GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-01-20 13:16:23
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-22ZCT0 rev.11.01A11 298,09GB
Running: wlsc54he.exe; Driver: C:\Users\Paulinka\AppData\Local\Temp\ffldypog.sys


---- User code sections - GMER 2.2 ----

.text   C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avp.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey            0000000077e7fab8 5 bytes JMP 00000000752128d0
.text   C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avp.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory     0000000077e80048 5 bytes JMP 0000000075212890
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3808] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                       00000000771b1401 2 bytes JMP 769eb233 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3808] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                         00000000771b1419 2 bytes JMP 769eb35e C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                       00000000771b1431 2 bytes JMP 76a69149 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                       00000000771b144a 2 bytes CALL 769c4885 C:\Windows\syswow64\kernel32.dll
.text   ...                                                                                                                                            * 9
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3808] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                          00000000771b14dd 2 bytes JMP 76a68a42 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3808] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                   00000000771b14f5 2 bytes JMP 76a68c18 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3808] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                          00000000771b150d 2 bytes JMP 76a68938 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3808] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                   00000000771b1525 2 bytes JMP 76a68d02 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3808] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                         00000000771b153d 2 bytes JMP 769dfcc0 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3808] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                              00000000771b1555 2 bytes JMP 769e6907 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3808] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                       00000000771b156d 2 bytes JMP 76a69201 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3808] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                         00000000771b1585 2 bytes JMP 76a68d62 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3808] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                            00000000771b159d 2 bytes JMP 76a688fc C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3808] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                         00000000771b15b5 2 bytes JMP 769dfd59 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3808] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                       00000000771b15cd 2 bytes JMP 769eb2f4 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3808] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                   00000000771b16b2 2 bytes JMP 76a690c4 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3808] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                   00000000771b16bd 2 bytes JMP 76a68891 C:\Windows\syswow64\kernel32.dll
?       C:\Windows\system32\mssprxy.dll [3808] entry point in ".rdata" section 00000000743071e6

---- Kernel IAT/EAT - GMER 2.2 ----

IAT     C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback]                          [fffff8800435cd40] \SystemRoot\system32\DRIVERS\klif.sys [PAGE]

---- User IAT/EAT - GMER 2.2 ----

IAT     C:\Windows\system32\AUDIODG.EXE[1200] @ C:\Windows\system32\AUDIODG.EXE[ntdll.dll!NtClose]                       [77e30010]
IAT     C:\Windows\system32\AUDIODG.EXE[1200] @ C:\Windows\system32\AUDIODG.EXE[ntdll.dll!NtAlpcSendWaitReceivePort]     [77e30000]
IAT     C:\Windows\system32\AUDIODG.EXE[1200] @ C:\Windows\System32\kernel32.dll[ntdll.dll!NtClose]                      [77e30010]
IAT     C:\Windows\system32\AUDIODG.EXE[1200] @ C:\Windows\System32\KERNELBASE.dll[ntdll.dll!NtClose]                    [77e30010]
IAT     C:\Windows\system32\AUDIODG.EXE[1200] @ C:\Windows\System32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort]      [77e30000]
IAT     C:\Windows\system32\AUDIODG.EXE[1200] @ C:\Windows\System32\RPCRT4.dll[ntdll.dll!NtClose]                        [77e30010]
IAT     C:\Windows\system32\AUDIODG.EXE[1200] @ C:\Windows\System32\USER32.dll[ntdll.dll!NtClose]                        [77e30010]
IAT     C:\Windows\system32\AUDIODG.EXE[1200] @ C:\Windows\System32\ole32.dll[ntdll.dll!NtClose]                         [77e30010]
IAT     C:\Windows\system32\AUDIODG.EXE[1200] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort]       [77e30000]
IAT     C:\Windows\system32\AUDIODG.EXE[1200] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtClose]                         [77e30010]
IAT     C:\Windows\system32\AUDIODG.EXE[1200] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtClose]                      [77e30010]
IAT     C:\Windows\system32\AUDIODG.EXE[1200] @ C:\Windows\system32\CRYPTBASE.dll[ntdll.dll!NtClose]                     [77e30010]
IAT     C:\Windows\system32\AUDIODG.EXE[1200] @ C:\Windows\system32\rsaenh.dll[ntdll.dll!NtClose]                        [77e30010]
IAT     C:\Windows\system32\AUDIODG.EXE[1200] @ C:\Windows\system32\bcryptprimitives.dll[ntdll.dll!NtClose]              [77e30010]
IAT     C:\Windows\system32\AUDIODG.EXE[1200] @ C:\Windows\System32\audioses.dll[ntdll.dll!NtAlpcSendWaitReceivePort]    [77e30000]
IAT     C:\Windows\system32\AUDIODG.EXE[1200] @ C:\Windows\System32\AVRT.dll[ntdll.dll!NtClose]                          [77e30010]
IAT     C:\Windows\system32\AUDIODG.EXE[1200] @ C:\Windows\System32\AVRT.dll[ntdll.dll!NtAlpcSendWaitReceivePort]        [77e30000]
IAT     C:\Windows\system32\AUDIODG.EXE[1200] @ C:\Windows\system32\SETUPAPI.dll[ntdll.dll!NtClose]                      [77e30010]
IAT     C:\Windows\system32\AUDIODG.EXE[1200] @ C:\Windows\System32\CRYPT32.dll[ntdll.dll!NtClose]                       [77e30010]

---- Modules - GMER 2.2 ----

Module  \??\C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys                              fffff88004426000-fffff88004434000 (57344 bytes)

---- Threads - GMER 2.2 ----

Thread  C:\Windows\System32\spoolsv.exe [1828:5104]                                              000007feec1f10c8
Thread  C:\Windows\System32\spoolsv.exe [1828:2032]                                              000007feeb896144
Thread  C:\Windows\System32\spoolsv.exe [1828:5076]                                              000007feeb845fd0
Thread  C:\Windows\System32\spoolsv.exe [1828:2172]                                              000007feec073438
Thread  C:\Windows\System32\spoolsv.exe [1828:4556]                                              000007feeb8463ec
Thread  C:\Windows\System32\spoolsv.exe [1828:4616]                                              000007feec4c5e5c
Thread  C:\Windows\System32\spoolsv.exe [1828:4628]                                              000007feeba45060
Thread  C:\Windows\System32\rundll32.exe [2548:2892]                                             000007fef5cd2154
Thread  C:\Windows\System32\svchost.exe [4592:6716]                                              000007feeb959688
Thread  C:\Windows\System32\WUDFHost.exe [5300:5372]                                             000007feeb7024a0

---- Registry - GMER 2.2 ----

Reg     HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076a107a4
Reg     HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076a107a4@c442021aae15   0xD3 0xE4 0x9D 0x9D ...
Reg     HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076a107a4@0011671116d8   0x82 0x22 0x8B 0x82 ...
Reg     HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076a107a4@a1230903059c   0xD0 0xD0 0xAA 0x7A ...
Reg     HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076a107a4 (not active ControlSet)
Reg     HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076a107a4@c442021aae15       0xD3 0xE4 0x9D 0x9D ...
Reg     HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076a107a4@0011671116d8       0x82 0x22 0x8B 0x82 ...
Reg     HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076a107a4@a1230903059c       0xD0 0xD0 0xAA 0x7A ...
Reg     HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice@Progid   ChromeHTML
Reg     HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice@Progid  ChromeHTML

---- Files - GMER 2.2 ----

ADS     C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys                                  47304 bytes executable <-- ROOTKIT !!!
ADS     C:\Program Files (x86)\UCBrowser\Security:x64                                            739728 bytes executable
ADS     C:\Program Files (x86)\UCBrowser\Security:x86                                            602512 bytes executable

---- Services - GMER 2.2 ----

Service C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [SYSTEM] ucdrv                   <-- ROOTKIT !!!

---- EOF - GMER 2.2 ----
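The report above is GMER's plain-text format: a header, then `---- <name> - GMER 2.2 ----` sections with one finding per line. As an added example (not GMER's code and not the poster's), the Python below parses such a log into its sections and cross-references the findings a responder triages first: the `.text` inline hooks grouped by hooked process, the alternate-data-stream (ADS) executables from the Files section, and any service whose image path is an ADS, checked against the Modules section for whether that image is actually loaded in the kernel. `SAMPLE_LOG` is a constructed excerpt of the scan above; every function and regex name is the example's own.

```python
"""Parse a GMER 2.2 rootkit-scan log and pull out the findings worth triage.
Added example; not GMER's code. SAMPLE_LOG is an excerpt of the posted scan."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER 2\.2 ----$")
# .text  <proc>[pid] <module>!<export>[ + off]  <addr> <n> bytes JMP|CALL <dest> [<dest module>]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<target>\S+![A-Za-z0-9_]+(?: \+ \d+)?)\s+"
    r"(?P<addr>[0-9a-f]+)\s+(?P<nbytes>\d+) bytes\s+(?P<kind>JMP|CALL)\s+(?P<dest>[0-9a-f]+)"
    r"(?:\s+(?P<dest_module>\S+))?"
)
ADS_RE = re.compile(r"^ADS\s+(?P<path>.+?)\s+(?P<size>\d+) bytes(?P<exe> executable)?")
SERVICE_RE = re.compile(r"^Service\s+(?P<image>.+?)\s+\[(?P<start>[^\]]+)\]\s+(?P<name>\S+)")
MODULE_RE = re.compile(r"^Module\s+(?P<image>.+?)\s+(?P<lo>[0-9a-f]+)-(?P<hi>[0-9a-f]+)\s+\((?P<size>\d+) bytes\)")

# Constructed excerpt of the scan shown on this page (whitespace is not significant).
SAMPLE_LOG = r"""
GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-01-20 13:16:23
---- User code sections - GMER 2.2 ----
.text  C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avp.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey  0000000077e7fab8 5 bytes JMP 00000000752128d0
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3808] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  00000000771b1401 2 bytes JMP 769eb233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[3808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  00000000771b144a 2 bytes CALL 769c4885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
---- Modules - GMER 2.2 ----
Module \??\C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys  fffff88004426000-fffff88004434000 (57344 bytes)
---- Files - GMER 2.2 ----
ADS  C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys  47304 bytes executable <-- ROOTKIT !!!
ADS  C:\Program Files (x86)\UCBrowser\Security:x64  739728 bytes executable
ADS  C:\Program Files (x86)\UCBrowser\Security:x86  602512 bytes executable
---- Services - GMER 2.2 ----
Service C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [SYSTEM] ucdrv <-- ROOTKIT !!!
---- EOF - GMER 2.2 ----
"""


def parse_gmer(text):
    """Return (header_lines, {section_name: [finding lines]})."""
    header, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m["name"]
            sections.setdefault(current, [])
        elif current is None:
            header.append(line)
        else:
            sections[current].append(line)
    return header, sections


def split_ads(path):
    """Split 'host:stream' into (host, stream). The drive-letter colon (index 1) is not a stream."""
    idx = path.rfind(":")
    return (path[:idx], path[idx + 1:]) if idx > 1 else (path, None)


def flagged_entries(sections):
    """Every line GMER itself tagged '<-- ROOTKIT !!!', paired with its section."""
    return [(name, ln) for name, lines in sections.items() for ln in lines if "<-- ROOTKIT" in ln]


def hooks_by_process(sections):
    """Inline hooks from 'User code sections', grouped by hooked process.
    The '.text ...  * N' elision line carries no data and is skipped."""
    hooks = defaultdict(list)
    for ln in sections.get("User code sections", []):
        m = HOOK_RE.match(ln)
        if m:
            hooks[m["proc"]].append({"target": m["target"], "kind": m["kind"],
                                     "dest": m["dest"], "dest_module": m["dest_module"]})
    return dict(hooks)


def executable_ads(sections):
    """Alternate data streams GMER marked executable in the 'Files' section."""
    found = []
    for ln in sections.get("Files", []):
        m = ADS_RE.match(ln)
        if m and m["exe"]:
            host, stream = split_ads(m["path"])
            found.append({"host": host, "stream": stream, "size": int(m["size"]),
                          "flagged": "<-- ROOTKIT" in ln})
    return found


def services_from_ads(sections):
    """Services whose image path is an ADS, plus whether a kernel module with
    that image is currently loaded (cross-referenced with 'Modules')."""
    loaded = set()
    for ln in sections.get("Modules", []):
        m = MODULE_RE.match(ln)
        if m:
            img = m["image"]
            loaded.add(img[4:] if img.startswith("\\??\\") else img)  # drop NT '\??\' prefix
    out = []
    for ln in sections.get("Services", []):
        m = SERVICE_RE.match(ln)
        if m:
            host, stream = split_ads(m["image"])
            if stream is not None:
                out.append({"name": m["name"], "start": m["start"], "host": host,
                            "stream": stream, "kernel_module_loaded": m["image"] in loaded})
    return out


if __name__ == "__main__":
    _, secs = parse_gmer(SAMPLE_LOG)
    for sec, ln in flagged_entries(secs):
        print(f"[{sec}] {ln}")
    for svc in services_from_ads(secs):
        print(f"service {svc['name']} loads from ADS {svc['stream']} on {svc['host']}; "
              f"loaded in kernel: {svc['kernel_module_loaded']}")
```

Two triage notes follow from the parsed output. First, `<-- ROOTKIT !!!` is GMER's own heuristic for an executable hidden in an ADS and a driver service loading from it; it says where the driver lives, not whether it is malicious, so the next step is to list the streams on the host directory (`Get-Item -Path '<host>' -Stream *` in PowerShell) and check the signature and hash of `ucdrv-x64.sys`. Second, for the `.text` hooks the `dest_module` field matters: the mbam.exe entries all jump into kernel32.dll, the usual pattern of a forwarder stub, whereas the avp.exe entries resolve to no named module and have to be mapped to whatever is loaded at that address before they can be attributed.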