GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-04-24 10:13:49 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0006 465,76GB Running: 58did7pn.exe; Driver: C:\Users\MAREKA~1\AppData\Local\Temp\uxlirpoc.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff88006f1ec34 12 bytes {MOV RAX, 0xfffffa8006aa42a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\ProgramData\IePluginService\PluginService.exe[1396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c31465 2 bytes [C3, 74] .text C:\ProgramData\IePluginService\PluginService.exe[1396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c314bb 2 bytes [C3, 74] .text ... * 2 .text C:\ProgramData\WPM\wprotectmanager.exe[1652] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c31465 2 bytes [C3, 74] .text C:\ProgramData\WPM\wprotectmanager.exe[1652] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c314bb 2 bytes [C3, 74] .text ... * 2 .text C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c31465 2 bytes [C3, 74] .text C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe[1892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c314bb 2 bytes [C3, 74] .text ... * 2 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[2548] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c31465 2 bytes [C3, 74] .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[2548] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c314bb 2 bytes [C3, 74] .text ... * 2 .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[2752] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000074c31465 2 bytes [C3, 74] .text C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[2752] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000074c314bb 2 bytes [C3, 74] .text ... * 2 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[2820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c31465 2 bytes [C3, 74] .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[2820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c314bb 2 bytes [C3, 74] .text ... * 2 .text C:\Users\Marek Atłachowicz\AppData\Roaming\ICQM\icq.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c31465 2 bytes [C3, 74] .text C:\Users\Marek Atłachowicz\AppData\Roaming\ICQM\icq.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c314bb 2 bytes [C3, 74] .text ... * 2 .text C:\Program Files (x86)\ChomikBox\chomikbox.exe[4824] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c31465 2 bytes [C3, 74] .text C:\Program Files (x86)\ChomikBox\chomikbox.exe[4824] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c314bb 2 bytes [C3, 74] .text ... * 2 .text C:\Windows\SysWOW64\RunDll32.exe[1340] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c31465 2 bytes [C3, 74] .text C:\Windows\SysWOW64\RunDll32.exe[1340] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c314bb 2 bytes [C3, 74] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c31465 2 bytes [C3, 74] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c314bb 2 bytes [C3, 74] .text ... * 2 .text C:\Windows\SysWOW64\OTL.exe[1016] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000074c31465 2 bytes [C3, 74] .text C:\Windows\SysWOW64\OTL.exe[1016] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 0000000074c314bb 2 bytes [C3, 74] .text ... * 2 .text C:\Program Files (x86)\Last.fm\Last.fm Scrobbler.exe[5456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c31465 2 bytes [C3, 74] .text C:\Program Files (x86)\Last.fm\Last.fm Scrobbler.exe[5456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c314bb 2 bytes [C3, 74] .text ... * 2 .text C:\Program Files (x86)\qualitink\updatequalitink.exe[888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c31465 2 bytes [C3, 74] .text C:\Program Files (x86)\qualitink\updatequalitink.exe[888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c314bb 2 bytes [C3, 74] .text ... * 2 .text C:\Program Files (x86)\qualitink\bin\utilqualitink.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c31465 2 bytes [C3, 74] .text C:\Program Files (x86)\qualitink\bin\utilqualitink.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c314bb 2 bytes [C3, 74] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010aded8] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010adc7c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010ae658] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010aea54] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010ae8b0] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa80035272c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8006c462c0 Device \Driver\cdrom \Device\CdRom0 fffffa80064172c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{A3BBF46B-A159-4BF4-B070-5D52FC44EA02} fffffa80069152c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8006c462c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{FCCB9CFF-7B76-46F5-A504-F6C1EE5BE0D5} fffffa80069152c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8006c462c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{2A68F1C2-1394-42F2-AD2B-A250EA5BA904} fffffa80069152c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80069152c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8006c462c0 ---- Threads - GMER 2.1 ---- Thread [3764:3772] 000007fef8866e50 Thread [3764:3880] 000007fef63e11e0 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5552:5576] 0000000076667587 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5552:5608] 000000006bd40cb3 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5552:5816] 0000000076ff41fa Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5552:6140] 0000000076ff6689 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5552:1460] 0000000076ff6689 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [5552:1760] 0000000076ff6689 ---- Processes - GMER 2.1 ---- Process C:\ProgramData\WPM\wprotectmanager.exe (*** suspicious ***) @ C:\ProgramData\WPM\wprotectmanager.exe [1652] (WPM Service/Cherished Technololgy LIMITED)(2 00000000011d0000 Process C:\Users\Marek Atłachowicz\AppData\Local\UpdateChecker\UpdateCheckerApp.exe (*** suspicious ***) @ C:\Users\Marek Atłachowicz\AppData\Local\UpdateChecker\UpdateCheckerApp.exe [4284](2014-02-18 04:54:56) 0000000000ad0000 Library C:\Users\Marek Atłachowicz\AppData\Roaming\ICQM\vivo.dll (*** suspicious ***) @ C:\Users\Marek Atłachowicz\AppData\Roaming\ICQM\icq.exe [4584] (vivo Dynamic Link Library - icq build 2011/goober Networks, Inc.)(2013-03-18 21:54:59) 000000006c450000 Library C:\Users\Marek Atłachowicz\AppData\Roaming\ICQM\ICQ\dll\YLUSBTEL.dll (*** suspicious ***) @ C:\Users\Marek Atłachowicz\AppData\Roaming\ICQM\icq.exe [4584](2013-03-18 21:54:59) 000000000a4f0000 Library C:\Users\Marek Atłachowicz\AppData\Roaming\ICQM\ICQ\dll\MousePhone.dll (*** suspicious ***) @ C:\Users\Marek Atłachowicz\AppData\Roaming\ICQM\icq.exe [4584] (BT Mouse Phone/ )(2013-03-18 21:54:59) 00000000085f0000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076a27b11 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\889ffad6cdba Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x2E 0x69 0x4F 0x83 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x18 0xBB 0x17 0x31 ... Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{FCCB9CFF-7B76-46F5-A504-F6C1EE5BE0D5}@LeaseObtainedTime 1398294276 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{FCCB9CFF-7B76-46F5-A504-F6C1EE5BE0D5}@T1 1398726276 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{FCCB9CFF-7B76-46F5-A504-F6C1EE5BE0D5}@T2 1399050276 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{FCCB9CFF-7B76-46F5-A504-F6C1EE5BE0D5}@LeaseTerminatesTime 1399158276 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076a27b11 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\889ffad6cdba (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x2E 0x69 0x4F 0x83 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDA 0xF0 0xDD 0x0B ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x04 0x8A 0xB6 0x18 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xB5 0x13 0x62 0xFD ... ---- EOF - GMER 2.1 ----