GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-07-05 21:04:32 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 WDC_WD2500AAJS-22B4A0 rev.01.03A01 232,89GB Running: 6d94hmg3.exe; Driver: C:\Users\CZOWIE~1\AppData\Local\Temp\pgddapoc.sys ---- System - GMER 2.2 ---- SSDT \??\C:\Windows\system32\Drivers\bsdp32.sys ZwCreateFile [0x8FCB5792] SSDT \??\C:\Windows\system32\Drivers\bsdp32.sys ZwCreateKey [0x8FCB6276] SSDT \??\C:\Windows\system32\Drivers\bsdp32.sys ZwDeleteFile [0x8FCB5710] SSDT \??\C:\Windows\system32\Drivers\bsdp32.sys ZwDeleteValueKey [0x8FCB6692] SSDT \??\C:\Windows\system32\Drivers\bsdp32.sys ZwOpenFile [0x8FCB588A] SSDT \??\C:\Windows\system32\Drivers\bsdp32.sys ZwOpenKey [0x8FCB646E] SSDT \??\C:\Windows\system32\Drivers\bsdp32.sys ZwOpenKeyEx [0x8FCB63AE] SSDT \??\C:\Windows\system32\Drivers\bsdp32.sys ZwOpenProcess [0x8FCB6B50] SSDT \??\C:\Windows\system32\Drivers\bsdp32.sys ZwQueryDirectoryFile [0x8FCB5B74] SSDT \??\C:\Windows\system32\Drivers\bsdp32.sys ZwSetInformationFile [0x8FCB5482] SSDT \??\C:\Windows\system32\Drivers\bsdp32.sys ZwSetValueKey [0x8FCB6516] SSDT \??\C:\Windows\system32\Drivers\bsdp32.sys ZwTerminateProcess [0x8FCB6C2C] INT 0x04 \SystemRoot\System32\drivers\MPCBase.sys 8AD3BC42 ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwRequestWaitReplyPort + 12FD 82A3E859 2 Bytes [CD, 04] {INT 0x4} .text ntkrnlpa.exe!ZwRequestWaitReplyPort + 1499 82A3E9F5 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A78992 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 11AF 82A7FC94 4 Bytes [92, 57, CB, 8F] .text ntkrnlpa.exe!KeRemoveQueueEx + 11BF 82A7FCA4 4 Bytes [76, 62, CB, 8F] .text ntkrnlpa.exe!KeRemoveQueueEx + 123F 82A7FD24 4 Bytes [10, 57, CB, 8F] .text ntkrnlpa.exe!KeRemoveQueueEx + 124F 82A7FD34 4 Bytes [92, 66, CB, 8F] .text ntkrnlpa.exe!KeRemoveQueueEx + 1373 82A7FE58 4 Bytes [8A, 58, CB, 8F] .text ... ---- User code sections - GMER 2.2 ---- .text C:\Windows\Explorer.EXE[2812] kernel32.dll!CreateProcessInternalW 754F08A2 5 Bytes JMP 72B11AC3 C:\Program Files\MPC Cleaner\SafeNavi.dll ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x74 0x76 0x65 0xC7 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x74 0x76 0x65 0xC7 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS@StateIndex 1 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\winsxs\x86_netfx-clrgc_b03f5f7f11d50a3a_6.1.7601.17514_none_f5276fe6b5adf276\clrgc.exe 0xD2 0x38 0xCA 0x5C ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\System32\rundll32.exe 0xA7 0x64 0x01 0x64 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 0xB7 0xB7 0x4F 0xBC ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume5\updates\DirectX\DXSETUP.exe 0x19 0x55 0x6C 0x16 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x83 0x49 0x2C 0x1C ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume4\Program Files\SteamLibrary\SteamApps\common\Heroes & Generals\_CommonRedist\DirectX\Jun2010\DXSETUP.exe 0x0A 0x7C 0xF1 0x59 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\System32\sdiagnhost.exe 0x16 0xBD 0xCB 0x31 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 0xA5 0xFE 0x07 0x37 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\CdRom1\dx9\DXSETUP.exe 0x8E 0x76 0xD4 0xF2 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume4\Program Files\SteamLibrary\SteamApps\common\Counter-Strike Global Offensive\directx_installer\dxsetup.exe 0x5C 0x55 0x3A 0x34 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 0xB5 0xB4 0x38 0x62 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Program Files\Windows Live\Mail\wlmail.exe 0x4D 0x7C 0x7C 0xD5 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Program Files\Windows Live\Writer\WindowsLiveWriter.exe 0x21 0xE5 0x49 0x02 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe 0x1A 0xF2 0xFA 0x92 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume4\Program Files\SpringPublisher\SpringPublisher.exe 0x3F 0x12 0x73 0x9E ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume4\Program Files\DocuFreezer\WordHelper.exe 0x8B 0x14 0xB2 0x09 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Users\CZOWIE~1\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe 0x26 0xE8 0x0B 0xF9 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\System32\mmc.exe 0xC2 0x05 0xA4 0x01 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Users\CZOWIE~1\AppData\Local\Temp\is-Q3QUD.tmp\setup.exe 0x03 0x00 0x2D 0x91 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 0xA2 0x63 0x8A 0x91 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\Temp\25C6.tmp 0x78 0xBB 0x54 0x92 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Users\Człowiek11\AppData\Local\Apps\2.0\abril.exe 0x45 0xFE 0x93 0x95 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Users\CZOWIE~1\AppData\Local\Temp\nsv5698.tmp\easyhotspot-installer 0x27 0x76 0xB7 0x9A ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\System32\msiexec.exe 0x57 0x0D 0x24 0x8C ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe 0x95 0x74 0x78 0x41 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x4B 0x66 0xC6 0x84 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Users\CZOWIE~1\AppData\Local\Temp\9C3682A6-33D7-11E5-8FFF-001C25897BA5\TEST_WPF.EXE 0x83 0x48 0x94 0x5E ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.2\avpui.exe 0x5C 0x5A 0xAF 0x6C ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\GFExperience.exe 0xCD 0xDD 0x0A 0x42 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\System32\rundll32.exe 0xF9 0x8B 0x9E 0xB4 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume4\Program Files\PES6JLauncher\PES6JLauncher.exe 0x57 0x3C 0x82 0x7D ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Users\CZOWIE~1\AppData\Local\Temp\73B6B813-8657-11E5-A3DB-001C25897BA5\TEST_WPF.EXE 0x8E 0xA0 0xE3 0x37 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0\avpui.exe 0x81 0x33 0x6E 0xD7 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume4\Program Files\Easy Flyer Creator 4.1\eFlyers.exe 0xB7 0xC0 0xC0 0xFD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Users\Człowiek11\Desktop\ToSrtConverter 2.1.0 x86\ToSrtConverter 2.1.0 x86\ZNetCS.ToSrtConverter.exe 0x79 0x2E 0x05 0xF2 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume3\Program Files\SteamLibrary\steamapps\common\Pro Evolution Soccer 2016 myClub\Settings.exe 0xEE 0xF2 0x34 0xA5 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Users\Człowiek11\Desktop\Programy\ToSrtConverter 2.1.0 x86\ToSrtConverter 2.1.0 x86\ZNetCS.ToSrtConverter.exe 0x60 0x8C 0xD9 0xBC ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Users\Człowiek11\Desktop\Programy\ToSrtConverter 2.1.0 x86\ToSrtConverter 2.1.0 x86\ZNetCS.ToSrtConverter.Console.exe 0x4C 0x6F 0x64 0xF9 ... ---- EOF - GMER 2.2 ----