GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-01-20 19:49:52 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\0000006e CT250BX1 rev.MU02 232,89GB Running: gmer.exe; Driver: D:\Temp\Temp\pgloqpoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002db7000 8 bytes [00, 00, 10, 02, 4E, 74, 66, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 544 fffff80002db7010 29 bytes [45, 07, E8, 00, 00, 00, 00, ...] .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff880057c3c34 12 bytes {MOV RAX, 0xfffffa80105132a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3464] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076ca87b1 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff88001076650] \SystemRoot\System32\Drivers\spuh.sys [unknown section] IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff880010765dc] \SystemRoot\System32\Drivers\spuh.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800104135c] \SystemRoot\System32\Drivers\spuh.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001041224] \SystemRoot\System32\Drivers\spuh.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001041a24] \SystemRoot\System32\Drivers\spuh.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff88001041ba0] \SystemRoot\System32\Drivers\spuh.sys [unknown section] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa800d4302c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80102b32c0 Device \Driver\iaStorA \Device\RaidPort0 fffffa800d42c2c0 Device \Driver\cdrom \Device\CdRom0 fffffa800ff8a2c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa80102b32c0 Device \Driver\iaStorA \Device\0000006c fffffa800d42c2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80102b32c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa800d4242c0 Device \Driver\volmgr \Device\FtControl fffffa800d4242c0 Device \Driver\volmgr \Device\VolMgrControl fffffa800d4242c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa800d4242c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa800d4242c0 Device \Driver\volmgr \Device\HarddiskVolume4 fffffa800d4242c0 Device \Driver\volmgr \Device\HarddiskVolume5 fffffa800d4242c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{549C02C8-33EF-4B56-8493-E98E625DCAA8} fffffa800ff402c0 Device \Driver\volmgr \Device\HarddiskVolume6 fffffa800d4242c0 Device \Driver\iaStorA \Device\0000006d fffffa800d42c2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800ff402c0 Device \Driver\iaStorA \Device\ScsiPort0 fffffa800d42c2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa80102b32c0 Device \Driver\iaStorA \Device\0000006e fffffa800d42c2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys iaStorF.sys >>UNKNOWN [0xfffffa800d42c2c0]<< spuh.sys storport.sys hal.dll iaStorA.sys fffffa800d42c2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa800fdd7060] fffffa800fdd7060 Trace 3 CLASSPNP.SYS[fffff8800214e43f] -> nt!IofCallDriver -> [0xfffffa800fb5c860] fffffa800fb5c860 Trace 5 iaStorF.sys[fffff880020eaa88] -> nt!IofCallDriver -> \Device\0000006e[0xfffffa800d6539c0] fffffa800d6539c0 Trace \Driver\iaStorA[0xfffffa800d5af260] -> IRP_MJ_CREATE -> 0xfffffa800d42c2c0 fffffa800d42c2c0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x36 0xD1 0x66 0x49 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0E 0xFE 0x95 0x25 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xB8 0x64 0xCD 0xBE ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xC7 0x55 0x77 0x1F ... ---- EOF - GMER 2.1 ----