GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-22 19:50:52 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.01.0 298,09GB Running: vr71jz2m.exe; Driver: C:\Users\Samsung\AppData\Local\Temp\pxrorfoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff800031eb000 8 bytes [00, 00, 10, 02, 4E, 74, 66, ...] INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 576 fffff800031eb010 29 bytes [45, 07, E8, 00, 80, FA, FF, ...] PAGE C:\windows\system32\drivers\ataport.SYS!DllUnload fffff8800147f4a0 12 bytes {MOV RAX, 0xfffffa80035072a0; JMP RAX} PAGE C:\windows\system32\drivers\PCIIDEX.SYS!DllUnload fffff880014a0a50 12 bytes {MOV RAX, 0xfffffa80035262a0; JMP RAX} .text C:\windows\system32\drivers\USBPORT.SYS!DllUnload fffff880030bcd64 12 bytes {MOV RAX, 0xfffffa80048fb2a0; JMP RAX} .text C:\windows\System32\win32k.sys!W32pServiceTable fffff96000124000 7 bytes [80, 93, F3, FF, 01, 9D, F0] .text C:\windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000124008 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1568] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075df87b1 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1568] C:\windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000764c1465 2 bytes [4C, 76] .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1568] C:\windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000764c14bb 2 bytes [4C, 76] .text ... * 2 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1712] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000764c1465 2 bytes [4C, 76] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1712] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764c14bb 2 bytes [4C, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2332] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000764c1465 2 bytes [4C, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2332] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764c14bb 2 bytes [4C, 76] .text ... * 2 .text C:\Program Files (x86)\Anti-AD Guard 2.1 Pro\adguard.exe[3660] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000764c1465 2 bytes [4C, 76] .text C:\Program Files (x86)\Anti-AD Guard 2.1 Pro\adguard.exe[3660] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764c14bb 2 bytes [4C, 76] .text ... * 2 .text C:\windows\SysWOW64\RunDll32.exe[1596] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000764c1465 2 bytes [4C, 76] .text C:\windows\SysWOW64\RunDll32.exe[1596] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764c14bb 2 bytes [4C, 76] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4144] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000764c1465 2 bytes [4C, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4144] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764c14bb 2 bytes [4C, 76] .text ... * 2 .text C:\windows\SysWOW64\svchost.exe[4688] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000764c1465 2 bytes [4C, 76] .text C:\windows\SysWOW64\svchost.exe[4688] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764c14bb 2 bytes [4C, 76] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800109df1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800109dcc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800109e69c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800109ea98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800109e8f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa8003e872c0 Device \FileSystem\fastfat \Fat fffffa8007fa62c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{5115C374-6E2B-4C64-99A8-D9F1CFEC6CB9} fffffa800498e2c0 Device \Driver\USBSTOR \Device\0000009a fffffa8006fe42c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa800686f2c0 Device \Driver\cdrom \Device\CdRom0 fffffa80047f62c0 Device \Driver\USBSTOR \Device\0000009b fffffa8006fe42c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa800686f2c0 Device \Driver\USBSTOR \Device\00000099 fffffa8006fe42c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa800686f2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{4429F63D-F174-400C-A538-359BF4088D05} fffffa800498e2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800498e2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa800686f2c0 ---- Threads - GMER 2.1 ---- Thread C:\windows\System32\svchost.exe [2068:2608] 000007fef8869688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002454f1e1f0 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\dca971071cd6 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e0ca94433764 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e839df1ff857 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4D 0x10 0x90 0x14 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002454f1e1f0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\dca971071cd6 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e0ca94433764 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e839df1ff857 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4D 0x10 0x90 0x14 ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----