GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-03-31 14:09:43 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000033 ST1000LM014-SSHD-8GB rev.LVD4 931,51GB Running: ns8yuh0x.exe; Driver: C:\Users\Marcin\AppData\Local\Temp\pwrdypow.sys ---- User code sections - GMER 2.2 ---- .text C:\WINDOWS\Explorer.EXE[4724] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffe1f96b0a0 5 bytes JMP 00007ffe073126d4 .text C:\Program Files\CCleaner\CCleaner64.exe[6692] C:\WINDOWS\system32\USER32.dll!ShowScrollBar 00007ffe21e61150 5 bytes JMP 00007ffda1e90018 .text C:\Program Files\CCleaner\CCleaner64.exe[6692] C:\WINDOWS\system32\USER32.dll!SetScrollInfo 00007ffe21e68430 5 bytes JMP 00007ffda1e80018 .text C:\Program Files\CCleaner\CCleaner64.exe[6692] C:\WINDOWS\system32\USER32.dll!SetScrollRange 00007ffe21e81100 5 bytes JMP 00007ffda1ed0018 .text C:\Program Files\CCleaner\CCleaner64.exe[6692] C:\WINDOWS\system32\USER32.dll!GetScrollInfo 00007ffe21e854a0 5 bytes JMP 00007ffda1ea0018 .text C:\Program Files\CCleaner\CCleaner64.exe[6692] C:\WINDOWS\system32\USER32.dll!SetScrollPos 00007ffe21e96260 5 bytes JMP 00007ffda1f10018 .text C:\Program Files\CCleaner\CCleaner64.exe[6692] C:\WINDOWS\system32\USER32.dll!GetScrollPos 00007ffe21e97120 1 byte JMP 00007ffda1ec0018 .text C:\Program Files\CCleaner\CCleaner64.exe[6692] C:\WINDOWS\system32\USER32.dll!GetScrollPos + 2 00007ffe21e97122 3 bytes {JMP 0xffffffff80028ef8} .text C:\Program Files\CCleaner\CCleaner64.exe[6692] C:\WINDOWS\system32\USER32.dll!EnableScrollBar 00007ffe21e986f0 5 bytes JMP 00007ffda1eb0018 .text C:\Program Files\CCleaner\CCleaner64.exe[6692] C:\WINDOWS\system32\USER32.dll!GetScrollRange 00007ffe21eeec70 5 bytes JMP 00007ffda1f00018 .text C:\Program Files\Lenovo\OneKey Optimizer\bin\OneKeyOptimizer.exe[6292] C:\WINDOWS\system32\KERNELBASE.dll!RegQueryValueExW 00007ffe1f953fd0 5 bytes JMP 00007ffdbda80200 .text C:\Program Files\Lenovo\OneKey Optimizer\bin\OneKeyOptimizer.exe[6292] C:\WINDOWS\SYSTEM32\mshtml.dll!RunHTMLApplication 00007ffdfda934e0 7 bytes JMP 00007ffdbda80198 ---- Devices - GMER 2.2 ---- Device \Driver\axscsidrv \Device\Scsi\axscsidrv1Port1Path0Target0Lun0 ffffe0001150f2c0 Device \Driver\axscsidrv \Device\Scsi\axscsidrv1 ffffe0001150f2c0 Device \Driver\iaStorA \Device\RaidPort0 ffffe0000cff82c0 Device \Driver\cdrom \Device\CdRom0 ffffe00010bfa2c0 Device \Driver\cdrom \Device\CdRom1 ffffe00010bfa2c0 Device \Driver\ssudmdm \Device\ssudmdm0000 fffff800195d27a0 Device \Driver\dg_ssudbus \Device\0000006b fffff80019441960 Device \Driver\iaStorA \Device\00000033 ffffe0000cff82c0 Device \Driver\iaStorA \Device\ScsiPort0 ffffe0000cff82c0 Device \Driver\axscsidrv \Device\ScsiPort1 ffffe0001150f2c0 Device \Driver\iaStorA \Device\00000034 ffffe0000cff82c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xffffe0000cff82c0]<< sptd.sys storport.sys hal.dll iaStorA.sys ffffe0000cff82c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe0001089b060] ffffe0001089b060 Trace 3 CLASSPNP.SYS[fffff8000ecdcf40] -> nt!IofCallDriver -> [0xffffe0000d9d9960] ffffe0000d9d9960 Trace 5 ACPI.sys[fffff8000da79c21] -> nt!IofCallDriver -> \Device\00000033[0xffffe0000d9fd060] ffffe0000d9fd060 Trace \Driver\iaStorA[0xffffe0000d9ca520] -> IRP_MJ_CREATE -> 0xffffe0000cff82c0 ffffe0000cff82c0 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [684:712] fffff960008872d0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -622211737 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\34e6ada7e0bc Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\34e6ada7e0bc@00023c48cdae 0xC2 0xC2 0xA8 0x18 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 3195 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 855 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x00 0x9D 0x00 0x84 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x86 0x88 0x1C 0xBA ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xD9 0x7B 0xAC 0x13 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{150C086D-8B79-42CA-BA1B-C8A311E9B6BC}@LeaseObtainedTime 1459422065 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{150C086D-8B79-42CA-BA1B-C8A311E9B6BC}@T1 1459423865 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{150C086D-8B79-42CA-BA1B-C8A311E9B6BC}@T2 1459425215 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{150C086D-8B79-42CA-BA1B-C8A311E9B6BC}@LeaseTerminatesTime 1459425665 Reg HKLM\SYSTEM\CurrentControlSet\Services\WinUsb\Parameters\Wdf@TimeOfLastSqmLog 0xCC 0x60 0x2C 0xD8 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\WpdUpFltr\Parameters\Wdf@TimeOfLastSqmLog 0xA0 0x3C 0xC0 0x98 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\GWX\Usage@UsageTime 0xEF 0xEC 0x04 0x01 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0x3B 0xE6 0x80 0x4C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0x3B 0xE6 0x80 0x4C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0x3B 0xE6 0x80 0x4C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0x3B 0xE6 0x80 0x4C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@RoamingSyncToken LM%3d63595015761233%3bID%3d893480060C7ECB03!102%3bLR%3d63595019597310%3bEP%3d5%3bSI%3d0%3bTD%3dTrue%3bSO%3d0 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----