GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-02-07 22:13:22 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 SAMSUNG_HD322HJ rev.1AC01110 298,09GB Running: zdvvu5hk.exe; Driver: C:\Users\Krzychu\AppData\Local\Temp\kwrdipob.sys ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwSaveKey + 13C1 83093339 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830CCD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x88D57774] ? C:\Windows\System32\Drivers\a6i0tj5p.SYS suspicious PE modification ? C:\Program Files\UCBrowser\Security Odmowa dostępu. .text C:\Program Files\Alcohol Soft\Alcohol 52\Alcoholx.dll section is writeable [0x77D11000, 0x152A2, 0xE0000020] ---- User code sections - GMER 2.2 ---- .text C:\Program Files\CCleaner\CCleaner.exe[2364] USER32.dll!SetScrollRange 766D8EC5 5 Bytes JMP 00A5A9BE C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2364] USER32.dll!GetScrollInfo 766E2DA3 5 Bytes JMP 00A5A945 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2364] USER32.dll!SetScrollInfo 766E48DA 5 Bytes JMP 00A5A9FB C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2364] USER32.dll!GetScrollRange 7670045A 5 Bytes JMP 00A5A8DC C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2364] USER32.dll!SetScrollPos 767004BE 5 Bytes JMP 00A5A8B1 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2364] USER32.dll!GetScrollPos 76700E43 5 Bytes JMP 00A5A91A C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2364] USER32.dll!EnableScrollBar 767019CE 5 Bytes JMP 00A5AA35 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program 
Files\CCleaner\CCleaner.exe[2364] USER32.dll!ShowScrollBar 76703C89 5 Bytes JMP 00A5A97E C:\Program Files\CCleaner\CCleaner.exe .text C:\Windows\Explorer.EXE[3732] kernel32.dll!CreateProcessInternalW 7698DE78 5 Bytes JMP 7146D92B C:\Program Files\Rerkuy\Prasoied.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3896] ntdll.dll!LdrLoadDll 77C122B8 5 Bytes JMP 74EA8290 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3896] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76988996 7 Bytes JMP 5543D9FF C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3896] kernel32.dll!GetEnvironmentStringsA + 11 76992FB1 7 Bytes JMP 5543E8D2 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3896] kernel32.dll!BaseThreadInitThunk + C9 76993CFC 7 Bytes JMP 5513AE7F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3896] USER32.dll!CreateWindowExA 766DBF40 5 Bytes JMP 555BDDBF C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3896] USER32.dll!CreateWindowExW 766DEC7C 5 Bytes JMP 550F5294 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3896] USER32.dll!GetWindowInfo 766E4B5E 5 Bytes JMP 560630ED C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3896] GDI32.dll!GetViewportOrgEx + 26C 763E884B 7 Bytes JMP 5543D405 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] ntdll.dll!NtCreateFile + 6 77BF55CE 4 Bytes [28, AC, 89, 00] .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] ntdll.dll!NtCreateFile + B 77BF55D3 1 Byte [E2] .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] ntdll.dll!NtOpenFile + 6 77BF5CDE 4 Bytes [68, AC, 89, 00] .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] ntdll.dll!NtOpenFile + B 77BF5CE3 1 Byte [E2] 
.text C:\Program Files\Mozilla Firefox\firefox.exe[5644] ntdll.dll!NtOpenProcess + 6 77BF5D8E 4 Bytes [A8, AD, 89, 00] {TEST AL, 0xad; MOV [EAX], EAX} .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] ntdll.dll!NtOpenProcess + B 77BF5D93 1 Byte [E2] .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] ntdll.dll!NtOpenProcessToken + B 77BF5DA3 1 Byte [E2] .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] ntdll.dll!NtOpenProcessTokenEx + 6 77BF5DAE 4 Bytes [A8, AE, 89, 00] {TEST AL, 0xae; MOV [EAX], EAX} .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] ntdll.dll!NtOpenProcessTokenEx + B 77BF5DB3 1 Byte [E2] .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] ntdll.dll!NtOpenThread + 6 77BF5E0E 4 Bytes [68, AD, 89, 00] .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] ntdll.dll!NtOpenThread + B 77BF5E13 1 Byte [E2] .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] ntdll.dll!NtOpenThreadToken + 6 77BF5E1E 4 Bytes [68, AE, 89, 00] .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] ntdll.dll!NtOpenThreadToken + B 77BF5E23 1 Byte [E2] .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] ntdll.dll!NtOpenThreadTokenEx + B 77BF5E33 1 Byte [E2] .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] ntdll.dll!NtQueryAttributesFile + 6 77BF5F3E 4 Bytes [A8, AC, 89, 00] {TEST AL, 0xac; MOV [EAX], EAX} .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] ntdll.dll!NtQueryAttributesFile + B 77BF5F43 1 Byte [E2] .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] ntdll.dll!NtQueryFullAttributesFile + B 77BF5FF3 1 Byte [E2] .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] ntdll.dll!NtSetInformationFile + 6 77BF663E 4 Bytes [28, AD, 89, 00] .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] ntdll.dll!NtSetInformationFile + B 77BF6643 1 Byte [E2] .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] ntdll.dll!NtSetInformationThread + 6 77BF669E 4 Bytes [28, AE, 89, 00] .text C:\Program Files\Mozilla 
Firefox\firefox.exe[5644] ntdll.dll!NtSetInformationThread + B 77BF66A3 1 Byte [E2] .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] ntdll.dll!LdrLoadDll 77C122B8 5 Bytes JMP 74EA8290 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76988996 7 Bytes JMP 5543D9FF C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] kernel32.dll!GetEnvironmentStringsA + 11 76992FB1 7 Bytes JMP 5543E8D2 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] USER32.dll!CreateWindowExA 766DBF40 5 Bytes JMP 555BDDBF C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] USER32.dll!CreateWindowExW 766DEC7C 5 Bytes JMP 550F5294 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5644] GDI32.dll!GetViewportOrgEx + 26C 763E884B 7 Bytes JMP 5543D405 C:\Program Files\Mozilla Firefox\xul.dll ---- Devices - GMER 2.2 ---- Device \FileSystem\Ntfs \Ntfs 850601F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{B03EECAA-76F2-4A71-8A4C-2CD5645B1D15} 860571F8 Device \Driver\usbuhci \Device\USBPDO-0 863E61F8 Device \Driver\usbuhci \Device\USBPDO-1 863E61F8 Device \Driver\usbuhci \Device\USBPDO-2 863E61F8 Device \Driver\usbuhci \Device\USBPDO-3 863E61F8 Device \Driver\usbehci \Device\USBPDO-4 863E5440 Device \Driver\USBSTOR \Device\00000070 861B81F8 Device \Driver\USBSTOR \Device\00000071 861B81F8 Device \Driver\cdrom \Device\CdRom0 85E5A1F8 Device \Driver\USBSTOR \Device\00000072 861B81F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8505E1F8 Device \Driver\atapi \Device\Ide\IdePort0 8505E1F8 Device \Driver\atapi \Device\Ide\IdePort1 8505E1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 8505E1F8 Device \Driver\cdrom \Device\CdRom1 85E5A1F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 860571F8 Device \Driver\PCI_PNP2613 
\Device\0000004f sptd.sys Device \Driver\NetBT \Device\NetBT_Tcpip_{3C1AA20A-6893-46BC-AC45-0667DC60DD83} 860571F8 Device \Driver\usbuhci \Device\USBFDO-0 863E61F8 Device \Driver\USBSTOR \Device\0000006d 861B81F8 Device \Driver\usbuhci \Device\USBFDO-1 863E61F8 Device \Driver\USBSTOR \Device\0000006e 861B81F8 Device \Driver\usbuhci \Device\USBFDO-2 863E61F8 Device \Driver\usbuhci \Device\USBFDO-3 863E61F8 Device \Driver\usbehci \Device\USBFDO-4 863E5440 Device \Driver\a6i0tj5p \Device\Scsi\a6i0tj5p1 864471F8 Device \Driver\a6i0tj5p \Device\Scsi\a6i0tj5p1Port2Path0Target0Lun0 864471F8 ---- Trace I/O - GMER 2.2 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x8505e1f8]<< 8505e1f8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85e3d9e8] 85e3d9e8 Trace 3 CLASSPNP.SYS[8950459e] -> nt!IofCallDriver -> [0x85031900] 85031900 Trace 5 ACPI.sys[88d7c3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x85d6d908] 85d6d908 Trace \Driver\atapi[0x85d501c0] -> IRP_MJ_CREATE -> 0x8505e1f8 8505e1f8 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0A 0x7C 0x8C 0xFE ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xBA 0x42 0x86 0x93 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xA4 0x34 0xB5 0xCE ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0A 0x7C 0x8C 0xFE ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xBA 0x42 0x86 0x93 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xA4 0x34 0xB5 0xCE ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures@UCBrowserUpdaterCore.job.fp -1245718759 ---- Files - GMER 2.2 ---- ADS C:\Program Files\UCBrowser\Security:ucdrv-x86.sys 39624 bytes executable <-- ROOTKIT !!! ADS C:\Program Files\UCBrowser\Security:x86 602512 bytes executable ADS C:\Windows\System32\drivers:ucdrv-x86.sys 39624 bytes executable ADS C:\Windows\System32\drivers:x86 602512 bytes executable ---- Services - GMER 2.2 ---- Service C:\Program Files\UCBrowser\Security:ucdrv-x86.sys [SYSTEM] ucdrv <-- ROOTKIT !!! ---- EOF - GMER 2.2 ----