GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-04-04 16:04:24
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP5T0L0-5 SAMSUNG_HD161HJ rev.JF100-19 149,05GB
Running: 7e0sscvv.exe; Driver: J:\temp\kwdiqpog.sys

---- User code sections - GMER 2.2 ----

.text C:\Windows\SysWOW64\PnkBstrA.exe[1132] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000722a17fa 2 bytes CALL 773311a9 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1132] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 00000000722a1860 2 bytes CALL 773311a9 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1132] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 00000000722a1942 2 bytes JMP 76987089 C:\Windows\syswow64\WS2_32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1132] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 00000000722a194d 2 bytes JMP 7698cba6 C:\Windows\syswow64\WS2_32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1132] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000755b1401 2 bytes JMP 7735b21b C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1132] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000755b1419 2 bytes JMP 7735b346 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1132] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000755b1431 2 bytes JMP 773d8f29 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1132] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000755b144a 2 bytes CALL 7733489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Windows\SysWOW64\PnkBstrA.exe[1132] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755b14dd 2 bytes JMP 773d8822 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1132] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755b14f5 2 bytes JMP 773d89f8 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1132] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000755b150d 2 bytes JMP 773d8718 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1132] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000755b1525 2 bytes JMP 773d8ae2 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1132] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000755b153d 2 bytes JMP 7734fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1132] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000755b1555 2 bytes JMP 773568ef C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1132] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000755b156d 2 bytes JMP 773d8fe3 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1132] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000755b1585 2 bytes JMP 773d8b42 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1132] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000755b159d 2 bytes JMP 773d86dc C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1132] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755b15b5 2 bytes JMP 7734fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1132] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755b15cd 2 bytes JMP 7735b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1132] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755b16b2 2 bytes JMP 773d8ea4 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1132] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755b16bd 2 bytes JMP 773d8671 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000755b1401 2 bytes JMP 7735b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2324] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000755b1419 2 bytes JMP 7735b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000755b1431 2 bytes JMP 773d8f29 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000755b144a 2 bytes CALL 7733489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2324] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755b14dd 2 bytes JMP 773d8822 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755b14f5 2 bytes JMP 773d89f8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2324] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000755b150d 2 bytes JMP 773d8718 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000755b1525 2 bytes JMP 773d8ae2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000755b153d 2 bytes JMP 7734fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2324] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000755b1555 2 bytes JMP 773568ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000755b156d 2 bytes JMP 773d8fe3 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000755b1585 2 bytes JMP 773d8b42 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2324] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000755b159d 2 bytes JMP 773d86dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755b15b5 2 bytes JMP 7734fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755b15cd 2 bytes JMP 7735b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755b16b2 2 bytes JMP 773d8ea4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755b16bd 2 bytes JMP 773d8671 C:\Windows\syswow64\kernel32.dll

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 G:\Programy\DAEMON Tools Lite x64\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x50 0x7B 0xE1 0x61 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 G:\Programy\DAEMON Tools Lite x64\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x50 0x7B 0xE1 0x61 ...

---- EOF - GMER 2.2 ----