GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-11-03 00:05:45
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000DM003-1CH162 rev.CC47 931,51GB
Running: zl91lt9i.exe; Driver: C:\Users\Milosz\AppData\Local\Temp\ugrdrpow.sys


---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80003dc0000 52 bytes [FF, FF, FF, FF, FF, FF, FF, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 582 fffff80003dc0036 27 bytes [FF, FF, FF, FF, FF, FF, FF, ...]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1636] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076998791 4 bytes [C2, 04, 00, 00]
.text C:\Program Files (x86)\AntiLogger\AntiLogger.exe[3408] C:\Windows\syswow64\kernel32.dll!CreateThread + 28 00000000769934b1 4 bytes {CALL 0xffffffff89f26f30}
.text C:\Program Files (x86)\AntiLogger\AntiLogger.exe[3408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000760c1465 2 bytes [0C, 76]
.text C:\Program Files (x86)\AntiLogger\AntiLogger.exe[3408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000760c14bb 2 bytes [0C, 76]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4868] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000760c1465 2 bytes [0C, 76]
.text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4868] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000760c14bb 2 bytes [0C, 76]
.text ... * 2

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010d6e94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010d6c38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010d7614] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010d7a10] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010d786c] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2292] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef85a741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2292] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef85a5f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2292] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef85a5674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2292] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef85a5e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2292] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef85a7f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2292] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef85a6a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2292] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef85a6ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2292] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef85a7b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2292] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef85a7ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2292] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef85a78b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2292] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef85a4fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2292] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef85a5d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2292] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef85a7584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Devices - GMER 2.1 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa800398a2c0
Device \Driver\atapi \Device\Ide\IdePort0 fffffa800398a2c0
Device \Driver\atapi \Device\Ide\IdePort1 fffffa800398a2c0
Device \Driver\avqakhkt \Device\Scsi\avqakhkt1Port3Path0Target0Lun0 fffffa80053412c0
Device \Driver\avqakhkt \Device\Scsi\avqakhkt1 fffffa80053412c0
Device \FileSystem\Ntfs \Ntfs fffffa80039942c0
Device \Driver\usbehci \Device\USBFDO-3 fffffa80052992c0
Device \Driver\usbohci \Device\USBPDO-5 fffffa800526c2c0
Device \Driver\usbehci \Device\USBPDO-1 fffffa80052992c0
Device \Driver\amd_sata \Device\RaidPort0 fffffa800398e2c0
Device \Driver\cdrom \Device\CdRom0 fffffa800592c2c0
Device \Driver\cdrom \Device\CdRom1 fffffa800592c2c0
Device \Driver\usbohci \Device\USBFDO-4 fffffa800526c2c0
Device \Driver\usbehci \Device\USBPDO-6 fffffa80052992c0
Device \Driver\dtsoftbus01 \Device\00000075 fffffa8004c512c0
Device \Driver\usbohci \Device\USBPDO-2 fffffa800526c2c0
Device \Driver\usbohci \Device\USBFDO-0 fffffa800526c2c0
Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa8004c512c0
Device \Driver\usbohci \Device\USBFDO-5 fffffa800526c2c0
Device \Driver\usbehci \Device\USBFDO-1 fffffa80052992c0
Device \Driver\usbehci \Device\USBPDO-3 fffffa80052992c0
Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004cb82c0
Device \Driver\usbehci \Device\USBFDO-6 fffffa80052992c0
Device \Driver\atapi \Device\ScsiPort0 fffffa800398a2c0
Device \Driver\usbohci \Device\USBFDO-2 fffffa800526c2c0
Device \Driver\usbohci \Device\USBPDO-4 fffffa800526c2c0
Device \Driver\atapi \Device\ScsiPort1 fffffa800398a2c0
Device \Driver\usbohci \Device\USBPDO-0 fffffa800526c2c0
Device \Driver\amd_sata \Device\ScsiPort2 fffffa800398e2c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{9FE891B3-8212-4F7F-8BB2-09103A011424} fffffa8004cb82c0
Device \Driver\avqakhkt \Device\ScsiPort3 fffffa80053412c0

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800398a2c0]<< sptd.sys ataport.SYS pciide.sys fffffa800398a2c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a66060] fffffa8004a66060
Trace 3 CLASSPNP.SYS[fffff88001b4943f] -> nt!IofCallDriver -> [0xfffffa8003ae8670] fffffa8003ae8670
Trace 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8003aee060] fffffa8003aee060
Trace \Driver\atapi[0xfffffa8003ae7060] -> IRP_MJ_CREATE -> 0xfffffa800398a2c0 fffffa800398a2c0

---- Modules - GMER 2.1 ----

Module \SystemRoot\System32\Drivers\avqakhkt.SYS fffff880076b0000-fffff88007701000 (331776 bytes)

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\services.exe [584:748] 000007fefc8c94c4
Thread C:\Windows\System32\spoolsv.exe [1360:1164] 000007fef8ec10c8
Thread C:\Windows\System32\spoolsv.exe [1360:1192] 000007fef8e86144
Thread C:\Windows\System32\spoolsv.exe [1360:1260] 000007fef8c75fd0
Thread C:\Windows\System32\spoolsv.exe [1360:1280] 000007fef8c63438
Thread C:\Windows\System32\spoolsv.exe [1360:1284] 000007fef8c763ec
Thread C:\Windows\System32\spoolsv.exe [1360:1416] 000007fef94d5e5c
Thread C:\Windows\System32\spoolsv.exe [1360:444] 000007fef9165074

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x85 0xE8 0xDF 0x4D ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x55 0x13 0xBF 0x05 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x74 0x81 0x19 0x8A ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x59 0xDA 0x69 0xED ...
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x85 0xE8 0xDF 0x4D ...
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x55 0x13 0xBF 0x05 ...
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x74 0x81 0x19 0x8A ...
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x59 0xDA 0x69 0xED ...

---- EOF - GMER 2.1 ----