GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-03-05 13:36:06
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 SAMSUNG_HD322HJ rev.1AC01110 298,09GB
Running: texycsx3.exe; Driver: C:\Users\Krzychu\AppData\Local\Temp\kwrdipob.sys

---- System - GMER 2.2 ----

SSDT \??\C:\Windows\System32\drivers\zamguard32.sys ZwOpenProcess [0xA08CB104]
SSDT \??\C:\Windows\System32\drivers\zamguard32.sys ZwTerminateProcess [0xA08CB252]

---- Kernel code sections - GMER 2.2 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 8307F339 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830B8D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 139F 830C0094 4 Bytes [04, B1, 8C, A0]
.text ntkrnlpa.exe!KeRemoveQueueEx + 166F 830C0364 4 Bytes [52, B2, 8C, A0]
.sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x88D58774]
? C:\Windows\System32\Drivers\as34pa87.SYS suspicious PE modification
.text C:\Program Files\Alcohol Soft\Alcohol 52\Alcoholx.dll section is writeable [0x77811000, 0x152A2, 0xE0000020]

---- User code sections - GMER 2.2 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!NtCreateFile + 6 776F55CE 4 Bytes [28, 24, 47, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!NtCreateFile + B 776F55D3 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!NtOpenFile + 6 776F5CDE 4 Bytes [68, 24, 47, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!NtOpenFile + B 776F5CE3 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!NtOpenProcess + 6 776F5D8E 4 Bytes [A8, 25, 47, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!NtOpenProcess + B 776F5D93 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!NtOpenProcessToken + B 776F5DA3 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!NtOpenProcessTokenEx + 6 776F5DAE 4 Bytes [A8, 26, 47, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!NtOpenProcessTokenEx + B 776F5DB3 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!NtOpenThread + 6 776F5E0E 4 Bytes [68, 25, 47, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!NtOpenThread + B 776F5E13 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!NtOpenThreadToken + 6 776F5E1E 4 Bytes [68, 26, 47, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!NtOpenThreadToken + B 776F5E23 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!NtOpenThreadTokenEx + B 776F5E33 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!NtQueryAttributesFile + 6 776F5F3E 4 Bytes [A8, 24, 47, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!NtQueryAttributesFile + B 776F5F43 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!NtQueryFullAttributesFile + B 776F5FF3 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!NtSetInformationFile + 6 776F663E 4 Bytes [28, 25, 47, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!NtSetInformationFile + B 776F6643 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!NtSetInformationThread + 6 776F669E 4 Bytes [28, 26, 47, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!NtSetInformationThread + B 776F66A3 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!LdrLoadDll 777122B8 5 Bytes JMP 71B98290 C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76AF8996 7 Bytes JMP 5BFED9FF C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] kernel32.dll!GetEnvironmentStringsA + 11 76B02FB1 7 Bytes JMP 5BFEE8D2 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] USER32.dll!CreateWindowExA 7781BF40 5 Bytes JMP 5C16DDBF C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] USER32.dll!CreateWindowExW 7781EC7C 5 Bytes JMP 5BCA5294 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] GDI32.dll!GetViewportOrgEx + 26C 7695884B 7 Bytes JMP 5BFED405 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Zemana AntiMalware\ZAM.exe[2448] kernel32.dll!CreateThread + 1C 76B03779 4 Bytes CALL 0124685D C:\Program Files\Zemana AntiMalware\ZAM.exe
.text C:\Program Files\CCleaner\CCleaner.exe[3092] USER32.dll!SetScrollRange 77818EC5 5 Bytes JMP 00D2A9BE C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[3092] USER32.dll!GetScrollInfo 77822DA3 5 Bytes JMP 00D2A945 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[3092] USER32.dll!SetScrollInfo 778248DA 5 Bytes JMP 00D2A9FB C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[3092] USER32.dll!GetScrollRange 7784045A 5 Bytes JMP 00D2A8DC C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[3092] USER32.dll!SetScrollPos 778404BE 5 Bytes JMP 00D2A8B1 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[3092] USER32.dll!GetScrollPos 77840E43 5 Bytes JMP 00D2A91A C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[3092] USER32.dll!EnableScrollBar 778419CE 5 Bytes JMP 00D2AA35 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[3092] USER32.dll!ShowScrollBar 77843C89 5 Bytes JMP 00D2A97E C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\Zemana AntiMalware\ZAM.exe[3836] kernel32.dll!CreateThread + 1C 76B03779 4 Bytes CALL 0124685D C:\Program Files\Zemana AntiMalware\ZAM.exe
.text C:\Program Files\Mozilla Firefox\firefox.exe[5892] ntdll.dll!LdrLoadDll 777122B8 5 Bytes JMP 71B98290 C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5892] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76AF8996 7 Bytes JMP 5BFED9FF C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5892] kernel32.dll!GetEnvironmentStringsA + 11 76B02FB1 7 Bytes JMP 5BFEE8D2 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5892] kernel32.dll!BaseThreadInitThunk + C9 76B03CFC 7 Bytes JMP 5BCEAE7F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5892] USER32.dll!CreateWindowExA 7781BF40 5 Bytes JMP 5C16DDBF C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5892] USER32.dll!CreateWindowExW 7781EC7C 5 Bytes JMP 5BCA5294 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5892] USER32.dll!GetWindowInfo 77824B5E 5 Bytes JMP 5CC130ED C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5892] GDI32.dll!GetViewportOrgEx + 26C 7695884B 7 Bytes JMP 5BFED405 C:\Program Files\Mozilla Firefox\xul.dll

---- Devices - GMER 2.2 ----

Device \FileSystem\Ntfs \Ntfs 850601F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B03EECAA-76F2-4A71-8A4C-2CD5645B1D15} 8617B1F8
Device \Driver\PCI_PNP0661 \Device\00000050 sptd.sys
Device \Driver\usbuhci \Device\USBPDO-0 86317440
Device \Driver\usbuhci \Device\USBPDO-1 86317440
Device \Driver\usbuhci \Device\USBPDO-2 86317440
Device \Driver\usbuhci \Device\USBPDO-3 86317440
Device \Driver\usbehci \Device\USBPDO-4 86438440
Device \Driver\USBSTOR \Device\00000070 86B7E1F8
Device \Driver\USBSTOR \Device\00000071 86B7E1F8
Device \Driver\USBSTOR \Device\00000072 86B7E1F8
Device \Driver\cdrom \Device\CdRom0 8621B1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8505E1F8
Device \Driver\atapi \Device\Ide\IdePort0 8505E1F8
Device \Driver\atapi \Device\Ide\IdePort1 8505E1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 8505E1F8
Device \Driver\USBSTOR \Device\00000073 86B7E1F8
Device \Driver\cdrom \Device\CdRom1 8621B1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8617B1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{3C1AA20A-6893-46BC-AC45-0667DC60DD83} 8617B1F8
Device \Driver\usbuhci \Device\USBFDO-0 86317440
Device \Driver\usbuhci \Device\USBFDO-1 86317440
Device \Driver\usbuhci \Device\USBFDO-2 86317440
Device \Driver\USBSTOR \Device\0000006f 86B7E1F8
Device \Driver\usbuhci \Device\USBFDO-3 86317440
Device \Driver\usbehci \Device\USBFDO-4 86438440
Device \Driver\as34pa87 \Device\Scsi\as34pa871Port2Path0Target0Lun0 8646F1F8
Device \Driver\as34pa87 \Device\Scsi\as34pa871 8646F1F8

---- Trace I/O - GMER 2.2 ----

Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x8505e1f8]<< 8505e1f8
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85e3d6a8] 85e3d6a8
Trace 3 CLASSPNP.SYS[8949f59e] -> nt!IofCallDriver -> [0x85d97918] 85d97918
Trace 5 ACPI.sys[88d7d3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x85d71908] 85d71908
Trace \Driver\atapi[0x85d55db8] -> IRP_MJ_CREATE -> 0x8505e1f8 8505e1f8

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0A 0x7C 0x8C 0xFE ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xBA 0x42 0x86 0x93 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xA4 0x34 0xB5 0xCE ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0A 0x7C 0x8C 0xFE ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xBA 0x42 0x86 0x93 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xA4 0x34 0xB5 0xCE ...

---- Files - GMER 2.2 ----

ADS C:\Windows\System32\drivers:ucdrv-x86.sys 39624 bytes executable
ADS C:\Windows\System32\drivers:x86 602512 bytes executable
File C:\Windows\Temp\TMP00000014F2A6F49A5F963BBE 0 bytes

---- EOF - GMER 2.2 ----