GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-02-10 19:15:31 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk3\DR3 -> \Device\Ide\IdeDeviceP3T1L0-9 OCZ-AGILITY3 rev.2.15 111,79GB Running: d6ehnqm5.exe; Driver: x:\temp\Temp\uxldipog.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960001b3e00 7 bytes [00, 96, F3, FF, 01, A1, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960001b3e08 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd7145c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\system32\ws2_32.dll!getsockname 000007fefd719480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd73e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\system32\ws2_32.dll!getpeername 000007fefd73e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\Explorer.EXE[1852] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd7145c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\Explorer.EXE[1852] C:\Windows\system32\ws2_32.dll!getsockname 000007fefd719480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\Explorer.EXE[1852] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd73e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\Explorer.EXE[1852] C:\Windows\system32\ws2_32.dll!getpeername 000007fefd73e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\UltraMon\UltraMonTaskbar.exe[2128] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefd7145c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\UltraMon\UltraMonTaskbar.exe[2128] C:\Windows\system32\ws2_32.dll!getsockname 000007fefd719480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\UltraMon\UltraMonTaskbar.exe[2128] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefd73e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\UltraMon\UltraMonTaskbar.exe[2128] C:\Windows\system32\ws2_32.dll!getpeername 000007fefd73e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[2704] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075212aa4 5 bytes JMP 0000000142f10ffc .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[2704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000757d1465 2 bytes [7D, 75] .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[2704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000757d14bb 2 bytes [7D, 75] .text ... * 2 .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[2576] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075212aa4 5 bytes JMP 0000000142f10ffc .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[2576] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000757d1465 2 bytes [7D, 75] .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[2576] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000757d14bb 2 bytes [7D, 75] .text ... * 2 .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[2660] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075212aa4 5 bytes JMP 0000000142f10ffc .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000757d1465 2 bytes [7D, 75] .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[2660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000757d14bb 2 bytes [7D, 75] .text ... * 2 .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[2696] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075212aa4 5 bytes JMP 0000000142f10ffc .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[2696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000757d1465 2 bytes [7D, 75] .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[2696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000757d14bb 2 bytes [7D, 75] .text ... * 2 .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[3196] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075212aa4 5 bytes JMP 0000000142f10ffc .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000757d1465 2 bytes [7D, 75] .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000757d14bb 2 bytes [7D, 75] .text ... * 2 .text C:\Program Files (x86)\Maxthon3\Bin\Maxthon.exe[3532] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075212aa4 5 bytes JMP 0000000142f10ffc ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBD 0x81 0xC7 0x48 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x00 0xB2 0xB9 0xB4 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x77 0x50 0x02 0x9F ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x76 0x23 0x58 0x6E ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x03 0xDA 0x41 0xE0 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF5 0x6E 0x14 0xBF ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA4 0xD7 0xC8 0xEF ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE9 0xC0 0xB6 0x99 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3C 0x13 0x5E 0xEC ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF5 0x6E 0x14 0xBF ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x47 0x1F 0x99 0x71 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE9 0xC0 0xB6 0x99 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3C 0x13 0x5E 0xEC ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF5 0x6E 0x14 0xBF ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x47 0x1F 0x99 0x71 ... Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows@UserSelectedDefault 1 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows@ENW7MThreadingNum 75675;65 Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows@Device Brother DCP-385C Printer,winspool,Ne01: Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows@Load C:\NTKernel\nt32.exe ---- EOF - GMER 2.1 ----