GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-26 01:52:15 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0 298,09GB Running: 1t3get9j.exe; Driver: C:\Users\win7\AppData\Local\Temp\fxrcyaod.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 448 fffff800031a6000 45 bytes [00, 00, 10, 02, 4D, 6D, 43, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 495 fffff800031a602f 16 bytes [00, 01, 00, 00, 00, 00, 00, ...] .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff880042cfd8c 12 bytes {MOV RAX, 0xfffffa80044932a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d11465 2 bytes [D1, 76] .text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d114bb 2 bytes [D1, 76] .text ... * 2 .text C:\Program Files (x86)\XTab\HPNotify.exe[3648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d11465 2 bytes [D1, 76] .text C:\Program Files (x86)\XTab\HPNotify.exe[3648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d114bb 2 bytes [D1, 76] .text ... * 2 .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d11465 2 bytes [D1, 76] .text C:\Program Files (x86)\TeamViewer\TeamViewer.exe[5632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d114bb 2 bytes [D1, 76] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5020] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d11465 2 bytes [D1, 76] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5020] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d114bb 2 bytes [D1, 76] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5020] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 0000000072af11a8 2 bytes [AF, 72] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5020] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 0000000072af13a8 2 bytes [AF, 72] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5020] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000072af1422 2 bytes [AF, 72] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5020] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000072af1498 2 bytes [AF, 72] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[6048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076d11465 2 bytes [D1, 76] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[6048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076d114bb 2 bytes [D1, 76] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001088f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001088cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800108969c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001089a98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010898f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa800248f2c0 Device \FileSystem\fastfat \Fat fffffa80062432c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{E96BD250-0B56-43DB-B603-586D8A77CE07} fffffa800432b2c0 Device \Driver\usbehci \Device\USBFDO-7 fffffa80044912c0 Device \Driver\usbuhci \Device\USBPDO-5 fffffa80044d82c0 Device \Driver\usbuhci \Device\USBFDO-3 fffffa80044d82c0 Device \Driver\usbuhci \Device\USBPDO-1 fffffa80044d82c0 Device \Driver\cdrom \Device\CdRom0 fffffa80043082c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{1CC67640-251C-49F3-99CB-4DD8D67F697B} fffffa800432b2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{DDD6EA87-76DE-4177-956E-72274D28EFB3} fffffa800432b2c0 Device \Driver\usbuhci \Device\USBPDO-6 fffffa80044d82c0 Device \Driver\usbuhci \Device\USBFDO-4 fffffa80044d82c0 Device \Driver\usbuhci \Device\USBFDO-0 fffffa80044d82c0 Device \Driver\usbehci \Device\USBPDO-2 fffffa80044912c0 Device \Driver\usbehci \Device\USBPDO-7 fffffa80044912c0 Device \Driver\usbuhci \Device\USBFDO-5 fffffa80044d82c0 Device \Driver\usbuhci \Device\USBPDO-3 fffffa80044d82c0 Device \Driver\usbuhci \Device\USBFDO-1 fffffa80044d82c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800432b2c0 Device \Driver\usbuhci \Device\USBFDO-6 fffffa80044d82c0 Device \Driver\usbuhci \Device\USBPDO-4 fffffa80044d82c0 Device \Driver\usbehci \Device\USBFDO-2 fffffa80044912c0 Device \Driver\usbuhci \Device\USBPDO-0 fffffa80044d82c0 ---- Processes - GMER 2.1 ---- Process C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (*** suspicious ***) @ C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [1724] (Windows SysTool Service/SysTool PasSame LIMITED)(2015-01-25 22:24:55) 0000000000cb0000 Process C:\ProgramData\DatacardService\HWDeviceService64.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\HWDeviceService64.exe [2068](2010-11-16 13:38:16) 000000013f130000 Process C:\ProgramData\DatacardService\DCSHelper.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\DCSHelper.exe [2252] (DataCardMonitor MFC Application/Huawei Technologies Co., Ltd.)(2010-11-16 13:37:30) 0000000000400000 Process C:\ProgramData\Multimedia mobilNET\OnlineUpdate\ouc.exe (*** suspicious ***) @ C:\ProgramData\Multimedia mobilNET\OnlineUpdate\ouc.exe [2504](2013-02-06 07:03:28) 0000000000400000 Library C:\ProgramData\Multimedia mobilNET\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\Multimedia mobilNET\OnlineUpdate\ouc.exe [2504](2013-02-06 07:03:28) 000000006fbc0000 Library C:\ProgramData\Multimedia mobilNET\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\Multimedia mobilNET\OnlineUpdate\ouc.exe [2504](2013-02-06 07:03:28) 000000006e940000 Library C:\ProgramData\Multimedia mobilNET\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\Multimedia mobilNET\OnlineUpdate\ouc.exe [2504](2013-02-06 07:03:28) 000000006a1c0000 Library C:\ProgramData\Multimedia mobilNET\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\Multimedia mobilNET\OnlineUpdate\ouc.exe [2504](2013-02-06 07:03:28) 000000006ff00000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFB 0xC7 0x03 0x13 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFB 0xC7 0x03 0x13 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ ---- EOF - GMER 2.1 ----