GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-12-08 16:11:36 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_SP1614N rev.TM100-31 149,05GB Running: xz0ufrpx.exe; Driver: C:\Users\Lucynka\AppData\Local\Temp\pxddypow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x89615F80] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x89616040] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x89616000] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x89615FC0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRenameKey + 1579 8307FF55 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830BA262 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 1203 830C1798 4 Bytes [80, 5F, 61, 89] {SBB BYTE [EDI+0x61], 0x89} .text ntkrnlpa.exe!KeRemoveQueueEx + 1313 830C18A8 4 Bytes [40, 60, 61, 89] .text ntkrnlpa.exe!KeRemoveQueueEx + 161F 830C1BB4 4 Bytes [00, 60, 61, 89] .text ntkrnlpa.exe!KeRemoveQueueEx + 1667 830C1BFC 4 Bytes [C0, 5F, 61, 89] {RCR BYTE [EDI+0x61], 0x89} .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x88F23B2E] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1984] kernel32.dll!SetUnhandledExceptionFilter 75C6F5FB 4 Bytes [C2, 04, 00, 00] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 852691E8 Device \Driver\usbuhci \Device\USBPDO-0 865731E8 Device \Driver\usbuhci \Device\USBPDO-1 865731E8 Device \Driver\usbuhci \Device\USBPDO-2 865731E8 Device \Driver\usbehci \Device\USBPDO-3 86547430 Device \Driver\usbuhci \Device\USBPDO-4 865731E8 Device \Driver\usbuhci \Device\USBPDO-5 865731E8 Device \Driver\USBSTOR \Device\00000070 861B31E8 Device \Driver\usbuhci \Device\USBPDO-6 865731E8 Device \Driver\usbehci \Device\USBPDO-7 86547430 Device \Driver\USBSTOR \Device\00000071 861B31E8 Device \Driver\cdrom \Device\CdRom0 861A51E8 Device \Driver\USBSTOR \Device\00000072 861B31E8 Device \Driver\cdrom \Device\CdRom1 861A51E8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 852671E8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 852671E8 Device \Driver\atapi \Device\Ide\IdePort0 852671E8 Device \Driver\atapi \Device\Ide\IdePort1 852671E8 Device \Driver\atapi \Device\Ide\IdePort2 852671E8 Device \Driver\atapi \Device\Ide\IdePort3 852671E8 Device \Driver\atapi \Device\Ide\IdePort4 852671E8 Device \Driver\atapi \Device\Ide\IdePort5 852671E8 Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-4 852671E8 Device \Driver\USBSTOR \Device\00000073 861B31E8 Device \Driver\cdrom \Device\CdRom2 861A51E8 Device \Driver\USBSTOR \Device\00000074 861B31E8 Device \Driver\USBSTOR \Device\00000075 861B31E8 Device \Driver\NetBT \Device\NetBt_Wins_Export 8630B1E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{B1987047-645E-4EBB-92A6-9DA975292029} 8630B1E8 Device \Driver\usbuhci \Device\USBFDO-0 865731E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{9CBFA8C0-8970-4163-9D98-61E0A2821FB8} 8630B1E8 Device \Driver\USBSTOR \Device\0000006d 861B31E8 Device \Driver\usbuhci \Device\USBFDO-1 865731E8 Device \Driver\USBSTOR \Device\0000006e 861B31E8 Device \Driver\usbuhci \Device\USBFDO-2 865731E8 Device \Driver\USBSTOR \Device\0000006f 861B31E8 Device \Driver\usbehci \Device\USBFDO-3 86547430 Device \Driver\usbuhci \Device\USBFDO-4 865731E8 Device \Driver\usbuhci \Device\USBFDO-5 865731E8 Device \Driver\usbuhci \Device\USBFDO-6 865731E8 Device \Driver\usbehci \Device\USBFDO-7 86547430 Device \FileSystem\cdfs \Cdfs 871A91E8 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x852671e8]<< 852671e8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x860bf548] 860bf548 Trace 3 CLASSPNP.SYS[896b259e] -> nt!IofCallDriver -> [0x85fbe5e8] 85fbe5e8 Trace 5 ACPI.sys[88f503d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85fbb908] 85fbb908 Trace \Driver\atapi[0x852d8360] -> IRP_MJ_CREATE -> 0x852671e8 852671e8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4F 0xFB 0x34 0xF6 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4F 0xFB 0x34 0xF6 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@EC048896 1236 ---- EOF - GMER 2.1 ----