GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-04-14 21:34:50 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD1600JS-60NCB1 rev.10.02E02 149,05GB Running: jhnmqgsg.exe; Driver: C:\Users\UZYTKO~1\AppData\Local\Temp\pxldapow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x8E0263D4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0x8E0E39F4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAlpcSendWaitReceivePort [0x8E0290E0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x8E026EB2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x8E03328A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x8E0332D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x8E033470] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x8E0331F8] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x8E0E3DCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x8E033240] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x8E0E405E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x8E03342A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x8E027CA0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x8E02643A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwDuplicateObject [0x8E0E424C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0x8E0E3ACC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwLoadDriver [0x8E0E0C5C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x8E0E3EAE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x8E0264A0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x8E02B228] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x8E0287E4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x8E0332B4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x8E0332F8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x8E033494] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x8E03321E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x8E02A72A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x8E0333A8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x8E033268] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x8E02AB16] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x8E03344E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x8E0E3C4C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x8E0285FC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0x8E028152] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwReplyWaitReceivePort [0x8E02D1A0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwReplyWaitReceivePortEx [0x8E0290B4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x8E026506] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x8E02656C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x8E0E3FAA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x8E0260C0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x8E026292] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x8E026220] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x8E027E6A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x8E027FCC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x8E02631A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x8E0E3D1A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x8E027AFA] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0x8E0E0C8C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x8E0265D2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x8E0E3B7E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x8E0E4148] INT 0x52 ? 868D8CB8 INT 0x62 ? 868D8CB8 INT 0x92 ? 84C98CB8 INT 0xA2 ? 84C98CB8 INT 0xB3 ? 868D8CB8 ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetEvent + 10D 82CAE778 4 Bytes [D4, 63, 02, 8E] .text ntkrnlpa.exe!KeSetEvent + 131 82CAE79C 4 Bytes [F4, 39, 0E, 8E] .text ntkrnlpa.exe!KeSetEvent + 181 82CAE7EC 4 Bytes CALL 855BC873 .text ntkrnlpa.exe!KeSetEvent + 191 82CAE7FC 4 Bytes CALL 85399A83 .text ntkrnlpa.exe!KeSetEvent + 1D1 82CAE83C 8 Bytes [8A, 32, 03, 8E, D6, 32, 03, ...] {MOV DH, [EDX]; ADD ECX, [ESI-0x71fccd2a]} .text ... .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x80747FEE] .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8CE05000, 0x38E905, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[1312] ntdll.dll!LdrLoadDll 778393BE 5 Bytes JMP 604BA78B C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1312] ntdll.dll!LdrUnloadDll 7784B620 5 Bytes JMP 000603FC .text C:\Program Files\Mozilla Firefox\firefox.exe[1312] KERNEL32.dll!HeapSetInformation + 26 7639A9A0 7 Bytes JMP 58E8030F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1312] KERNEL32.dll!LockResource + C 763B6C73 7 Bytes JMP 591163D9 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1312] KERNEL32.dll!VirtualAllocEx + 54 763BB0F0 7 Bytes JMP 59116DF6 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1312] USER32.dll!CreateWindowExA 761FDC2A 5 Bytes JMP 591FD515 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1312] USER32.dll!CreateWindowExW 76201305 5 Bytes JMP 58E5F5F8 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1312] USER32.dll!GetWindowInfo 7620428E 5 Bytes JMP 59C8BE60 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1312] GDI32.dll!Rectangle + AE 769C7C4F 7 Bytes JMP 59115D25 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1676] kernel32.dll!SetUnhandledExceptionFilter 7639A9A5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\avastui.exe[2296] kernel32.dll!SetUnhandledExceptionFilter 7639A9A5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\CCleaner\CCleaner.exe[2776] USER32.dll!SetScrollRange 761FD185 5 Bytes JMP 010D62A9 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2776] USER32.dll!GetScrollInfo 761FF073 5 Bytes JMP 010D623C C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2776] USER32.dll!ShowScrollBar 761FF8AE 5 Bytes JMP 010D626F C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2776] USER32.dll!SetScrollInfo 762071D8 5 Bytes JMP 010D62E0 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2776] USER32.dll!EnableScrollBar 7621AF53 5 Bytes JMP 010D6314 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2776] USER32.dll!GetScrollPos 7622337D 5 Bytes JMP 010D6217 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2776] USER32.dll!GetScrollRange 762234A5 5 Bytes JMP 010D61DF C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2776] USER32.dll!SetScrollPos 76223602 5 Bytes JMP 010D61BA C:\Program Files\CCleaner\CCleaner.exe ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 84C9F1F8 Device \Driver\usbuhci \Device\USBPDO-0 868FC1F8 Device \Driver\usbuhci \Device\USBPDO-1 868FC1F8 Device \Driver\usbuhci \Device\USBPDO-2 868FC1F8 Device \Driver\USBSTOR \Device\00000060 86996440 Device \Driver\usbuhci \Device\USBPDO-3 868FC1F8 Device \Driver\USBSTOR \Device\00000061 86996440 Device \Driver\usbehci \Device\USBPDO-4 868FE1F8 Device \Driver\tdx \Device\Tcp aswStmXP.sys AttachedDevice \Driver\tdx \Device\Tcp aswRdr.sys Device \Driver\USBSTOR \Device\00000062 86996440 AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 ngvss.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 ngvss.sys Device \Driver\cdrom \Device\CdRom0 869051F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84C9E1F8 Device \Driver\atapi \Device\Ide\IdePort0 84C9E1F8 Device \Driver\atapi \Device\Ide\IdePort1 84C9E1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 84C9E1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 ngvss.sys Device \Driver\tdx \Device\RawIp6 aswStmXP.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 ngvss.sys Device \Driver\netbt \Device\NetBT_Tcpip_{9837277D-840E-4B00-89A3-FDDB0C198B84} 86D75440 AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 ngvss.sys Device \Driver\tdx \Device\Tcp6 aswStmXP.sys Device \Driver\netbt \Device\NetBt_Wins_Export 86D75440 Device \Driver\Smb \Device\NetbiosSmb 86E281F8 Device \Driver\tdx \Device\Tdx aswStmXP.sys Device \Driver\iScsiPrt \Device\RaidPort0 869B01F8 Device \Driver\tdx \Device\Udp aswStmXP.sys Device \Driver\tdx \Device\RawIp aswStmXP.sys Device \Driver\USBSTOR \Device\0000005e 86996440 Device \Driver\USBSTOR \Device\0000005f 86996440 Device \Driver\usbuhci \Device\USBFDO-0 868FC1F8 Device \Driver\usbuhci \Device\USBFDO-1 868FC1F8 Device \Driver\tdx \Device\Udp6 aswStmXP.sys Device \Driver\usbuhci \Device\USBFDO-2 868FC1F8 Device \Driver\usbuhci \Device\USBFDO-3 868FC1F8 Device \Driver\usbehci \Device\USBFDO-4 868FE1F8 Device \FileSystem\cdfs \Cdfs 87B85440 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84c9e1f8]<< 84c9e1f8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x860c0850] 860c0850 Trace 3 CLASSPNP.SYS[88dc18b3] -> nt!IofCallDriver -> [0x85089918] 85089918 Trace 5 acpi.sys[807746bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x84d20030] 84d20030 Trace \Driver\atapi[0x84cde2b0] -> IRP_MJ_CREATE -> 0x84c9e1f8 84c9e1f8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet011\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet011\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 ---- EOF - GMER 2.1 ----