GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-07-04 18:40:18 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 SAMSUNG_HD502HI rev.1AG01118 465,76GB Running: gmer.exe; Driver: C:\Users\Adrian\AppData\Local\Temp\uxldrpod.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88003b72d8c 12 bytes {MOV RAX, 0xfffffa8002cf02a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text D:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.212\deploy\LoLLauncher.exe[3092] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075968769 5 bytes [33, C0, C2, 04, 00] .text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.99\deploy\LolClient.exe[1472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075b01465 2 bytes [B0, 75] .text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.99\deploy\LolClient.exe[1472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075b014bb 2 bytes [B0, 75] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010b8f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010b8cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010b969c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010b9a98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010b98f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa800187f2c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa800187f2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa800187f2c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa800187f2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-3 fffffa800187f2c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa800187f2c0 Device \FileSystem\Ntfs \Ntfs fffffa80018832c0 Device \Driver\usbehci \Device\USBFDO-3 fffffa8002d0e2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8002d0e2c0 Device \Driver\cdrom \Device\CdRom0 fffffa8002bce2c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa8002d222c0 Device \Driver\usbohci \Device\USBPDO-2 fffffa8002d222c0 Device \Driver\usbehci \Device\USBPDO-3 fffffa8002d0e2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8002d0e2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8002c802c0 Device \Driver\atapi \Device\ScsiPort0 fffffa800187f2c0 Device \Driver\usbohci \Device\USBFDO-2 fffffa8002d222c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{125C4FAF-8776-4E90-A306-1BB7AC348470} fffffa8002c802c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa8002d222c0 Device \Driver\atapi \Device\ScsiPort1 fffffa800187f2c0 Device \Driver\atapi \Device\ScsiPort2 fffffa800187f2c0 Device \Driver\atapi \Device\ScsiPort3 fffffa800187f2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800187f2c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa800187f2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8002680460] fffffa8002680460 Trace 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> [0xfffffa8002386520] fffffa8002386520 Trace 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-3[0xfffffa800256c680] fffffa800256c680 Trace \Driver\atapi[0xfffffa8002319060] -> IRP_MJ_CREATE -> 0xfffffa800187f2c0 fffffa800187f2c0 ---- Threads - GMER 2.1 ---- Thread [396:432] 000007fefd291f00 Thread [396:436] 000007fefd291c90 Thread [396:440] 000007fefd2f4be4 Thread [396:444] 000007fefd2f3ff0 Thread [396:472] 000007fefd2f4be4 Thread [396:496] 000007fefd293710 Thread [396:500] 000007fefd293710 Thread [396:588] 000007fefd293710 Thread [396:1792] 000007fefd2f4be4 Thread [464:504] 000007fefd291f00 Thread [464:508] 000007fefd291c90 Thread [464:512] 000007fefd2f4be4 Thread [464:516] 000007fefd2f3ff0 Thread [464:528] 000007fefd2f4be4 Thread [464:576] 000007fefd293710 Thread [464:580] 000007fefd293710 Thread [464:2044] 000007fefd2f4be4 Thread [464:2156] 000007fefd2f4be4 Thread C:\Windows\System32\svchost.exe [888:1116] 000007fefa775428 Thread C:\Windows\System32\svchost.exe [888:3232] 000007fef4946b8c Thread C:\Windows\System32\svchost.exe [888:3240] 000007fef4941d88 Thread C:\Windows\System32\svchost.exe [928:392] 000007fefb24331c Thread C:\Windows\System32\svchost.exe [928:1088] 000007fefa892d7c Thread C:\Windows\System32\svchost.exe [928:1516] 000007fef3db20c0 Thread C:\Windows\System32\svchost.exe [928:1508] 000007fef3db26a8 Thread C:\Windows\System32\svchost.exe [928:2164] 000007fef3db29dc Thread C:\Windows\System32\svchost.exe [928:2604] 000007fef58144e0 Thread C:\Windows\System32\svchost.exe [928:704] 000007fef72988f8 Thread C:\Windows\system32\svchost.exe [1104:1132] 000007fefa74341c Thread C:\Windows\system32\svchost.exe [1104:1140] 000007fefa743a2c Thread C:\Windows\system32\svchost.exe [1104:1144] 000007fefa743768 Thread C:\Windows\system32\svchost.exe [1104:1148] 000007fefa745c20 Thread C:\Windows\system32\svchost.exe [1104:1460] 000007fef99dbd88 Thread C:\Windows\system32\svchost.exe [1104:2576] 000007fef4e55170 Thread C:\Windows\system32\svchost.exe [1104:2900] 000007fefa743900 Thread C:\Windows\system32\svchost.exe [1104:1692] 000007fef9605124 Thread C:\Windows\System32\spoolsv.exe [1196:1696] 000007fef78b10c8 Thread C:\Windows\System32\spoolsv.exe [1196:1704] 000007fef7876144 Thread C:\Windows\System32\spoolsv.exe [1196:1708] 000007fef7665fd0 Thread C:\Windows\System32\spoolsv.exe [1196:1712] 000007fef7653438 Thread C:\Windows\System32\spoolsv.exe [1196:1716] 000007fef76663ec Thread C:\Windows\System32\spoolsv.exe [1196:1724] 000007fef7c65e5c Thread C:\Windows\System32\spoolsv.exe [1196:1728] 000007fef7c95074 Thread C:\Windows\system32\svchost.exe [1240:1424] 000007fef9e735c0 Thread C:\Windows\system32\svchost.exe [1240:2704] 000007fef9e75600 Thread C:\Windows\system32\svchost.exe [1240:2744] 000007fef4052940 Thread C:\Windows\system32\svchost.exe [1240:2748] 000007fef4032888 Thread C:\Windows\system32\svchost.exe [1240:2968] 000007fef4032a40 Thread C:\Windows\system32\taskhost.exe [1572:1636] 000007fef95a2740 Thread C:\Windows\system32\taskhost.exe [1572:1684] 000007fefa4c1010 Thread C:\Windows\system32\taskhost.exe [1572:1688] 000007fef79d1f38 Thread C:\Windows\Explorer.EXE [1660:2832] 000007fefe226b7c Thread C:\Windows\Explorer.EXE [1660:880] 000007fef1222118 Thread C:\Windows\Explorer.EXE [1660:3688] 000007fef284a3f8 Thread C:\Windows\System32\svchost.exe [2140:2032] 000007fef35c9688 Thread C:\Windows\system32\svchost.exe [2548:560] 000007fef4908470 Thread C:\Windows\system32\svchost.exe [2548:1748] 000007fef4912418 Thread C:\Windows\system32\svchost.exe [2548:3204] 000007feef99f130 Thread C:\Windows\system32\svchost.exe [2548:3224] 000007feef994734 Thread C:\Windows\system32\svchost.exe [2548:3648] 000007feef994734 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2040:3112] 000007fefb682a7c ---- Registry - GMER 2.1 ---- Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3531A543-B57D-3BC6-DCA3-B9E41B275812} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3531A543-B57D-3BC6-DCA3-B9E41B275812}@maildnacpdpeldolcojpcadfnp 0x6F 0x61 0x62 0x65 ... ---- EOF - GMER 2.1 ----