GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-12-14 22:40:48
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006f Hitachi_ rev.JE3O 465,76GB
Running: 21wskeui.exe; Driver: C:\Users\WINDOW~1\AppData\Local\Temp\fgtdqpob.sys

---- User code sections - GMER 2.2 ----

.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000778b1465 2 bytes [8B, 77]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000778b14bb 2 bytes [8B, 77]
.text ... * 2
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2860] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000719111a8 2 bytes [91, 71]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2860] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 00000000719113a8 2 bytes [91, 71]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2860] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000071911422 2 bytes [91, 71]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2860] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000071911498 2 bytes [91, 71]

---- Kernel IAT/EAT - GMER 2.2 ----

IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800108ee94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800108ec38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800108f654] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800108fa50] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800108f8ac] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- User IAT/EAT - GMER 2.2 ----

IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!??0exception@@QEAA@AEBV0@@Z] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!malloc] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!memcpy_s] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!?what@exception@@UEBAPEBDXZ] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!??1exception@@UEAA@XZ] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!??0exception@@QEAA@AEBQEBD@Z] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!realloc] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!memmove_s] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!??0exception@@QEAA@XZ] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!??0exception@@QEAA@AEBQEBDH@Z] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!_CxxThrowException] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!_callnewh] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!__CxxFrameHandler3] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!_XcptFilter] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!_initterm] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!_amsg_exit] [111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!??1type_info@@UEAA@XZ] [fffffffffffffffe]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!_unlock] [100000000]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!__dllonexit] [400000002]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!_lock] [a00000006]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!_onexit] [160000000e]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!memset] [2e0000001e]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!_vsnwprintf] [5e0000003e]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!free] [be0000007e]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[msvcrt.dll!memcpy] [17e000000fe]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[ntdll.dll!RtlGetNtProductType] [5fe000003fe]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[ntdll.dll!VerSetConditionMask] [bfe000007fe]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[ntdll.dll!RtlVirtualUnwind] [17fe00000ffe]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[ntdll.dll!RtlCaptureContext] [2ffe00001ffe]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[ntdll.dll!RtlLookupFunctionEntry] [5ffe00003ffe]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[KERNEL32.dll!GetTickCount] [0]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[KERNEL32.dll!LoadResource] [0]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[KERNEL32.dll!FindResourceW] [0]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[KERNEL32.dll!GetLastError] [0]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[KERNEL32.dll!LoadLibraryExW] [0]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[KERNEL32.dll!lstrlenW] [0]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[KERNEL32.dll!lstrcpynW] [4a5bc17400000000]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[KERNEL32.dll!lstrcmpiW] [200000000]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[KERNEL32.dll!DisableThreadLibraryCalls] [0]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[ole32.dll!CoTaskMemRealloc] [17ffe0000fffe]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[ole32.dll!CoTaskMemAlloc] [2fffe0001fffe]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[ole32.dll!CoTaskMemFree] [5fffe0003fffe]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[ole32.dll!CoUninitialize] [9fffe0007fffe]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[ole32.dll!CoInitializeEx] [dfffe000bfffe]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[SETUPAPI.dll!SetupDiDestroyDeviceInfoList] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[SETUPAPI.dll!SetupOpenInfFileW] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[SETUPAPI.dll!SetupFindFirstLineW] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[SETUPAPI.dll!SetupGetIntField] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[SETUPAPI.dll!SetupGetMultiSzFieldW] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[SETUPAPI.dll!SetupDiEnumDeviceInfo] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[SETUPAPI.dll!SetupDiOpenDevRegKey] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[SETUPAPI.dll!SetupDiGetClassDevsW] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[SETUPAPI.dll!SetupCloseInfFile] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[SETUPAPI.dll!SetupGetStringFieldW] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[USER32.dll!CharNextW] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[USER32.dll!LoadStringW] [1111111111111111]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[rtutils.dll!RouterLogDeregisterW] [15fffe0013fffe]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[rtutils.dll!RouterLogRegisterW] [19fffe0017fffe]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[rtutils.dll!RouterLogEventW] [1dfffe001bfffe]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprAdminInterfaceDelete] [0]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigInterfaceDelete] [80818086808006]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigInterfaceTransportRemove] [8082868086031000]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprAdminServerDisconnect] [8585454545050514]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigServerDisconnect] [5080303000000585]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprAdminServerConnect] [3827280008008080]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprAdminInterfaceCreate] [3037000700805750]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprAdminInterfaceEnum] [2000000088505030]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprAdminInterfaceGetHandle] [8080888028]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprAdminInterfaceTransportAdd] [808686868606060]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprAdminTransportCreate] [870707770707807]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigServerConnect] [700080008000008]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigInterfaceCreate] [8]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigInterfaceEnum] [706050403020100]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigInterfaceTransportEnum] [f0e0d0c0b0a0908]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigInterfaceGetHandle] [605040302010010]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigInterfaceTransportAdd] [e0d0c0b0a090807]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigInterfaceTransportGetHandle] [100f]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigTransportCreate] [0]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigTransportDelete] [202010100000000]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigTransportGetHandle] [606050504040303]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigTransportGetInfo] [a0a090908080707]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[MPRAPI.dll!MprConfigBufferFree] [e0e0d0d0c0c0b0b]
IAT C:\Windows\system32\svchost.exe[1000] @ C:\Windows\system32\rascfg.dll[slc.dll!SLGetWindowsInformationDWORD] [25fffe0023fffe]

---- Devices - GMER 2.2 ----

Device \FileSystem\Ntfs \Ntfs fffffa800623b2c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{4DB6DBA5-0736-48E4-A9FF-711D27763FE1} fffffa80076352c0
Device \Driver\usbehci \Device\USBFDO-3 fffffa800776a2c0
Device \Driver\usbehci \Device\USBPDO-1 fffffa800776a2c0
Device \Driver\amd_sata \Device\00000070 fffffa80062352c0
Device \Driver\amd_sata \Device\RaidPort0 fffffa80062352c0
Device \Driver\cdrom \Device\CdRom0 fffffa80074862c0
Device \Driver\amd_sata \Device\0000006f fffffa80062352c0
Device \Driver\usbohci \Device\USBFDO-4 fffffa800776c2c0
Device \Driver\usbohci \Device\USBFDO-0 fffffa800776c2c0
Device \Driver\usbohci \Device\USBPDO-2 fffffa800776c2c0
Device \Driver\USBSTOR \Device\00000081 fffffa8008f4f2c0
Device \Driver\usbehci \Device\USBPDO-3 fffffa800776a2c0
Device \Driver\usbehci \Device\USBFDO-1 fffffa800776a2c0
Device \Driver\USBSTOR \Device\00000082 fffffa8008f4f2c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{C30CD035-BF31-42D1-AE06-4CE3E0DDC2E2} fffffa80076352c0
Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80076352c0
Device \Driver\usbohci \Device\USBPDO-4 fffffa800776c2c0
Device \Driver\amd_sata \Device\ScsiPort0 fffffa80062352c0
Device \Driver\usbohci \Device\USBFDO-2 fffffa800776c2c0
Device \Driver\usbohci \Device\USBPDO-0 fffffa800776c2c0

---- Trace I/O - GMER 2.2 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80062372c0]<< sptd.sys amd_xata.sys storport.sys hal.dll amd_sata.sys fffffa80062372c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800725b570] fffffa800725b570
Trace 3 CLASSPNP.SYS[fffff8800185143f] -> nt!IofCallDriver -> [0xfffffa80070c5040] fffffa80070c5040
Trace \Driver\amd_xata[0xfffffa80070aa060] -> IRP_MJ_CREATE -> 0xfffffa80062372c0 fffffa80062372c0
Trace 5 amd_xata.sys[fffff88000e46d00] -> nt!IofCallDriver -> \Device\0000006f[0xfffffa80070c1060] fffffa80070c1060
Trace \Driver\amd_sata[0xfffffa80070a9a00] -> IRP_MJ_CREATE -> 0xfffffa80062352c0 fffffa80062352c0

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0d962382821
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0d962382821 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

---- EOF - GMER 2.2 ----