GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-08-31 17:46:29 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SanDisk_SDSSDP128G rev.3.2.0 117,38GB Running: gmer.exe; Driver: C:\Users\K\AppData\Local\Temp\axloyuog.sys ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwRenameKey + 1579 83248F15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83283232 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ? System32\Drivers\sphn.sys System nie może odnaleźć określonej ścieżki. ! ---- User code sections - GMER 2.2 ---- .text C:\Windows\Explorer.EXE[3068] WS2_32.dll!closesocket 76163918 5 Bytes JMP 04BFBF50 .text C:\Windows\Explorer.EXE[3068] WS2_32.dll!WSASend 76164406 5 Bytes JMP 04BFC700 .text C:\Windows\Explorer.EXE[3068] WS2_32.dll!send 76166C19 5 Bytes JMP 04BFC6D0 .text C:\Windows\system32\svchost.exe[3740] svchost.exe 00372104 10 Bytes [68, 08, 00, 00, 00, E8, 52, ...] {PUSH DWORD 0x8; CALL 0xffd02f5c} .text C:\Windows\system32\svchost.exe[3740] ws2_32.dll!getaddrinfo 76164296 5 Bytes JMP 0007AA90 .text C:\Windows\system32\svchost.exe[3740] ws2_32.dll!GetAddrInfoW 76164889 5 Bytes JMP 0007A590 .text C:\Windows\system32\svchost.exe[3740] ws2_32.dll!connect 761668F5 5 Bytes JMP 0007A2D0 .text C:\Windows\system32\svchost.exe[3740] ws2_32.dll!GetAddrInfoExW 7616A6DB 5 Bytes JMP 0007A700 .text C:\Windows\system32\svchost.exe[3740] ws2_32.dll!WSAConnect 7616BCD5 5 Bytes JMP 0007A540 .text C:\Windows\system32\svchost.exe[3740] ws2_32.dll!WSAAsyncGetHostByName 76177312 5 Bytes JMP 0007ABF0 .text C:\Windows\system32\svchost.exe[3740] ws2_32.dll!gethostbyname 7617771B 5 Bytes JMP 0007AB70 ---- Devices - GMER 2.2 ---- Device \FileSystem\Ntfs \Ntfs 85F601F8 Device \Driver\volmgr \Device\VolMgrControl 85A7E1F8 Device \Driver\usbohci \Device\USBPDO-0 8649B500 Device \Driver\NetBT \Device\NetBT_Tcpip_{DCE51B4A-F2B1-4F8A-8EB8-9DA7C52DA807} 863031F8 Device \Driver\usbohci \Device\USBPDO-1 8649B500 Device \Driver\usbehci \Device\USBPDO-2 86375500 Device \Driver\usbohci \Device\USBPDO-3 8649B500 Device \Driver\usbohci \Device\USBPDO-4 8649B500 Device \Driver\usbehci \Device\USBPDO-5 86375500 Device \Driver\PCI_PNP4120 \Device\00000057 sphn.sys Device \Driver\usbohci \Device\USBPDO-6 8649B500 Device \Driver\volmgr \Device\HarddiskVolume1 85A7E1F8 Device \Driver\volmgr \Device\HarddiskVolume2 85A7E1F8 Device \Driver\cdrom \Device\CdRom0 862431F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 85A801F8 Device \Driver\atapi \Device\Ide\IdePort0 85A801F8 Device \Driver\atapi \Device\Ide\IdePort1 85A801F8 Device \Driver\atapi \Device\Ide\IdePort2 85A801F8 Device \Driver\atapi \Device\Ide\IdePort3 85A801F8 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 85A801F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-2 85A801F8 Device \Driver\cdrom \Device\CdRom1 862431F8 Device \Driver\volmgr \Device\HarddiskVolume3 85A7E1F8 Device \Driver\sptd \Device\3568308123 sphn.sys Device \Driver\USBSTOR \Device\00000080 871C71F8 Device \Driver\volmgr \Device\HarddiskVolume4 85A7E1F8 Device \Driver\volmgr \Device\HarddiskVolume5 85A7E1F8 Device \Driver\volmgr \Device\HarddiskVolume6 85A7E1F8 Device \Driver\volmgr \Device\HarddiskVolume7 85A7E1F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 863031F8 Device \Driver\USBSTOR \Device\00000089 871C71F8 Device \Driver\usbohci \Device\USBFDO-0 8649B500 Device \Driver\usbohci \Device\USBFDO-1 8649B500 Device \Driver\usbehci \Device\USBFDO-2 86375500 Device \Driver\usbohci \Device\USBFDO-3 8649B500 Device \Driver\usbohci \Device\USBFDO-4 8649B500 Device \Driver\USBSTOR \Device\0000008a 871C71F8 Device \Driver\usbehci \Device\USBFDO-5 86375500 Device \Driver\USBSTOR \Device\0000007e 871C71F8 Device \Driver\usbohci \Device\USBFDO-6 8649B500 Device \Driver\ag5rzaff \Device\Scsi\ag5rzaff1 864F61F8 Device \Driver\ag5rzaff \Device\Scsi\ag5rzaff1Port4Path0Target0Lun0 864F61F8 ---- Trace I/O - GMER 2.2 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x85a801f8]<< 85a801f8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8610a7c8] 8610a7c8 Trace 3 CLASSPNP.SYS[8c41a59e] -> nt!IofCallDriver -> [0x85fe2898] 85fe2898 Trace 5 ACPI.sys[8bd633d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85ab1908] 85ab1908 Trace \Driver\atapi[0x8600aaa0] -> IRP_MJ_CREATE -> 0x85a801f8 85a801f8 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015830cbfeb Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015830cbfeb@00ba55565741 0x59 0x94 0x49 0x36 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xEA 0x14 0x70 0x11 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x70 0xE5 0x80 0x5B ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x66 0x44 0xB0 0x16 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015830cbfeb (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015830cbfeb@00ba55565741 0x59 0x94 0x49 0x36 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xEA 0x14 0x70 0x11 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x70 0xE5 0x80 0x5B ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x66 0x44 0xB0 0x16 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@D5C1AA4B 372 Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{8A61F255-BBB7-11E5-B7E1-806E6F6E6963} 3666399936 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----