GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-07-05 17:26:09
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 OCZ-VERTEX4 rev.1.5 119,24GB
Running: 4v4noc3g.exe; Driver: D:\Temp\Temp\pwdoypoc.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable      fffff96000133f00 7 bytes [00, 98, F3, FF, 01, A6, F0]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8  fffff96000133f08 3 bytes [C0, 06, 02]

---- User code sections - GMER 2.1 ----

.text  C:\Windows\SysWOW64\PnkBstrA.exe[1640] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322           0000000072671a22 2 bytes [67, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1640] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496           0000000072671ad0 2 bytes [67, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1640] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552           0000000072671b08 2 bytes [67, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1640] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730           0000000072671bba 2 bytes [67, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1640] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762           0000000072671bda 2 bytes [67, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1640] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69    0000000075901465 2 bytes [90, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1640] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   00000000759014bb 2 bytes [90, 75]
.text  ...                                                                                               * 2
.text  C:\Program Files (x86)\Skype\Updater\Updater.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69    0000000075901465 2 bytes [90, 75]
.text  C:\Program Files (x86)\Skype\Updater\Updater.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   00000000759014bb 2 bytes [90, 75]
.text  ...                                                                                                               * 2
.text  C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[3020] C:\Windows\SYSTEM32\ntdll.dll!DbgBreakPoint  00000000773e0590 3 bytes [8B, 40, 30]

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{DE20147D-2D91-4BA4-85ED-87D767751C48}\Connection@Name  isatap.{C23B49E8-EEC8-49C4-AA4D-5F9569974212}
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind  \Device\{DE20147D-2D91-4BA4-85ED-87D767751C48}?\Device\{98F651CF-309D-48EA-8445-A26D6FCD4B49}?\Device\{7C95C038-990C-45D0-8521-9C7BD91B0C81}?\Device\{D0B82027-9B88-4BCD-9253-4A049575ABBE}?
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route  "{DE20147D-2D91-4BA4-85ED-87D767751C48}"?"{98F651CF-309D-48EA-8445-A26D6FCD4B49}"?"{7C95C038-990C-45D0-8521-9C7BD91B0C81}"?"{D0B82027-9B88-4BCD-9253-4A049575ABBE}"?
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export  \Device\TCPIP6TUNNEL_{DE20147D-2D91-4BA4-85ED-87D767751C48}?\Device\TCPIP6TUNNEL_{98F651CF-309D-48EA-8445-A26D6FCD4B49}?\Device\TCPIP6TUNNEL_{7C95C038-990C-45D0-8521-9C7BD91B0C81}?\Device\TCPIP6TUNNEL_{D0B82027-9B88-4BCD-9253-4A049575ABBE}?
Reg  HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{DE20147D-2D91-4BA4-85ED-87D767751C48}@InterfaceName  isatap.{C23B49E8-EEC8-49C4-AA4D-5F9569974212}
Reg  HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{DE20147D-2D91-4BA4-85ED-87D767751C48}@ReusableType  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch  3518
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files (x86)\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x4D 0x7A 0xDA 0xF4 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files (x86)\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x4D 0x7A 0xDA 0xF4 ...

---- EOF - GMER 2.1 ----