GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-06-14 14:20:49
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST31000524AS rev.JC4B 931,51GB
Running: 1kmo6ozy.exe; Driver: C:\Users\Maciek\AppData\Local\Temp\kgldqpoc.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\SysWOW64\rundll32.exe[1840] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c11465 2 bytes [C1, 75]
.text C:\Windows\SysWOW64\rundll32.exe[1840] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c114bb 2 bytes [C1, 75]
.text ... * 2
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2064] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000775a87c9 4 bytes [C2, 04, 00, 00]
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2064] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075c11465 2 bytes [C1, 75]
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2064] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000075c114bb 2 bytes [C1, 75]
.text ... * 2
.text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c11465 2 bytes [C1, 75]
.text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c114bb 2 bytes [C1, 75]
.text ... * 2
.text C:\Windows\SysWOW64\PnkBstrA.exe[2340] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000711d1a22 2 bytes [1D, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2340] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000711d1ad0 2 bytes [1D, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2340] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000711d1b08 2 bytes [1D, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2340] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000711d1bba 2 bytes [1D, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2340] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000711d1bda 2 bytes [1D, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2340] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c11465 2 bytes [C1, 75]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2340] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c114bb 2 bytes [C1, 75]
.text ... * 2
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000764a1bb2 5 bytes JMP 000000010009f046
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c11465 2 bytes [C1, 75]
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c114bb 2 bytes [C1, 75]
.text ... * 2

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800104be94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800104bc38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800104c614] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800104ca10] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800104c86c] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2444] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef2c4741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2444] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef2c45f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2444] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef2c45674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2444] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef2c45e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2444] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef2c47f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2444] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef2c46a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2444] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef2c46ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2444] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef2c47b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2444] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef2c47ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2444] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef2c478b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2444] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef2c44fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2444] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef2c45d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2444] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef2c47584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Devices - GMER 2.1 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa800542f2c0
Device \Driver\atapi \Device\Ide\IdePort0 fffffa800542f2c0
Device \Driver\atapi \Device\Ide\IdePort1 fffffa800542f2c0
Device \Driver\atapi \Device\Ide\IdePort2 fffffa800542f2c0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa800542f2c0
Device \Driver\atapi \Device\Ide\IdePort3 fffffa800542f2c0
Device \FileSystem\Ntfs \Ntfs fffffa80054342c0
Device \Driver\usbehci \Device\USBPDO-5 fffffa8006d6f2c0
Device \Driver\usbohci \Device\USBFDO-3 fffffa8006d6d2c0
Device \Driver\usbohci \Device\USBPDO-1 fffffa8006d6d2c0
Device \Driver\USBSTOR \Device\00000084 fffffa800687f2c0
Device \Driver\cdrom \Device\CdRom0 fffffa80063732c0
Device \Driver\usbohci \Device\USBPDO-6 fffffa8006d6d2c0
Device \Driver\usbohci \Device\USBFDO-4 fffffa8006d6d2c0
Device \Driver\usbohci \Device\USBFDO-0 fffffa8006d6d2c0
Device \Driver\usbehci \Device\USBPDO-2 fffffa8006d6f2c0
Device \Driver\USBSTOR \Device\00000085 fffffa800687f2c0
Device \Driver\USBSTOR \Device\00000081 fffffa800687f2c0
Device \Driver\usbehci \Device\USBFDO-5 fffffa8006d6f2c0
Device \Driver\usbohci \Device\USBPDO-3 fffffa8006d6d2c0
Device \Driver\usbohci \Device\USBFDO-1 fffffa8006d6d2c0
Device \Driver\USBSTOR \Device\00000082 fffffa800687f2c0
Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800696b2c0
Device \Driver\usbohci \Device\USBFDO-6 fffffa8006d6d2c0
Device \Driver\usbohci \Device\USBPDO-4 fffffa8006d6d2c0
Device \Driver\atapi \Device\ScsiPort0 fffffa800542f2c0
Device \Driver\usbehci \Device\USBFDO-2 fffffa8006d6f2c0
Device \Driver\usbohci \Device\USBPDO-0 fffffa8006d6d2c0
Device \Driver\atapi \Device\ScsiPort1 fffffa800542f2c0
Device \Driver\USBSTOR \Device\00000083 fffffa800687f2c0
Device \Driver\atapi \Device\ScsiPort2 fffffa800542f2c0
Device \Driver\atapi \Device\ScsiPort3 fffffa800542f2c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{26928AE9-9C55-4DC9-A7D0-86F5C6466E18} fffffa800696b2c0

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800542f2c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa800542f2c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006362060] fffffa8006362060
Trace 3 CLASSPNP.SYS[fffff8800185143f] -> nt!IofCallDriver -> [0xfffffa8005ed79b0] fffffa8005ed79b0
Trace 5 ACPI.sys[fffff880011727a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8006363060] fffffa8006363060
Trace \Driver\atapi[0xfffffa800545d800] -> IRP_MJ_CREATE -> 0xfffffa800542f2c0 fffffa800542f2c0

---- Threads - GMER 2.1 ----

Thread C:\Windows\SysWOW64\rundll32.exe [1840:2672] 000000007ed2bd60
Thread C:\Windows\SysWOW64\rundll32.exe [1840:4748] 000000007ed8caf0

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x87 0x27 0x55 0x1C ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xAA 0xE8 0x4C 0x81 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDF 0x25 0x6C 0x70 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5A 0x29 0x44 0xA3 ...

---- Files - GMER 2.1 ----
---- EOF - GMER 2.1 ----