GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-06-03 21:03:19 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.AXM0 119,24GB Running: cp3dfesc.exe; Driver: C:\Users\T420\AppData\Local\Temp\aftcraod.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002e04000 27 bytes [48, 8D, 4C, 24, 20, 45, 0F, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 556 fffff80002e0401c 46 bytes {LEA ECX, [RSP+0x20]; CALL 0xfffffffffffda3f4} ---- User code sections - GMER 2.1 ---- .text C:\ProgramData\WPM\wprotectmanager.exe[1484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756e1465 2 bytes [6E, 75] .text C:\ProgramData\WPM\wprotectmanager.exe[1484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756e14bb 2 bytes [6E, 75] .text ... * 2 .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1812] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756e1465 2 bytes [6E, 75] .text C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1812] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756e14bb 2 bytes [6E, 75] .text ... * 2 .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[1932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756e1465 2 bytes [6E, 75] .text C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[1932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756e14bb 2 bytes [6E, 75] .text ... * 2 .text C:\Program Files (x86)\Freemake\CaptureLib\CaptureLibService.exe[2624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756e1465 2 bytes [6E, 75] .text C:\Program Files (x86)\Freemake\CaptureLib\CaptureLibService.exe[2624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756e14bb 2 bytes [6E, 75] .text ... * 2 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756e1465 2 bytes [6E, 75] .text C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[2368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756e14bb 2 bytes [6E, 75] .text ... * 2 .text C:\Program Files (x86)\Rock Turner\updateRockTurner.exe[2996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756e1465 2 bytes [6E, 75] .text C:\Program Files (x86)\Rock Turner\updateRockTurner.exe[2996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756e14bb 2 bytes [6E, 75] .text ... * 2 .text C:\Program Files (x86)\Rock Turner\bin\utilRockTurner.exe[3236] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756e1465 2 bytes [6E, 75] .text C:\Program Files (x86)\Rock Turner\bin\utilRockTurner.exe[3236] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756e14bb 2 bytes [6E, 75] .text ... * 2 .text C:\Program Files\Lenovo\AutoLock\ALCKRESI.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756e1465 2 bytes [6E, 75] .text C:\Program Files\Lenovo\AutoLock\ALCKRESI.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756e14bb 2 bytes [6E, 75] .text ... * 2 .text C:\Program Files\Lenovo\AutoLock\ALCKRESI.exe[4420] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000743411a8 2 bytes [34, 74] .text C:\Program Files\Lenovo\AutoLock\ALCKRESI.exe[4420] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 00000000743413a8 2 bytes [34, 74] .text C:\Program Files\Lenovo\AutoLock\ALCKRESI.exe[4420] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000074341422 2 bytes [34, 74] .text C:\Program Files\Lenovo\AutoLock\ALCKRESI.exe[4420] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000074341498 2 bytes [34, 74] .text C:\Program Files\Lenovo\AutoLock\ALCKRESI.exe[4420] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 195 0000000071fc1b41 2 bytes [FC, 71] .text C:\Program Files\Lenovo\AutoLock\ALCKRESI.exe[4420] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 362 0000000071fc1be8 2 bytes [FC, 71] .text C:\Program Files\Lenovo\AutoLock\ALCKRESI.exe[4420] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 418 0000000071fc1c20 2 bytes [FC, 71] .text C:\Program Files\Lenovo\AutoLock\ALCKRESI.exe[4420] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 596 0000000071fc1cd2 2 bytes [FC, 71] .text C:\Program Files\Lenovo\AutoLock\ALCKRESI.exe[4420] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 628 0000000071fc1cf2 2 bytes [FC, 71] .text C:\Program Files (x86)\Stardock\ObjectDockPlus2\ObjectDock.exe[4656] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756e1465 2 bytes [6E, 75] .text C:\Program Files (x86)\Stardock\ObjectDockPlus2\ObjectDock.exe[4656] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756e14bb 2 bytes [6E, 75] .text ... * 2 .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[4808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756e1465 2 bytes [6E, 75] .text C:\Program Files (x86)\Syncios\SynciosDeviceService.exe[4808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756e14bb 2 bytes [6E, 75] .text ... * 2 .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[5792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756e1465 2 bytes [6E, 75] .text C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[5792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756e14bb 2 bytes [6E, 75] .text ... * 2 .text C:\Program Files (x86)\Rock Turner\bin\RockTurner.BrowserAdapter.exe[6104] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756e1465 2 bytes [6E, 75] .text C:\Program Files (x86)\Rock Turner\bin\RockTurner.BrowserAdapter.exe[6104] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756e14bb 2 bytes [6E, 75] .text ... * 2 .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[6320] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076548791 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[6320] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756e1465 2 bytes [6E, 75] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[6320] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756e14bb 2 bytes [6E, 75] .text ... * 2 .text C:\Program Files (x86)\Lenovo\System Update\UNCServer.exe[4236] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000756e1465 2 bytes [6E, 75] .text C:\Program Files (x86)\Lenovo\System Update\UNCServer.exe[4236] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000756e14bb 2 bytes [6E, 75] .text ... * 2 .text C:\Program Files (x86)\Lenovo\System Update\SUService.exe[6768] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756e1465 2 bytes [6E, 75] .text C:\Program Files (x86)\Lenovo\System Update\SUService.exe[6768] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756e14bb 2 bytes [6E, 75] .text ... * 2 .text C:\Program Files (x86)\Lenovo\System Update\Tvsukernel.exe[5744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756e1465 2 bytes [6E, 75] .text C:\Program Files (x86)\Lenovo\System Update\Tvsukernel.exe[5744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756e14bb 2 bytes [6E, 75] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88000ed5e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88000ed5c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88000ed6614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88000ed6a10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff88000ed686c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atb226qa \Device\Scsi\atb226qa1 fffffa800664c2c0 Device \Driver\atb226qa \Device\Scsi\atb226qa1Port1Path0Target0Lun0 fffffa800664c2c0 Device \FileSystem\Ntfs \Ntfs fffffa80037dc2c0 Device \FileSystem\fastfat \Fat fffffa8007e632c0 Device \Driver\WudfPf \Device\WUDFLpcDevice fffff8800b3d8910 Device \Driver\WudfPf \Device\HostProcess-e7da89ab-5504-40cd-a672-9f1d6fa85f88 fffff8800b3d8910 Device \Driver\usbehci \Device\USBPDO-1 fffffa80064372c0 Device \Driver\cdrom \Device\CdRom0 fffffa80040472c0 Device \Driver\WudfPf \Device\HostProcess-60f54525-d91e-4a85-a8a3-d040c321a89d fffff8800b3d8910 Device \Driver\cdrom \Device\CdRom1 fffffa80040472c0 Device \Driver\USBSTOR -> DriverStartIo \Device\00000090 fffff8800b3be9c4 Device \Driver\USBSTOR \Device\00000090 fffffa8007ce62c0 Device \Driver\USBAAPL64 \Device\0000008f fffff8800b3ab1dc Device \Driver\WudfPf \Device\HostProcess-cba439f8-fb7d-42c7-aa2d-4bbc7952ceb9 fffff8800b3d8910 Device \Driver\usbehci \Device\USBFDO-0 fffffa80064372c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{6DAF9832-A034-416E-868F-50C2F15BDDB5} fffffa80040cb2c0 Device \Driver\WUDFRd \Device\UMDFCtrlDev-87374c97-eb47-11e3-9a15-0021ccb9d13a fffff88004c483f4 Device \Driver\USBSTOR -> DriverStartIo \Device\00000091 fffff8800b3be9c4 Device \Driver\USBSTOR \Device\00000091 fffffa8007ce62c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{1B4ACB66-2F12-42EA-8336-32E5F9DCB260} fffffa80040cb2c0 Device \Driver\WudfPf \Device\HostProcess-0cb4b384-bc9e-4cdc-9f87-387d2849d3b3 fffff8800b3d8910 Device \Driver\usbehci \Device\USBFDO-1 fffffa80064372c0 Device \Driver\USBAAPL64 \Device\IPOD0 fffff8800b3ab1dc Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80040cb2c0 Device \Driver\WudfPf \Device\ProcessManagement fffff8800b3d8910 Device \Driver\usbehci \Device\USBPDO-0 fffffa80064372c0 Device \Driver\atb226qa \Device\ScsiPort1 fffffa800664c2c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\atb226qa.SYS fffff88004872000-fffff880048bd000 (307200 bytes) ---- Threads - GMER 2.1 ---- Thread System [4:496] fffff88005c0a210 ---- Processes - GMER 2.1 ---- Process C:\ProgramData\WPM\wprotectmanager.exe (*** suspicious ***) @ C:\ProgramData\WPM\wprotectmanager.exe [1484] (WPM Service/Cherished Technololgy LIMITED)(2 0000000000fa0000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3048] 000000006fbc0000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3048](2014-04-30 10:48:51) 000000006e940000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3048](2 000000006a1c0000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3048](2014-04-30 10:48:51) 000000006ff00000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QueryStrategy.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3048](2014-04-30 10:48:51) 000000006efc0000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtXml4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [3048](201 000000006ed40000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB4 0x18 0x4F 0x1B ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x26 0x68 0x1D 0xC0 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x46 0xFB 0xB8 0x4E ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB4 0x18 0x4F 0x1B ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x26 0x68 0x1D 0xC0 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x46 0xFB 0xB8 0x4E ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----