GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-18 14:36:32 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006a ST350041 rev.CC35 465,76GB Running: ghp9juvk.exe; Driver: C:\Users\Kolbe\AppData\Local\Temp\kwddykod.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff8800ff3ad24 12 bytes {MOV RAX, 0xfffffa8004bd62a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[548] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Windows\system32\services.exe[616] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[760] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[792] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[876] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[900] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075fda322 1 byte [62] .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[340] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[452] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1056] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1132] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1140] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Program Files (x86)\netcut\services\AIPS.exe[1344] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075fda322 1 byte [62] .text C:\Program Files (x86)\netcut\services\AIPS.exe[1344] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000754b1465 2 bytes [4B, 75] .text C:\Program Files (x86)\netcut\services\AIPS.exe[1344] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754b14bb 2 bytes [4B, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[1888] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075fda322 1 byte [62] .text C:\Users\Kolbe\AppData\Local\FluxSoftware\Flux\flux.exe[1952] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075fda322 1 byte [62] .text C:\Users\Kolbe\AppData\Local\FluxSoftware\Flux\flux.exe[1952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000754b1465 2 bytes [4B, 75] .text C:\Users\Kolbe\AppData\Local\FluxSoftware\Flux\flux.exe[1952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754b14bb 2 bytes [4B, 75] .text ... * 2 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1340] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1944] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2028] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075fda322 1 byte [62] .text C:\Windows\system32\svchost.exe[2160] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[2440] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Windows\SysWOW64\NLSSRV32.EXE[3132] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075fda322 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3408] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3740] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075fda322 1 byte [62] .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[3788] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075fda322 1 byte [62] .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[3788] C:\Program Files (x86)\PANDORA.TV\PanService\avformat-53.dll!ff_http_auth_create_response + 294 000000006ab32c36 4 bytes [24, D9, B9, 68] .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[3788] C:\Program Files (x86)\PANDORA.TV\PanService\avformat-53.dll!ff_mp4_read_dec_config_descr + 435 000000006ab37e43 4 bytes [74, 4C, 09, 66] .text C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe[3788] C:\Program Files (x86)\PANDORA.TV\PanService\avformat-53.dll!ff_nut_add_sp + 70 000000006ab75de6 4 bytes [20, EF, B9, 68] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[3964] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075fda322 1 byte [62] .text C:\Windows\system32\svchost.exe[3984] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3848] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Windows\system32\conhost.exe[3896] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1544] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2772] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4280] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Windows\explorer.exe[1468] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707eecd 1 byte [62] .text C:\Users\Kolbe\Downloads\ghp9juvk.exe[3632] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075fda322 1 byte [62] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IofCallDriver] [fffff88001073710] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001056f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001056cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800105769c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001057a98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010578f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa800419a2c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa800419a2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa800419a2c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa800419a2c0 Device \Driver\ayxmmh0p \Device\Scsi\ayxmmh0p1Port5Path0Target0Lun0 fffffa8004d3b2c0 Device \Driver\ayxmmh0p \Device\Scsi\ayxmmh0p1 fffffa8004d3b2c0 Device \FileSystem\Ntfs \Ntfs fffffa80041a22c0 Device \FileSystem\fastfat \Fat fffffa8005f822c0 Device \Driver\nvstor \Device\0000006a fffffa800419c2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8004d0b2c0 Device \Driver\nvstor \Device\RaidPort0 fffffa800419c2c0 Device \Driver\cdrom \Device\CdRom0 fffffa80049882c0 Device \Driver\nvstor \Device\RaidPort1 fffffa800419c2c0 Device \Driver\cdrom \Device\CdRom1 fffffa80049882c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa8004cd62c0 Device \Driver\nvstor \Device\0000006c fffffa800419c2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8004d0b2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004ad52c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{4ACB4215-3E64-408A-A62D-BCD46EE2C372} fffffa8004ad52c0 Device \Driver\atapi \Device\ScsiPort0 fffffa800419a2c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa8004cd62c0 Device \Driver\atapi \Device\ScsiPort1 fffffa800419a2c0 Device \Driver\nvstor \Device\ScsiPort2 fffffa800419c2c0 Device \Driver\nvstor \Device\ScsiPort3 fffffa800419c2c0 Device \Driver\atapi \Device\ScsiPort4 fffffa800419a2c0 Device \Driver\ayxmmh0p \Device\ScsiPort5 fffffa8004d3b2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800419c2c0]<< sptd.sys storport.sys hal.dll nvstor.sys fffffa800419c2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80044c5060] fffffa80044c5060 Trace 3 CLASSPNP.SYS[fffff8800181743f] -> nt!IofCallDriver -> [0xfffffa80041ca520] fffffa80041ca520 Trace 5 ACPI.sys[fffff88000f867a1] -> nt!IofCallDriver -> \Device\0000006a[0xfffffa80041c99c0] fffffa80041c99c0 Trace \Driver\nvstor[0xfffffa8003699820] -> IRP_MJ_CREATE -> 0xfffffa800419c2c0 fffffa800419c2c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\ayxmmh0p.SYS fffff88005239000-fffff88005285000 (311296 bytes) ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x29 0x89 0x79 0xA5 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xA8 0x66 0x12 0x0D ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x0A 0x0F 0xF2 0xC3 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x29 0x89 0x79 0xA5 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xA8 0x66 0x12 0x0D ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x0A 0x0F 0xF2 0xC3 ... Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Program Files (x86)\Happies\\x2013\x2026\x83w\x83\x201d\x83\x201c\x81`\x201a\xa8Z\x201a\x201a\x201a\x2018D\x201a\xab\x201a\x2013\x2026\x201a\x2dd\x201a\x201aƊ\x201a\xa6\x201a\x201a\xad\x201aU\x201a\x201a\x201a\xad\x201a\x83G\x0083b\x83`\x90\xb6\x88\x81`\unins000.exe 1 ---- EOF - GMER 2.1 ----