GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-07-16 01:57:45 Windows 6.2.9200 \Device\Harddisk0\DR0 -> \Device\00000028 TOSHIBA_MK3263GSXN rev.GC002M 298,09GB Running: 8gpdmmze.exe; Driver: C:\Users\katar\AppData\Local\Temp\pxldapod.sys ---- System - GMER 2.2 ---- SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwWriteVirtualMemory [0x8C1FCD82] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwTerminateThread [0x8C1F1023] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwTerminateProcess [0x8C1F1000] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwSystemDebugControl [0x8C1FA4EC] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwShutdownSystem [0x8C1FA8B6] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwSetSystemInformation [0x8C1FBC4C] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwSetInformationFile [0x8C1FB002] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwSetContextThread [0x8C1FA47A] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwSetBootOptions [0x8C1FA9A0] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwSecureConnectPort [0x8C1FC204] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwRestoreKey [0x8C1FA9D6] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwRequestWaitReplyPort [0x8C1FD156] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwReplaceKey [0x8C1FAA8C] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwQueueApcThread [0x8C1FA416] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwProtectVirtualMemory [0x8C1FB9BC] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwOpenThread [0x8C1FC00E] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwOpenSection [0x8C1FB81A] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwOpenProcess [0x8C1FCE98] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwModifyBootEntry [0x8C1FA934] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwMapViewOfSection [0x8C1FCB2C] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwLoadDriver [0x8C1FCCC8] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwImpersonateThread [0x8C1FAEC2] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwImpersonateClientOfPort [0x8C1FAF04] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwFsControlFile [0x8C1FAF3E] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwDuplicateObject [0x8C1FA5BC] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwDeviceIoControlFile [0x8C1FA358] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwDeleteFile [0x8C1FAF9E] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwDeleteBootEntry [0x8C1FA96A] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwCreateThreadEx [0x8C1FB1D8] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwCreateThread [0x8C1FB8DE] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwCreateSection [0x8C1FBD74] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwConnectPort [0x8C1FC11A] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwAlpcSendWaitReceivePort [0x8C1FD28A] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwAlpcConnectPort [0x8C1FADC6] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwAlpcConnectPortEx [0x8C1FB5F0] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwAddBootEntry [0x8C1FA8FE] ---- Kernel code sections - GMER 2.2 ---- .text ntoskrnl.exe!ExfUnblockPushLock + 1547 819388AD 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 622 8193D052 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .vmp1 C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys entry point in ".vmp1" section [0x8C30FC09] .ewrere1˙˙˙˙Spysheltentry point in ".ewrere1˙˙˙˙Spysheltentry point in "" section [0x8D05C80F] C:\Program Files\SpyShelter Free Anti-keylogger\SpyshelterKb.sys entry point in ".ewrere1˙˙˙˙Spysheltentry point in "" section [0x8D05C80F] ---- User code sections - GMER 2.2 ---- .text C:\Program Files\NoVirusThanks\EXE Radar Pro\ERPSvc.exe[1620] ntdll.dll!DbgBreakPoint 77111250 1 Byte [C3] .text C:\Windows\System32\RuntimeBroker.exe[1796] ntdll.dll!LdrLoadDll 770CE230 8 Bytes [B8, 42, 84, 61, 03, 50, C3, ...] {MOV EAX, 0x3618442; PUSH EAX; RET ; NOP } .text C:\Windows\System32\RuntimeBroker.exe[1796] ntdll.dll!LdrUnloadDll 770D3FB0 8 Bytes [B8, 0D, 77, 61, 03, 50, C3, ...] {MOV EAX, 0x361770d; PUSH EAX; RET ; NOP } .text C:\Windows\System32\RuntimeBroker.exe[1796] USER32.dll!CreateWindowInBandEx + 3E0 74B4BFB0 11 Bytes [B8, 81, 5D, 61, 03, 50, C3, ...] {MOV EAX, 0x3615d81; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Windows\System32\RuntimeBroker.exe[1796] USER32.dll!SetWindowLongA 74B54CA0 8 Bytes [B8, B7, 18, 61, 03, 50, C3, ...] {MOV EAX, 0x36118b7; PUSH EAX; RET ; NOP } .text C:\Windows\System32\RuntimeBroker.exe[1796] USER32.dll!SetWindowLongW 74B54CC0 8 Bytes [B8, DD, 18, 61, 03, 50, C3, ...] {MOV EAX, 0x36118dd; PUSH EAX; RET ; NOP } .text C:\Windows\System32\RuntimeBroker.exe[1796] USER32.dll!PeekMessageA 74B5D5A0 8 Bytes [B8, D5, 1D, 61, 03, 50, C3, ...] {MOV EAX, 0x3611dd5; PUSH EAX; RET ; NOP } .text C:\Windows\System32\RuntimeBroker.exe[1796] USER32.dll!PeekMessageW 74B5D700 8 Bytes [B8, 20, 1E, 61, 03, 50, C3, ...] {MOV EAX, 0x3611e20; PUSH EAX; RET ; NOP } .text C:\Windows\System32\RuntimeBroker.exe[1796] USER32.dll!CallNextHookEx 74B613A0 8 Bytes [B8, 3C, 79, 61, 03, 50, C3, ...] {MOV EAX, 0x361793c; PUSH EAX; RET ; NOP } .text C:\Windows\System32\RuntimeBroker.exe[1796] USER32.dll!SystemParametersInfoW + 480 74B62AF0 8 Bytes [B8, B6, 5B, 61, 03, 50, C3, ...] {MOV EAX, 0x3615bb6; PUSH EAX; RET ; NOP } .text C:\Windows\System32\RuntimeBroker.exe[1796] USER32.dll!GetKeyState 74B65170 11 Bytes [B8, EE, 77, 61, 03, 50, C3, ...] {MOV EAX, 0x36177ee; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Windows\System32\RuntimeBroker.exe[1796] USER32.dll!GetAsyncKeyState 74B65B10 11 Bytes [B8, 41, 77, 61, 03, 50, C3, ...] {MOV EAX, 0x3617741; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Windows\System32\RuntimeBroker.exe[1796] USER32.dll!GetMessageW 74B65EB0 8 Bytes [B8, 8D, 1D, 61, 03, 50, C3, ...] {MOV EAX, 0x3611d8d; PUSH EAX; RET ; NOP } .text C:\Windows\System32\RuntimeBroker.exe[1796] USER32.dll!GetMessageA 74B66ED0 9 Bytes [B8, 45, 1D, 61, 03, 50, C3, ...] {MOV EAX, 0x3611d45; PUSH EAX; RET ; NOP ; NOP } .text C:\Windows\System32\RuntimeBroker.exe[1796] USER32.dll!GetCursorPos + 20 74B68A40 8 Bytes [B8, 04, 59, 61, 03, 50, C3, ...] {MOV EAX, 0x3615904; PUSH EAX; RET ; NOP } .text C:\Windows\System32\RuntimeBroker.exe[1796] USER32.dll!GetCursorPos + 80 74B68AA0 8 Bytes [B8, DA, 73, 61, 03, 50, C3, ...] {MOV EAX, 0x36173da; PUSH EAX; RET ; NOP } .text C:\Windows\System32\RuntimeBroker.exe[1796] USER32.dll!GetRawInputData + 1 74B792E1 9 Bytes [FD, 55, 61, 03, 50, C3, 90, ...] {STD ; PUSH EBP; POPA ; ADD EDX, [EAX-0x3d]; NOP ; NOP ; NOP } .text C:\Windows\System32\RuntimeBroker.exe[1796] USER32.dll!GetKeyboardState + 1 74B79481 9 Bytes [9B, 78, 61, 03, 50, C3, 90, ...] {WAIT ; JS 0x64; ADD EDX, [EAX-0x3d]; NOP ; NOP ; NOP } .text C:\Windows\System32\RuntimeBroker.exe[1796] USER32.dll!EndTask 74BA2F90 8 Bytes [B8, 4F, 19, 61, 03, 50, C3, ...] {MOV EAX, 0x361194f; PUSH EAX; RET ; NOP } .text C:\Windows\System32\RuntimeBroker.exe[1796] USER32.dll!GetRawInputBuffer 74BABF60 11 Bytes [B8, 9A, 56, 61, 03, 50, C3, ...] {MOV EAX, 0x361569a; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2928] ntdll.dll!LdrLoadDll 770CE230 8 Bytes [B8, 42, 84, 01, 01, 50, C3, ...] {MOV EAX, 0x1018442; PUSH EAX; RET ; NOP } .text C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2928] ntdll.dll!LdrUnloadDll 770D3FB0 8 Bytes [B8, 0D, 77, 01, 01, 50, C3, ...] {MOV EAX, 0x101770d; PUSH EAX; RET ; NOP } .text C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2928] USER32.dll!CreateWindowInBandEx + 3E0 74B4BFB0 11 Bytes [B8, 81, 5D, 01, 01, 50, C3, ...] {MOV EAX, 0x1015d81; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2928] USER32.dll!SetWindowLongA 74B54CA0 8 Bytes [B8, B7, 18, 01, 01, 50, C3, ...] {MOV EAX, 0x10118b7; PUSH EAX; RET ; NOP } .text C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2928] USER32.dll!SetWindowLongW 74B54CC0 8 Bytes [B8, DD, 18, 01, 01, 50, C3, ...] {MOV EAX, 0x10118dd; PUSH EAX; RET ; NOP } .text C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2928] USER32.dll!PeekMessageA 74B5D5A0 8 Bytes [B8, D5, 1D, 01, 01, 50, C3, ...] {MOV EAX, 0x1011dd5; PUSH EAX; RET ; NOP } .text C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2928] USER32.dll!PeekMessageW 74B5D700 8 Bytes [B8, 20, 1E, 01, 01, 50, C3, ...] {MOV EAX, 0x1011e20; PUSH EAX; RET ; NOP } .text C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2928] USER32.dll!CallNextHookEx 74B613A0 8 Bytes [B8, 3C, 79, 01, 01, 50, C3, ...] {MOV EAX, 0x101793c; PUSH EAX; RET ; NOP } .text C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2928] USER32.dll!SystemParametersInfoW + 480 74B62AF0 8 Bytes [B8, B6, 5B, 01, 01, 50, C3, ...] {MOV EAX, 0x1015bb6; PUSH EAX; RET ; NOP } .text C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2928] USER32.dll!GetKeyState 74B65170 11 Bytes [B8, EE, 77, 01, 01, 50, C3, ...] {MOV EAX, 0x10177ee; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2928] USER32.dll!GetAsyncKeyState 74B65B10 11 Bytes [B8, 41, 77, 01, 01, 50, C3, ...] {MOV EAX, 0x1017741; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2928] USER32.dll!GetMessageW 74B65EB0 8 Bytes [B8, 8D, 1D, 01, 01, 50, C3, ...] {MOV EAX, 0x1011d8d; PUSH EAX; RET ; NOP } .text C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2928] USER32.dll!GetMessageA 74B66ED0 9 Bytes [B8, 45, 1D, 01, 01, 50, C3, ...] {MOV EAX, 0x1011d45; PUSH EAX; RET ; NOP ; NOP } .text C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2928] USER32.dll!GetCursorPos + 20 74B68A40 8 Bytes [B8, 04, 59, 01, 01, 50, C3, ...] {MOV EAX, 0x1015904; PUSH EAX; RET ; NOP } .text C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2928] USER32.dll!GetCursorPos + 80 74B68AA0 8 Bytes [B8, DA, 73, 01, 01, 50, C3, ...] {MOV EAX, 0x10173da; PUSH EAX; RET ; NOP } .text C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2928] USER32.dll!GetRawInputData + 1 74B792E1 9 Bytes [FD, 55, 01, 01, 50, C3, 90, ...] {STD ; PUSH EBP; ADD [ECX], EAX; PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2928] USER32.dll!GetKeyboardState + 1 74B79481 9 Bytes [9B, 78, 01, 01, 50, C3, 90, ...] {WAIT ; JS 0x4; ADD [EAX-0x3d], EDX; NOP ; NOP ; NOP } .text C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2928] USER32.dll!EndTask 74BA2F90 8 Bytes [B8, 4F, 19, 01, 01, 50, C3, ...] {MOV EAX, 0x101194f; PUSH EAX; RET ; NOP } .text C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe[2928] USER32.dll!GetRawInputBuffer 74BABF60 11 Bytes [B8, 9A, 56, 01, 01, 50, C3, ...] {MOV EAX, 0x101569a; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\NoVirusThanks\EXE Radar Pro\EXERadar.exe[2968] ntdll.dll!LdrLoadDll 770CE230 8 Bytes [B8, 42, 84, 77, 00, 50, C3, ...] {MOV EAX, 0x778442; PUSH EAX; RET ; NOP } .text C:\Program Files\NoVirusThanks\EXE Radar Pro\EXERadar.exe[2968] ntdll.dll!LdrUnloadDll 770D3FB0 8 Bytes [B8, 0D, 77, 77, 00, 50, C3, ...] {MOV EAX, 0x77770d; PUSH EAX; RET ; NOP } .text C:\Program Files\NoVirusThanks\EXE Radar Pro\EXERadar.exe[2968] ntdll.dll!DbgBreakPoint 77111250 1 Byte [C3]