GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-04 15:59:37
Windows 6.0.6002 Service Pack 2 x64 \Device\Harddisk0\DR0 -> \Device\0000006d ST2000DX rev.CC43 1863,02GB
Running: gmer.exe; Driver: C:\Users\Roman\AppData\Local\Temp\uwlirpod.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe[2508] C:\Program Files (x86)\Samsung\SAMSUNG PC Share Manager\avformat-52.dll!av_read_packet + 463 00000000649489a7 1 byte [C0]
.text C:\Program Files (x86)\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe[2508] C:\Program Files (x86)\Samsung\SAMSUNG PC Share Manager\avformat-52.dll!av_read_packet + 465 00000000649489a9 2 bytes [03, 00]
.text ... * 3
.text C:\Program Files (x86)\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe[2508] C:\Program Files (x86)\Samsung\SAMSUNG PC Share Manager\avformat-52.dll!ff_nut_add_sp + 61 00000000649a10b5 4 bytes [00, 0D, 03, 00]
.text C:\Program Files (x86)\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe[2508] C:\Program Files (x86)\Samsung\SAMSUNG PC Share Manager\avformat-52.dll!ff_nut_reset_ts + 598 00000000649a1386 4 bytes [D4, E4, 10, 6B]
.text C:\Program Files (x86)\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe[2508] C:\Program Files (x86)\Samsung\SAMSUNG PC Share Manager\avformat-52.dll!ff_nut_reset_ts + 673 00000000649a13d1 4 bytes [20, E4, 10, 6B]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2812] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075732c52 4 bytes [C2, 04, 00, 00]

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\drivers\PCIIDEX.SYS[ntoskrnl.exe!DbgBreakPoint] [fffffa80075b4470] [unknown section]
IAT C:\Windows\system32\DRIVERS\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] [fffffa8007591470] [unknown section]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [fffffa6000820da8] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffffa6000820e94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffffa6000820c38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffffa6000821614] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffffa6000821a10] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffffa600082186c] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\ataport.SYS[ntoskrnl.exe!DbgBreakPoint] [fffffa80075ac470] [unknown section]
IAT C:\Windows\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] [fffffa8009aef470] [unknown section]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\winlogon.exe[232] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!ReadFile] [55580002700] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\winlogon.exe[232] @ C:\Windows\system32\uxtheme.dll[ADVAPI32.dll!CryptVerifySignatureW] [555800027c0] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\winlogon.exe[232] @ C:\Windows\system32\shsvcs.dll[KERNEL32.dll!ReadFile] [55580002700] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\winlogon.exe[232] @ C:\Windows\system32\shsvcs.dll[ADVAPI32.dll!CryptVerifySignatureW] [555800027c0] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\svchost.exe[1416] @ c:\windows\system32\shsvcs.dll[KERNEL32.dll!ReadFile] [55580002700] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\svchost.exe[1416] @ c:\windows\system32\shsvcs.dll[ADVAPI32.dll!CryptVerifySignatureW] [555800027c0] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\svchost.exe[1416] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!ReadFile] [55580002700] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\svchost.exe[1416] @ C:\Windows\system32\uxtheme.dll[ADVAPI32.dll!CryptVerifySignatureW] [555800027c0] c:\windows\system32\uxtuneup.dll

---- Devices - GMER 2.1 ----

Device \Driver\adhi2o85 \Device\Scsi\adhi2o851 fffffa8009be82c0
Device \Driver\adhi2o85 \Device\Scsi\adhi2o851Port4Path0Target0Lun0 fffffa8009be82c0
Device \FileSystem\Ntfs \Ntfs fffffa800673b2c0
Device \Driver\usbohci \Device\USBPDO-5 fffffa80099fd2c0
Device \Driver\usbehci \Device\USBFDO-3 fffffa8009ae92c0
Device \Driver\usbehci \Device\USBPDO-1 fffffa8009ae92c0
Device \Driver\amd_sata \Device\00000070 fffffa80066f72c0
Device \Driver\amd_sata \Device\RaidPort0 fffffa80066f72c0
Device \Driver\cdrom \Device\CdRom0 fffffa80096e72c0
Device \Driver\iScsiPrt \Device\RaidPort1 fffffa8009bea2c0
Device \Driver\cdrom \Device\CdRom1 fffffa80096e72c0
Device \Driver\amd_sata \Device\0000006f fffffa80066f72c0
Device \Driver\usbehci \Device\USBPDO-6 fffffa8009ae92c0
Device \Driver\usbohci \Device\USBFDO-4 fffffa80099fd2c0
Device \Driver\usbohci \Device\USBFDO-0 fffffa80099fd2c0
Device \Driver\usbohci \Device\USBPDO-2 fffffa80099fd2c0
Device \Driver\usbohci \Device\USBFDO-5 fffffa80099fd2c0
Device \Driver\usbehci \Device\USBPDO-3 fffffa8009ae92c0
Device \Driver\usbehci \Device\USBFDO-1 fffffa8009ae92c0
Device \Driver\amd_sata \Device\0000006d fffffa80066f72c0
Device \Driver\netbt \Device\NetBt_Wins_Export fffffa800a3652c0
Device \Driver\usbehci \Device\USBFDO-6 fffffa8009ae92c0
Device \Driver\usbohci \Device\USBPDO-4 fffffa80099fd2c0
Device \Driver\usbohci \Device\USBFDO-2 fffffa80099fd2c0
Device \Driver\usbohci \Device\USBPDO-0 fffffa80099fd2c0
Device \Driver\netbt \Device\NetBT_Tcpip_{6BE80719-4606-4634-ABFD-3AD0C0296002} fffffa800a3652c0
Device \Driver\amd_sata \Device\ScsiPort2 fffffa80066f72c0
Device \Driver\Smb \Device\NetbiosSmb fffffa800a2782c0
Device \Driver\iScsiPrt \Device\ScsiPort3 fffffa8009bea2c0
Device \Driver\adhi2o85 \Device\ScsiPort4 fffffa8009be82c0
Device \Driver\amd_sata \Device\0000006e fffffa80066f72c0

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80066f92c0]<< sptd.sys amd_xata.sys storport.sys hal.dll amd_sata.sys fffffa80066f92c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8009011620] fffffa8009011620
Trace 3 CLASSPNP.SYS[fffffa60012fac33] -> nt!IofCallDriver -> [0xfffffa8007841ac0] fffffa8007841ac0
Trace \Driver\amd_xata[0xfffffa80076e2a10] -> IRP_MJ_CREATE -> 0xfffffa80066f92c0 fffffa80066f92c0
Trace 5 amd_xata.sys[fffffa6000b9fa10] -> nt!IofCallDriver -> \Device\0000006d[0xfffffa800783b060] fffffa800783b060
Trace \Driver\amd_sata[0xfffffa80077147e0] -> IRP_MJ_CREATE -> 0xfffffa80066f72c0 fffffa80066f72c0

---- Modules - GMER 2.1 ----

Module \SystemRoot\System32\Drivers\adhi2o85.SYS fffffa6001389000-fffffa60013cc000 (274432 bytes)

---- Processes - GMER 2.1 ----

Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B4A73CF0-EFED-4A4B-8079-F891E891D152}\mpengine.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [1280] (Microsoft Malware Protection Engine/Microsoft Corporation)(2015-02-03 11:00:17) 000007fefa440000
Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [3852] (GG drive overlay/GG Network S.A.)(2012-11-04 15:01:43) 000000005c080000
Library C:\Users\Roman\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [3852] (GG drive menu/GG Network S.A.)(201 000000005ff80000
Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [1516] (GG drive overlay/GG Network S.A.)(2012-11-04 15:01:43) 000000005c080000
Library C:\Users\Roman\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\Ontology.dll (*** suspicious ***) @ C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [4476] (Application Ontology library/NVIDIA Corporation)(2015-01-27 14:06:08) 0000000070cb0000
Library C:\ProgramData\Microsoft\Windows\DRM\Cache\Indiv01_64.key (*** suspicious ***) @ C:\Program Files\Windows Media Player\wmpnetwk.exe [1796] (Individualized Black Box DLL/Microsoft Corporation)(2012-12-29 15:15:40) 000000000ac00000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x43 0xF1 0xE5 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x0B 0x87 0x64 0x71 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x20 0x5A 0x8E 0x57 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x18 0x74 0x05 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x86 0xAA 0x6B 0xD9 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x3E 0x24 0x69 0x58 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x43 0xF1 0xE5 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x0B 0x87 0x64 0x71 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x20 0x5A 0x8E 0x57 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x18 0x74 0x05 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x43 0xF1 0xE5 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x0B 0x87 0x64 0x71 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x20 0x5A 0x8E 0x57 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x18 0x74 0x05 0x00 ...

---- Files - GMER 2.1 ----

File C:\Users\Roman\AppData\Local\Mozilla\Firefox\Profiles\7hd6vir9.default\cache2\entries\254991FDABBC93B700A2B65A7C917A653A0253E6 900 bytes
File C:\Windows\Temp\NOD7D25.tmp 0 bytes
File C:\Windows\Temp\NODA445.tmp 0 bytes

---- EOF - GMER 2.1 ----
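A log like the one above is easier to review once the hook entries are grouped by the module GMER resolved each hook address to, rather than read entry by entry. The following is an added triage helper, written for this page; it is not GMER's code and not part of the log. It splits the log on the "---- <name> - GMER 2.1 ----" headers, parses the kernel and user IAT/EAT entries and the "(*** suspicious ***)" library entries, and groups the hooks by owner. The embedded SAMPLE_LOG is a short excerpt copied from the log above; field layouts the parser assumes (where a PID, an address or a section name sits on a line) are read off these entries and are an assumption about GMER 2.1 output, not a documented format.

```python
"""Triage helper for a GMER 2.1 rootkit-scan log.

Added example for this page (not GMER's code, not part of the log above).
It splits the log on the '---- <name> - GMER 2.1 ----' headers, parses
IAT/EAT hook entries and '(*** suspicious ***)' library entries, and groups
every hook by the module GMER resolved the hook address to.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER 2\.1 ----$")

# Field layout assumed from the entries on this page:
#   kernel: IAT <image>[<import>!<symbol>] [<addr>] <owner> [<section>]
#           IAT <image>[<import>!<symbol>] [<addr>] [unknown section]
#   user:   IAT <process>[<pid>] @ <image>[<import>!<symbol>] [<addr>] <owner>
IAT_RE = re.compile(
    r"^IAT (?P<where>.+?)\[(?P<import>[^\[\]!]+)!(?P<symbol>[^\[\]]+)\] "
    r"\[(?P<addr>[0-9a-fA-F]+)\] (?P<rest>.*)$"
)

# Library <path> (*** suspicious ***) @ <process> [<pid>] (<desc>)(<stamp>) <base>
LIBRARY_RE = re.compile(
    r"^Library (?P<path>.+?) \(\*\*\* suspicious \*\*\*\) @ (?P<process>.+?) "
    r"\[(?P<pid>\d+)\] \((?P<desc>[^)]*)\)\((?P<stamp>[^)]*)\) (?P<base>[0-9a-fA-F]+)$"
)


def split_sections(text):
    """Map each section name to its non-empty entry lines; text before the
    first header (scan date, OS, loaded driver) is kept under 'header'."""
    sections = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def parse_iat(line):
    """Parse one IAT/EAT entry into a dict, or return None for any other line."""
    m = IAT_RE.match(line)
    if not m:
        return None
    where, rest = m.group("where"), m.group("rest").strip()
    process = None
    if " @ " in where:                       # user-mode form names the host process
        process, where = where.split(" @ ", 1)
    if rest == "[unknown section]":          # GMER could not attribute the address
        owner, section = None, "unknown section"
    elif rest.endswith("]") and " [" in rest:
        owner, section = rest.rsplit(" [", 1)
        section = section[:-1]
    else:
        owner, section = rest, None
    return {"process": process, "image": where, "import": m.group("import"),
            "symbol": m.group("symbol"), "addr": int(m.group("addr"), 16),
            "owner": owner, "section": section}


def parse_library(line):
    """Parse one '(*** suspicious ***)' Library entry, or return None."""
    m = LIBRARY_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["pid"], d["base"] = int(d["pid"]), int(d["base"], 16)
    return d


def triage(text):
    """Hooks grouped by owning module (lower-cased path, '<unresolved>' for
    '[unknown section]') plus the libraries GMER flagged as suspicious."""
    sections = split_sections(text)
    by_owner = defaultdict(list)
    for name in ("Kernel IAT/EAT", "User IAT/EAT"):
        for entry in filter(None, map(parse_iat, sections.get(name, []))):
            by_owner[(entry["owner"] or "<unresolved>").lower()].append(entry)
    suspicious = list(filter(None, map(parse_library, sections.get("Processes", []))))
    return {"hooks_by_owner": dict(by_owner), "suspicious_libraries": suspicious}


# Constructed sample: a short excerpt copied from the log on this page.
SAMPLE_LOG = r"""
GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-04 15:59:37
---- Kernel IAT/EAT - GMER 2.1 ----
IAT C:\Windows\system32\drivers\PCIIDEX.SYS[ntoskrnl.exe!DbgBreakPoint] [fffffa80075b4470] [unknown section]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [fffffa6000820da8] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffffa6000821614] \SystemRoot\System32\Drivers\sptd.sys [.text]
---- User IAT/EAT - GMER 2.1 ----
IAT C:\Windows\system32\winlogon.exe[232] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!ReadFile] [55580002700] c:\windows\system32\uxtuneup.dll
IAT C:\Windows\system32\svchost.exe[1416] @ C:\Windows\system32\uxtheme.dll[ADVAPI32.dll!CryptVerifySignatureW] [555800027c0] c:\windows\system32\uxtuneup.dll
---- Processes - GMER 2.1 ----
Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [3852] (GG drive overlay/GG Network S.A.)(2012-11-04 15:01:43) 000000005c080000
---- EOF - GMER 2.1 ----
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for owner, entries in sorted(report["hooks_by_owner"].items()):
        print(f"{owner}: {len(entries)} hook(s)")
        for e in entries:
            host = f" in {e['process']}" if e["process"] else ""
            print(f"    {e['image']}{host}: {e['import']}!{e['symbol']} -> {e['addr']:#x}")
    for lib in report["suspicious_libraries"]:
        print(f"suspicious library: {lib['path']} loaded in {lib['process']} [{lib['pid']}]")
```

Run against the full log, the grouping puts all six atapi.sys AtaPort* hooks under sptd.sys (the driver whose Cfg keys in the Registry section point at the Alcohol 120 and DAEMON Tools Lite install directories), all eight winlogon/svchost hooks under uxtuneup.dll, and the four DbgBreakPoint imports under "<unresolved>", since GMER reports them as "[unknown section]". Attribution to a named file is a starting point, not a verdict: the next step for each owner is to check the file on disk (signature, hash, install date) and the reason it is loaded, and the unresolved entries are the ones that warrant a closer look first because nothing on the page accounts for them.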