GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-09-20 17:54:22
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002f Samsung_SSD_750_EVO_250GB rev.MAT01B6Q 232,89GB
Running: gmer.exe; Driver: C:\Users\ROZZYJ~1\AppData\Local\Temp\kwddipow.sys


---- User code sections - GMER 2.2 ----

?       C:\WINDOWS\SYSTEM32\iertutil.dll [1296] entry point in ".rdata" section 00000000717812d0
?       C:\WINDOWS\system32\wbem\wbemsvc.dll [1296] entry point in ".rdata" section 000000006f688fa0
?       C:\WINDOWS\SYSTEM32\NTASN1.dll [1764] entry point in ".rdata" section 000000006b0abb10
?       C:\WINDOWS\SYSTEM32\iertutil.dll [2264] entry point in ".rdata" section 00000000717812d0
?       C:\WINDOWS\SYSTEM32\iertutil.dll [2312] entry point in ".rdata" section 00000000717812d0
?       C:\WINDOWS\SYSTEM32\iertutil.dll [2320] entry point in ".rdata" section 00000000717812d0
?       C:\WINDOWS\SYSTEM32\iertutil.dll [2352] entry point in ".rdata" section 00000000717812d0
?       C:\WINDOWS\system32\wbem\wbemsvc.dll [3268] entry point in ".rdata" section 000000006f688fa0
?       C:\Windows\SYSTEM32\iertutil.dll [3268] entry point in ".rdata" section 00000000717812d0
?       C:\WINDOWS\SYSTEM32\apphelp.dll [3268] entry point in ".rdata" section 000000006cf90380
?       C:\WINDOWS\system32\mssprxy.dll [3268] entry point in ".rdata" section 000000006cada4e0
?       C:\WINDOWS\SYSTEM32\NTASN1.dll [1884] entry point in ".rdata" section 000000006b0abb10
?       C:\WINDOWS\system32\apphelp.dll [7828] entry point in ".rdata" section 000000006cf90380

---- User IAT/EAT - GMER 2.2 ----

IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[msvcrt.dll!_amsg_exit] [0]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[msvcrt.dll!_initterm] [5]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[msvcrt.dll!towlower] [5]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[msvcrt.dll!realloc] [5]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[msvcrt.dll!_vsnwprintf] [5]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[msvcrt.dll!__CxxFrameHandler3] [93]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[msvcrt.dll!_lock] [24]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[msvcrt.dll!malloc] [392be56900000124]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[msvcrt.dll!_unlock] [eb3a54a747534c2b]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[msvcrt.dll!__dllonexit] [ea6da8ad]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[msvcrt.dll!_onexit] [24]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[msvcrt.dll!memset] [2]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[combase.dll!NdrCStdStubBuffer2_Release] [1000008150]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[combase.dll!CStdStubBuffer_AddRef] [800000008]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[combase.dll!CStdStubBuffer_CountRefs] [200000000]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[combase.dll!CStdStubBuffer2_Disconnect] [10000000f0]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[combase.dll!CStdStubBuffer2_QueryInterface] [1c73009a43400d4b]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[combase.dll!CStdStubBuffer_Connect] [24]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[combase.dll!CStdStubBuffer_IsIIDSupported] [8ac882be00000124]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[combase.dll!CStdStubBuffer_QueryInterface] [43ad839b4fc7eddb]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[combase.dll!CStdStubBuffer_Disconnect] [1020]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[combase.dll!CStdStubBuffer2_Connect] [2000020334]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[RPCRT4.dll!NdrOleAllocate] [1a04f9e9b692b14]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[RPCRT4.dll!IUnknown_AddRef_Proxy] [10115ac0b3786312]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[RPCRT4.dll!NdrStubCall3] [ffec]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[RPCRT4.dll!IUnknown_Release_Proxy] [0]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[ntdll.dll!RtlIpv4StringToAddressExW] [1000080143]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[ntdll.dll!RtlIpv6StringToAddressExW] [800000000]
IAT     C:\WINDOWS\system32\svchost.exe[716] @ C:\Windows\System32\Windows.Networking.HostName.dll[ntdll.dll!RtlIpv6AddressToStringExW] [100000000]
IAT     C:\WINDOWS\Explorer.EXE[4372] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!ExtTextOutW] [7ffd735c1330] C:\WINDOWS\System32\painter_x64.dll

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [728:780] fffff96030714030

---- Services - GMER 2.2 ----

Service C:\Users\RozzyJames\AppData\Local\Apps\2.0\abril.exe (*** hidden *** ) [AUTO] ProntSpooler <-- ROOTKIT !!!
Service C:\Program Files (x86)\SPnP3\SPnP3.exe (*** hidden *** ) [DISABLED] SPnP3 <-- ROOTKIT !!!
Service C:\Program Files (x86)\SPnP4\SPnP4.exe (*** hidden *** ) [DISABLED] SPnP4 <-- ROOTKIT !!!
Service C:\Program Files (x86)\SPnP5\SPnP5.exe (*** hidden *** ) [DISABLED] SPnP5 <-- ROOTKIT !!!
Service C:\Program Files (x86)\SPnP6\SPnP6.exe (*** hidden *** ) [DISABLED] SPnP6 <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x7B 0xB2 0xEE 0xA5 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x2E 0x41 0x68 0x06 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x7B 0xB2 0xEE 0xA5 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x2E 0x41 0x68 0x06 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 65
Reg     HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SAM07C00_2E_07DA_5E^AB8BDAA73E864BA9FE1D6C774B1996B0@Timestamp 0xD5 0x90 0x1A 0xA6 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 868
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{15958794-0C77-4744-AF3C-76621EDC9607}\Connection@Name Reusable ISATAP Interface {15958794-0C77-4744-AF3C-76621EDC9607}
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@BootExecute autocheck autochk *?aswBoot.exe /M:3658b2cb /wow /dir:"X:\AVAST Software\Avast"?
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@4bdc8060 WK=BW!0(5(I9YUuiaugk"BojctYPhbwYPhbw7YPhbw77,c?c(d7;`71dg34037bb0;`1c`31b`b75e54;(22;33(;3333331(V~tsckYGruuchsGihsuijVcsYVcuqoect(Phbw77( I9YUuiaugk"BojctYPhbwYPhbw7YPhbw77,c?c "d7;`71dg34037bb0;`1c`31b`b75e54;((0d`(4{{G9YRohbiptYV~tsck01Yeih`oaYV\VQAI((((3(3(DWB((?
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 3595926
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1482948379
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 70
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 484451280
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 5836
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 5509
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 818d1ee3-60a6-4eed-b08d-953ecf4
Reg     HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\WdiContextLog@FileCounter 1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters@BootCounter 1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\147438522106203@ Package
Reg     HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\147438522273404@ Package
Reg     HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\147438522296805@ Package
Reg     HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\147438522332807@ Package
Reg     HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\147438522356208@ Package
Reg     HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\147438522484309@ Package
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{e8c89c35-1b33-492e-beff-b0327f87f33d}@LastProbeTime 1474392514
Reg     HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{15958794-0C77-4744-AF3C-76621EDC9607}@InterfaceName Reusable ISATAP Interface {15958794-0C77-4744-AF3C-76621EDC9607}
Reg     HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{15958794-0C77-4744-AF3C-76621EDC9607}@ReusableType 1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ProntSpooler
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ProntSpooler@Type 16
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ProntSpooler@Start 2
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ProntSpooler@ErrorControl 1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ProntSpooler@ImagePath "C:\Users\RozzyJames\AppData\Local\Apps\2.0\abril.exe"
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ProntSpooler@DisplayName Pront Spooler
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ProntSpooler@WOW64 1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ProntSpooler@ObjectName LocalSystem
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ProntSpooler@Description This service provides support form reading mass-storage devices using Peer Name Resolution to query performance counter of system-level reports. If this service os disabled, any services that explicitly depend on it will fail to start.
Reg     HKLM\SYSTEM\CurrentControlSet\Services\ProntSpooler
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 1789
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 421
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP3
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP3@Type 272
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP3@Start 4
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP3@ErrorControl 1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP3@ImagePath "C:\Program Files (x86)\SPnP3\SPnP3.exe" c54102ea829e4d458c86147e71427a8f
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP3@DisplayName SPnP3
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP3@WOW64 1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP3@ObjectName LocalSystem
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP3@FailureActions 0x00 0x00 0x00 0x00 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP3@Description Allows SPnP devices to be hosted on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP3
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP4
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP4@Type 272
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP4@Start 4
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP4@ErrorControl 1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP4@ImagePath "C:\Program Files (x86)\SPnP4\SPnP4.exe" 420f678469254505a655a4b567f7c9a0
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP4@DisplayName SPnP4
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP4@WOW64 1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP4@ObjectName LocalSystem
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP4@FailureActions 0x00 0x00 0x00 0x00 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP4@Description Allows SPnP devices to be hosted on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP4
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP5
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP5@Type 272
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP5@Start 4
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP5@ErrorControl 1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP5@ImagePath "C:\Program Files (x86)\SPnP5\SPnP5.exe" ae2ce54ab1294744903dca4a5f8539bf
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP5@DisplayName SPnP5
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP5@WOW64 1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP5@ObjectName LocalSystem
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP5@FailureActions 0x00 0x00 0x00 0x00 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP5@Description Allows SPnP devices to be hosted on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP5
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP6
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP6@Type 272
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP6@Start 4
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP6@ErrorControl 1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP6@ImagePath "C:\Program Files (x86)\SPnP6\SPnP6.exe" e47b5abf08794d6b8b774f94eeb062f4
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP6@DisplayName SPnP6
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP6@WOW64 1
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP6@ObjectName LocalSystem
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP6@FailureActions 0x00 0x00 0x00 0x00 ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP6@Description Allows SPnP devices to be hosted on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg     HKLM\SYSTEM\CurrentControlSet\Services\SPnP6
Reg     HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 64
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{340f1f57-4738-47b1-aa01-689c45a7b10f}@LeaseObtainedTime 1474385319
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{340f1f57-4738-47b1-aa01-689c45a7b10f}@T1 1474388919
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{340f1f57-4738-47b1-aa01-689c45a7b10f}@T2 1474391619
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{340f1f57-4738-47b1-aa01-689c45a7b10f}@LeaseTerminatesTime 1474392519
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xF2 0x4D 0x97 0x5D ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xF2 0xB5 0x5B 0xBF ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xF2 0xE5 0xD2 0xFB ...
Reg     HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0
Reg     HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 12098 12104 12114 12124 12144 12188 12198 12236 12242 12258
Reg     HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 12264
Reg     HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 12265
Reg     HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 12098
Reg     HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 12099
Reg     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds OperaSoftware.OperaWebBrowser.1469959407?

---- EOF - GMER 2.2 ----