GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-11-07 20:21:36 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AC1 465,76GB Running: yt7iqzx4.exe; Driver: C:\Users\marta\AppData\Local\Temp\uxldypow.sys ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 83685A15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 836BF212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ? System32\Drivers\spqn.sys System nie może odnaleźć określonej ścieżki. (Polish OS error text: "The system cannot find the path specified.") ! ---- User code sections - GMER 2.2 ---- .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtCreateFile + 6 76FF560E 4 Bytes [28, F8, D5, 00] {SUB AL, BH; AAD 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtCreateFile + B 76FF5613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtMapViewOfSection + 6 76FF5C6E 4 Bytes [28, FB, D5, 00] {SUB BL, BH; AAD 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtMapViewOfSection + B 76FF5C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtOpenFile + 6 76FF5D1E 4 Bytes [68, F8, D5, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtOpenFile + B 76FF5D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtOpenProcess + 6 76FF5DCE 4 Bytes [A8, F9, D5, 00] {TEST AL, 0xf9; AAD 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtOpenProcess + B 76FF5DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtOpenProcessToken + 6 76FF5DDE 4 Bytes CALL 760033DC .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtOpenProcessToken + B 76FF5DE3 1 Byte [E2] .text C:\Program 
Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtOpenProcessTokenEx + 6 76FF5DEE 4 Bytes [A8, FA, D5, 00] {TEST AL, 0xfa; AAD 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtOpenProcessTokenEx + B 76FF5DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtOpenThread + 6 76FF5E4E 4 Bytes [68, F9, D5, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtOpenThread + B 76FF5E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtOpenThreadToken + 6 76FF5E5E 4 Bytes [68, FA, D5, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtOpenThreadToken + B 76FF5E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtOpenThreadTokenEx + 6 76FF5E6E 4 Bytes CALL 7600346D .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtOpenThreadTokenEx + B 76FF5E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtQueryAttributesFile + 6 76FF5F7E 4 Bytes [A8, F8, D5, 00] {TEST AL, 0xf8; AAD 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtQueryAttributesFile + B 76FF5F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtQueryFullAttributesFile + 6 76FF602E 4 Bytes CALL 7600362B .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtQueryFullAttributesFile + B 76FF6033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtSetInformationFile + 6 76FF667E 4 Bytes [28, F9, D5, 00] {SUB CL, BH; AAD 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtSetInformationFile + B 76FF6683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtSetInformationThread + 6 76FF66DE 4 Bytes [28, FA, D5, 00] {SUB DL, BH; AAD 0x0} 
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtSetInformationThread + B 76FF66E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtUnmapViewOfSection + 6 76FF69FE 4 Bytes [68, FB, D5, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2872] ntdll.dll!NtUnmapViewOfSection + B 76FF6A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtCreateFile + 6 76FF560E 4 Bytes [28, 1C, 53, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtCreateFile + B 76FF5613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtMapViewOfSection + 6 76FF5C6E 4 Bytes [28, 1F, 53, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtMapViewOfSection + B 76FF5C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtOpenFile + 6 76FF5D1E 4 Bytes [68, 1C, 53, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtOpenFile + B 76FF5D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtOpenProcess + 6 76FF5DCE 4 Bytes [A8, 1D, 53, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtOpenProcess + B 76FF5DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtOpenProcessToken + 6 76FF5DDE 4 Bytes CALL 75FFB100 .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtOpenProcessToken + B 76FF5DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtOpenProcessTokenEx + 6 76FF5DEE 4 Bytes [A8, 1E, 53, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtOpenProcessTokenEx + B 76FF5DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtOpenThread + 6 76FF5E4E 4 Bytes [68, 1D, 53, 00] .text 
C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtOpenThread + B 76FF5E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtOpenThreadToken + 6 76FF5E5E 4 Bytes [68, 1E, 53, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtOpenThreadToken + B 76FF5E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtOpenThreadTokenEx + 6 76FF5E6E 4 Bytes CALL 75FFB191 .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtOpenThreadTokenEx + B 76FF5E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtQueryAttributesFile + 6 76FF5F7E 4 Bytes [A8, 1C, 53, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtQueryAttributesFile + B 76FF5F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtQueryFullAttributesFile + 6 76FF602E 4 Bytes CALL 75FFB34F .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtQueryFullAttributesFile + B 76FF6033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtSetInformationFile + 6 76FF667E 4 Bytes [28, 1D, 53, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtSetInformationFile + B 76FF6683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtSetInformationThread + 6 76FF66DE 4 Bytes [28, 1E, 53, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtSetInformationThread + B 76FF66E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtUnmapViewOfSection + 6 76FF69FE 4 Bytes [68, 1F, 53, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4236] ntdll.dll!NtUnmapViewOfSection + B 76FF6A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5652] 
ntdll.dll!NtMapViewOfSection + 6 76FF5C6E 4 Bytes [18, D0, CB, 6D] {SBB AL, DL; RETF ; INS DWORD [ES:EDI], DX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5652] ntdll.dll!NtMapViewOfSection + B 76FF5C73 1 Byte [E2] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\windows\Explorer.EXE[2336] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [739E249F] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[2336] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [739C5652] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[2336] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [739C5710] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[2336] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipFree] [739E251A] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[2336] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [739D857E] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[2336] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [739D4D32] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[2336] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [739D50D9] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[2336] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [739D51AE] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT 
C:\windows\Explorer.EXE[2336] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [739D66DB] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[2336] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [739D82D5] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[2336] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [739D8824] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[2336] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [739D9085] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[2336] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [739DE228] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[2336] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [739D4C64] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll ---- Devices - GMER 2.2 ---- Device \FileSystem\Ntfs \Ntfs 862EC1F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{FAB8EDF7-DDA7-4EBF-8E3E-36EF1C77A271} 88ECD1F8 Device \Driver\BTHUSB \Device\0000008e bthport.sys Device \Driver\BTHUSB \Device\0000008e bthport.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys Device \Driver\volmgr \Device\VolMgrControl 862E61F8 ---- Trace I/O - GMER 2.2 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spqn.sys halmacpi.dll >>UNKNOWN [0x862be938]<< 862be938 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x88c28ac8] 88c28ac8 Trace 3 
CLASSPNP.SYS[8d86c59e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8703c028] 8703c028 ---- Threads - GMER 2.2 ---- Thread System [4:1536] A4DAEF2E ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\rdyboost\Parameters@LastBootPlanUserTime ?Pn?, ?lis ?07 ?16, 07:30:10??????????????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x16 0xA7 0x38 0x67 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE2 0xA5 0x62 0xDF ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xCE 0xAD 0x73 0x91 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000046@ProtocolName MSAFD NetBIOS [\Device\NetBT_Tcpip6_{2F2591B2-2EDD-428A-986B-6172DFB5F883}] SEQPACKET 2 Reg HKLM\SYSTEM\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000047@ProtocolName MSAFD NetBIOS [\Device\NetBT_Tcpip6_{2F2591B2-2EDD-428A-986B-6172DFB5F883}] DATAGRAM 2 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x16 0xA7 0x38 0x67 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE2 0xA5 0x62 0xDF ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xCE 0xAD 0x73 0x91 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate@LastRestorePointSetTime 2015-12-03 17:12:33 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.2 ---- File C:\Users\marta\AppData\Roaming\Microsoft\Windows\Recent\IMG_9459.lnk 0 bytes ---- EOF - GMER 2.2 ----