GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-06-03 14:44:13 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST932032 rev.0003 298,09GB Running: ljhj59uf.exe; Driver: C:\Users\Artur\AppData\Local\Temp\pgtdypow.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff88005499d8c 12 bytes {MOV RAX, 0xfffffa80066a22a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2236] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076b38781 4 bytes [C2, 04, 00, 00] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff880010ed650] \SystemRoot\System32\Drivers\spdn.sys [unknown section] IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff880010ed5dc] \SystemRoot\System32\Drivers\spdn.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010b835c] \SystemRoot\System32\Drivers\spdn.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010b8224] \SystemRoot\System32\Drivers\spdn.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010b8a24] \SystemRoot\System32\Drivers\spdn.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010b8ba0] \SystemRoot\System32\Drivers\spdn.sys [unknown section] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2848] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef717741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2848] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef7175f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2848] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef7175674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2848] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef7175e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2848] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef7177f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2848] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef7176a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2848] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef7176ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2848] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef7177b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2848] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef7177ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2848] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef71778b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2848] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef7174fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2848] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef7175d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2848] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef7177584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Devices - GMER 2.1 ---- Device \Driver\a1tfv8z5 \Device\Scsi\a1tfv8z51Port1Path0Target0Lun0 fffffa800691f2c0 Device \Driver\a1tfv8z5 \Device\Scsi\a1tfv8z51 fffffa800691f2c0 Device \FileSystem\Ntfs \Ntfs fffffa80040b02c0 Device \FileSystem\fastfat \Fat fffffa800baa52c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80066b82c0 Device \Driver\cdrom \Device\CdRom0 fffffa80064572c0 Device \Driver\cdrom \Device\CdRom1 fffffa80064572c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa80066b82c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{9E50990B-28C9-49D6-8F8F-B82C3506FAE4} fffffa80064952c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{1D40BFA3-221A-4490-A6C3-F9CC9B9BB2AA} fffffa80064952c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{5615034D-B199-433C-B4E8-441637DB1653} fffffa80064952c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80066b82c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa80040a42c0 Device \Driver\volmgr \Device\FtControl fffffa80040a42c0 Device \Driver\volmgr \Device\VolMgrControl fffffa80040a42c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa80040a42c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{297DFC03-47D9-4E1C-A668-FBC435AA79DF} fffffa80064952c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa80040a42c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80064952c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa80066b82c0 Device \Driver\a1tfv8z5 \Device\ScsiPort1 fffffa800691f2c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\a1tfv8z5.SYS fffff8800554d000-fffff88005592000 (282624 bytes) ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [1468:2512] 000007fef1329688 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll (*** suspicious ***) @ C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [3576] (RealPlayer Chrome Browser Helper/RealNetworks, Inc.)(2011-01-04 21:23:58) 00000000648b0000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\services\LanmanServer\Shares@[\1c\0i\0\5\1g\0n\0i\0\31\1t\0e CSCFlags=2048?MaxUses=4294967295?Path=D:\?ci?gni?te?Permissions=0?Remark=?ShareName=?ci?gni?te?Type=0? Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4B 0x67 0xC6 0x99 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x22 0xF4 0x16 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6A 0xC5 0x80 0x87 ... Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Shares@[\1c\0i\0\5\1g\0n\0i\0\31\1t\0e CSCFlags=2048?MaxUses=4294967295?Path=D:\?ci?gni?te?Permissions=0?Remark=?ShareName=?ci?gni?te?Type=0? Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x94 0xEE 0xD5 0xD5 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x22 0xF4 0x16 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6A 0xC5 0x80 0x87 ... Reg HKLM\SYSTEM\ControlSet003\services\LanmanServer\Shares@[\1c\0i\0\5\1g\0n\0i\0\31\1t\0e CSCFlags=2048?MaxUses=4294967295?Path=D:\?ci?gni?te?Permissions=0?Remark=?ShareName=?ci?gni?te?Type=0? Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x94 0xEE 0xD5 0xD5 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x22 0xF4 0x16 0x00 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6A 0xC5 0x80 0x87 ... ---- EOF - GMER 2.1 ----