GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-11 16:20:17 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000BEKT-22KA9T0 rev.01.01A01 465,76GB Running: nkcbdd5g.exe; Driver: C:\Users\alex\AppData\Local\Temp\aftcqaod.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff800041bb000 45 bytes [43, 4D, 33, 31, 05, 00, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607 fffff800041bb02f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...] PAGE C:\Windows\system32\drivers\ataport.SYS!DllUnload fffff88000de74a0 12 bytes {MOV RAX, 0xfffffa800398a2a0; JMP RAX} .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff88007028d64 12 bytes {MOV RAX, 0xfffffa8004d662a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1668] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075671465 2 bytes [67, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1668] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756714bb 2 bytes [67, 75] .text ... * 2 .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1744] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075a387b1 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1744] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075671465 2 bytes [67, 75] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1744] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000756714bb 2 bytes [67, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075671465 2 bytes [67, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1900] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000756714bb 2 bytes [67, 75] .text ... * 2 .text C:\Program Files\OO Software\Defrag\oodag.exe[1040] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 0000000077489b80 13 bytes {MOV R11, 0x140002d80; JMP R11} .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2216] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075671465 2 bytes [67, 75] .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2216] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000756714bb 2 bytes [67, 75] .text ... * 2 .text C:\Program Files (x86)\Clarus\Samsung Drive Manager\SZDrvSvc.exe[2316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075671465 2 bytes [67, 75] .text C:\Program Files (x86)\Clarus\Samsung Drive Manager\SZDrvSvc.exe[2316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756714bb 2 bytes [67, 75] .text ... * 2 .text C:\Program Files (x86)\Clarus\Samsung Drive Manager\ABRTMon.exe[3652] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075671465 2 bytes [67, 75] .text C:\Program Files (x86)\Clarus\Samsung Drive Manager\ABRTMon.exe[3652] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756714bb 2 bytes [67, 75] .text ... * 2 .text C:\Users\alex\AppData\Roaming\Dropbox\bin\Dropbox.exe[3736] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 0000000075671465 2 bytes [67, 75] .text C:\Users\alex\AppData\Roaming\Dropbox\bin\Dropbox.exe[3736] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 00000000756714bb 2 bytes [67, 75] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075671465 2 bytes [67, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756714bb 2 bytes [67, 75] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001077f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001077cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800107869c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001078a98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010788f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80039a72c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80039a72c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80039a72c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa80039a72c0 Device \FileSystem\Ntfs \Ntfs fffffa80039af2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{3B4002A4-6818-4AB8-B1C2-9FA4C614123A} fffffa8004d942c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8004d682c0 Device \Driver\cdrom \Device\CdRom0 fffffa8004e4c2c0 Device \Driver\cdrom \Device\CdRom1 fffffa8004e4c2c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8004d682c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa8004c4d2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{EC652FC8-E38F-4AA5-9EAA-C7A4C18A32FF} fffffa8004d942c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8004d682c0 Device \Driver\dtsoftbus01 \Device\0000007d fffffa8004c4d2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004d942c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80039a72c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8004d682c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80039a72c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80039a72c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa80039a72c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004b1b060] fffffa8004b1b060 Trace 3 CLASSPNP.SYS[fffff88001ab143f] -> nt!IofCallDriver -> [0xfffffa80047f7e40] fffffa80047f7e40 Trace 5 ACPI.sys[fffff88000f2a7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80047f4060] fffffa80047f4060 Trace \Driver\atapi[0xfffffa80047b9260] -> IRP_MJ_CREATE -> 0xfffffa80039a72c0 fffffa80039a72c0 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [3808:924] 000007fef1fa9688 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\Mobile Partner\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [1988](2013-03-20 17:38:10) 000000006fbc0000 Library C:\ProgramData\Mobile Partner\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [1988](2013-03-20 17:38:10) 000000006e940000 Library C:\ProgramData\Mobile Partner\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [1988](2013-03-20 17:38:10) 000000006a1c0000 Library C:\ProgramData\Mobile Partner\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [1988](2013-03-20 17:38:10) 000000006ff00000 Library C:\ProgramData\Mobile Partner\OnlineUpdate\QueryStrategy.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [1988](2013-03-20 17:38:10) 000000006efc0000 Library C:\ProgramData\Mobile Partner\OnlineUpdate\QtXml4.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [1988](2013-03-20 17:38:10) 000000006ed40000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2080] 000000006fbc0000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2080](2013-03-20 16:54:16) 000000006e940000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2080](2 000000006a1c0000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2080](2013-03-20 16:54:16) 000000006ff00000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QueryStrategy.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2080](2013-03-20 16:54:16) 000000006efc0000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtXml4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2080](201 000000006ed40000 Library C:\Users\alex\AppData\Roaming\Dropbox\bin\wxmsw28uh_vc.dll (*** suspicious ***) @ C:\Users\alex\AppData\Roaming\Dropbox\bin\Dropbox.exe [3736](2014-09-13 00:20:58) 0000000003f00000 Library c:\users\alex\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpnbekdg.dll (*** suspicious ***) @ C:\Users\alex\AppData\Roaming\Dropbox\bin\Dropbox.exe [3736](2014-11-11 11:50:05) 00000000024d0000 Library C:\Users\alex\AppData\Roaming\Dropbox\bin\libcef.dll (*** suspicious ***) @ C:\Users\alex\AppData\Roaming\Dropbox\bin\Dropbox.exe [3736](2013-08-23 19:01:44) 000000006c860000 Library C:\Users\alex\AppData\Roaming\Dropbox\bin\icudt.dll (*** suspicious ***) @ C:\Users\alex\AppData\Roaming\Dropbox\bin\Dropbox.exe [3736] (ICU Data DLL/The ICU Project)(2013-08-23 19:01:42) 000000006a540000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dddc6d3 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dddc6d3@c0cb38e1bd00 0x1E 0xF5 0x82 0xD0 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dddc6d3@0024834f37c6 0x47 0xB2 0x43 0x08 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dddc6d3@2013e0bf4628 0xF2 0xA2 0xA7 0x5C ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dddc6d3@0015a07bb9e1 0x99 0x2C 0xAE 0x5B ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dddc6d3@000d18000001 0x29 0xF2 0xDE 0x03 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x99 0x3B 0x9B 0x30 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 J:\Programy\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x35 0x3A 0xC3 0x04 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDF 0x1F 0x9B 0x77 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dddc6d3 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dddc6d3@c0cb38e1bd00 0x1E 0xF5 0x82 0xD0 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dddc6d3@0024834f37c6 0x47 0xB2 0x43 0x08 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dddc6d3@2013e0bf4628 0xF2 0xA2 0xA7 0x5C ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dddc6d3@0015a07bb9e1 0x99 0x2C 0xAE 0x5B ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dddc6d3@000d18000001 0x29 0xF2 0xDE 0x03 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x99 0x3B 0x9B 0x30 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 J:\Programy\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x35 0x3A 0xC3 0x04 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDF 0x1F 0x9B 0x77 ... ---- EOF - GMER 2.1 ----