\drivers\hardlock.sys section is writeable [0x9251A400, 0x6EED8, 0xE8000020] .protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0x925A5020] C:\Windows\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0x925A5020] .protect˙˙˙˙hardlockunknown last code section [0x925A4E00, 0x50BA, 0xE0000020] C:\Windows\system32\drivers\hardlock.sys unknown last code section [0x925A4E00, 0x50BA, 0xE0000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[980] ntdll.dll!NtCreateFile 776E5608 5 Bytes JMP 663DB886 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[980] ntdll.dll!NtFlushBuffersFile 776E5998 5 Bytes JMP 663DB644 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[980] ntdll.dll!NtQueryFullAttributesFile 776E6028 5 Bytes JMP 663DB779 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[980] ntdll.dll!NtReadFile 776E62F8 5 Bytes JMP 663DB67E C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[980] ntdll.dll!NtReadFileScatter 776E6308 5 Bytes JMP 6673E1E8 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[980] ntdll.dll!NtWriteFile 776E6AA8 5 Bytes JMP 663DBA2A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[980] ntdll.dll!NtWriteFileGather 776E6AB8 5 Bytes JMP 6673E238 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[980] ntdll.dll!LdrLoadDll 777022AE 5 Bytes JMP 71FFA961 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[980] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76E894E6 7 Bytes JMP 6672695A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[980] kernel32.dll!QueryPerformanceCounter + 13 76E8C4E5 7 Bytes JMP 6672749B C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[980] kernel32.dll!LoadAppInitDlls + 355 76E8F5A6 7 Bytes JMP 664A1FAE C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[980] USER32.dll!GetWindowInfo 77444B5E 5 Bytes JMP 67254F1B C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[980] GDI32.dll!GetViewportOrgEx + 26C 761A884B 7 Bytes JMP 6672612E C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1860] kernel32.dll!SetUnhandledExceptionFilter 76E8F5AB 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\CCleaner\CCleaner.exe[4092] USER32.dll!SetScrollRange 77438EC5 5 Bytes JMP 003EA104 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[4092] USER32.dll!GetScrollInfo 77442DA3 5 Bytes JMP 003EA097 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[4092] USER32.dll!SetScrollInfo 774448DA 5 Bytes JMP 003EA13B C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[4092] USER32.dll!GetScrollRange 7746045A 5 Bytes JMP 003EA03A C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[4092] USER32.dll!SetScrollPos 774604BE 5 Bytes JMP 003EA015 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[4092] USER32.dll!GetScrollPos 77460E43 5 Bytes JMP 003EA072 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[4092] USER32.dll!EnableScrollBar 774619CE 5 Bytes JMP 003EA16F C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[4092] USER32.dll!ShowScrollBar 77463C89 5 Bytes JMP 003EA0CA C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\Microsoft Office\Office14\WINWORD.EXE[4444] kernel32.dll!SetUnhandledExceptionFilter 76E8F5AB 5 Bytes JMP 557E3843 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll .text C:\Program Files\Microsoft Office\Office14\WINWORD.EXE[4444] ole32.dll!OleLoadFromStream 772D6143 5 Bytes JMP 5647DE54 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[3792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73FC249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73FA5652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73FA5710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73FC251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73FB857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73FB4D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73FB50D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73FB51AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73FB66DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73FB82D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73FB8824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73FB9085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73FBE228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3792] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73FB4C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp networx.sys Device \Driver\partmgr \Device\PartmgrControl aksfridge.sys AttachedDevice \Driver\tdx \Device\Udp networx.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 3905 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 1672 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x74 0x08 0xD2 0xAE ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x74 0x08 0xD2 0xAE ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG18.00.00.01PROFESSIONAL B13214FA4EF4C17D68F14DA1453AACC7AC6978ADA60028B5D56170F4B626143DC83A5AC7DA7892D01139B135D1878DE63A6B37573C0DFE9387109DBEF3E78CB36E1912DD3798F6A8E93A8C8D9E6353A09B83FB22686C9975BA96B18A8B750211D2DD2D842722ADEBD9E1AB5DB74B28178CA290489BEAAFD59D8616BB758F56C93A5CD368C8E2E629D8E71439FBBEA98FD9FDF6E69CDA6DD4F3B6E6197977E1F47DABDE1B08AE4791F5417B1B1F44EA75668EE28182FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA9C6AECB7A5D1407A9C6AECB7A5D1407A2D97226D213B555A6171C11EC38DE3D58954CA77AE87C3926A7ED0AB8642A7AF21CCAD281DF0BD766F76941242EE159E71797CC290B026FEDA7F67AAA059B7D6DFA9898CB2C22B1C99D26B6AC9DBBAA60C59DFB01CFC8F41B0E9A41ACBEEF4F1708318AEEDBC4455F0F583E23D3F918AE7D67BB932422F348A319B94EFC027E5D18AEF69C7778A885CF953B7D9AE85B428F2226B2AD426D97A55A51E5E091703376D1C14CBCA3459F581525F069B8828E429DE57944C234AD47E50A8BBF3F5E0C627CE1B71D12581315318AF7F0FD728B4D50BFC1F0A270B22FEB7A9DA09255E2903661DC3FF2F3CBE46C89559231DF345FD386AB75429E52F43DCC3CC0F535B5A5A861FD7B5AFEB89CE Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@6CCCF8AF 483 ---- EOF - GMER 2.1 ----