GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-07-19 18:09:50
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-2 Hitachi_HDS721616PLA380 rev.P22OA70A 153,39GB
Running: 84r5up3g.exe; Driver: C:\Users\zby\AppData\Local\Temp\uwldypow.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\system32\DRIVERS\athsgt.sys  section is writeable [0xA15D4300, 0x21F20, 0xE8000020]

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\Explorer.EXE[304] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]  [742F7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[304] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]  [7434A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[304] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]  [742FBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[304] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]  [742EF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[304] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]  [742F75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[304] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]  [742EE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[304] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]  [74328395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[304] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]  [742FDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[304] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]  [742EFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[304] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]  [742EFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[304] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]  [742E71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[304] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]  [7437CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[304] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]  [7431C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[304] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]  [742ED968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[304] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]  [742E6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[304] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]  [742E687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[304] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]  [742F2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll

---- Devices - GMER 2.1 ----

Device  \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-2  sfsync02.sys
Device  \Driver\atapi \Device\Ide\IdePort0  sfsync02.sys
Device  \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-5  sfsync02.sys
Device  \Driver\atapi \Device\Ide\IdePort1  sfsync02.sys
Device  \Driver\atapi \Device\Ide\IdePort2  sfsync02.sys
Device  \Driver\atapi \Device\Ide\IdePort3  sfsync02.sys
Device  \Driver\atapi \Device\Ide\IdePort4  sfsync02.sys
Device  \Driver\atapi \Device\Ide\IdePort5  sfsync02.sys
Device  \Driver\dtsoftbus01 \Device\DTSoftBusCtl  sfsync02.sys
Device  \Driver\dtsoftbus01 \Device\00000086  sfsync02.sys

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  \??\C:\Users\zby\AppData\Local\Temp\MSNET-7e2779a5.NVX??
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Ecache\Parameters@MemoryCacheSize  361171626
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Ecache\Parameters@LastBootPlanUserTime  Pt, lip 19 13, 03:54:59????????????????
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Ecache\Parameters@LastBootPlanTime  0x87 0x84 0xCE 0x01 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\nvsvc@ImagePath  C:\Windows\system32\nvvsvc.exe
Reg  HKLM\SYSTEM\CurrentControlSet\Services\nvsvc
Reg  HKLM\SYSTEM\CurrentControlSet\Services\nvUpdatusService@ImagePath  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
Reg  HKLM\SYSTEM\CurrentControlSet\Services\nvUpdatusService@DelayedAutostart  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\nvUpdatusService
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  15489
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0xC1 0x61 0xA8 0x67 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xAC 0x92 0x8A 0x9A ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{500E8F66-043A-441A-8028-FF20A95C1AA9}@LeaseObtainedTime  1374241957
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{500E8F66-043A-441A-8028-FF20A95C1AA9}@T1  1374245557
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{500E8F66-043A-441A-8028-FF20A95C1AA9}@T2  1374248257
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{500E8F66-043A-441A-8028-FF20A95C1AA9}@LeaseTerminatesTime  1374249157
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0xC1 0x61 0xA8 0x67 ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  1
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xAC 0x92 0x8A 0x9A ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0xC1 0x61 0xA8 0x67 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  1
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xAC 0x92 0x8A 0x9A ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)