GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-08-29 21:03:07 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Samsung_ rev.DXM0 119,24GB Running: 3m9pxj78.exe; Driver: E:\TEMPMA~1\pgldapob.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff88007228d64 12 bytes {MOV RAX, 0xfffffa80105892a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2336] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000077221465 2 bytes [22, 77] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2336] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000772214bb 2 bytes [22, 77] .text ... * 2 .text C:\Windows\SysWOW64\ntdll.dll[2552] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007726faa8 5 bytes JMP 000000016de719b0 .text C:\Windows\SysWOW64\ntdll.dll[2552] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077270038 5 bytes JMP 000000016de72066 .text C:\Program Files (x86)\CodeTwo\Outlook Sync\C2OutlookSync.exe[3596] C:\Program Files (x86)\Common Files\SYSTEM\MSMAPI\1045\MSMAPI32.DLL!HrDispatchNotifications@4 + 112 0000000069c61b80 4 bytes [AE, B1, 65, DE] ? C:\Windows\system32\mssprxy.dll [3596] entry point in ".rdata" section 00000000691671e6 .text C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE[2836] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000751987b1 5 bytes JMP 0000000165ac50b8 .text C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE[2836] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076b36143 5 bytes JMP 000000016658e11a .text C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE[2836] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000075053e59 5 bytes JMP 0000000165af1b8f .text C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE[2836] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000075053eae 5 bytes JMP 0000000165afc68a .text C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE[2836] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000075054731 5 bytes JMP 0000000165affac2 .text C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE[2836] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000075055dee 5 bytes JMP 0000000165afff84 ? C:\Windows\system32\mssprxy.dll [2836] entry point in ".rdata" section 00000000691671e6 .text C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE[2836] C:\Program Files (x86)\Common Files\SYSTEM\MSMAPI\1045\MSMAPI32.DLL!HrDispatchNotifications@4 + 112 0000000069c61b80 4 bytes [2F, D6, E3, 8F] .text C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE[2836] C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\OGL.DLL!GdipDeleteGraphics + 571 000000005e630b54 4 bytes [70, 09, 22, 8F] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001052f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001052cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800105369c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001053a98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010538f4] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88002772d18] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa800d3e82c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa801058b2c0 Device \Driver\cdrom \Device\CdRom0 fffffa80100512c0 Device \Driver\cdrom \Device\CdRom1 fffffa80100512c0 Device \Driver\USBSTOR \Device\000000a0 fffffa800d5362c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa801058b2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{5E9E0A49-E723-4699-B2F9-C83DA4292748} fffffa80102082c0 Device \Driver\USBSTOR \Device\000000a1 fffffa800d5362c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa801058b2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{A6DCB838-A97D-4DEA-AEFE-4B0366F2CC2B} fffffa80102082c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80102082c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa801058b2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{B5BCCFCF-899A-48A7-BAC6-5BE229FFEC7A} fffffa80102082c0 ---- Threads - GMER 2.1 ---- Thread C:\Windows\SysWOW64\ntdll.dll [2552:2556] 000000000106301f Thread C:\Windows\SysWOW64\ntdll.dll [2552:1152] 00000000727340f0 Thread C:\Windows\SysWOW64\ntdll.dll [2552:4376] 0000000069131120 Thread C:\Windows\SysWOW64\ntdll.dll [2552:4960] 0000000068663821 Thread C:\Windows\SysWOW64\ntdll.dll [2552:4964] 0000000068663821 Thread C:\Windows\SysWOW64\ntdll.dll [2552:5076] 0000000065719420 Thread C:\Windows\SysWOW64\ntdll.dll [2552:6080] 000000006463b230 Thread C:\Windows\SysWOW64\ntdll.dll [2552:6120] 000000006454fe30 Thread C:\Windows\SysWOW64\ntdll.dll [2552:6136] 000000006b183840 Thread C:\Windows\SysWOW64\ntdll.dll [2552:6140] 000000006b1834b0 Thread C:\Windows\SysWOW64\ntdll.dll [2552:5400] 000000006b183840 Thread C:\Windows\SysWOW64\ntdll.dll [2552:5416] 000000006b1834b0 Thread C:\Windows\SysWOW64\ntdll.dll [2552:5424] 0000000068663821 Thread C:\Windows\SysWOW64\ntdll.dll [2552:5408] 000000005ddcc6a3 Thread C:\Windows\SysWOW64\ntdll.dll [2552:5584] 000000005ddcc6a3 Thread C:\Windows\SysWOW64\ntdll.dll [2552:5648] 000000005dc7a950 Thread C:\Windows\SysWOW64\ntdll.dll [2552:5632] 000000005dc5d570 Thread C:\Windows\SysWOW64\ntdll.dll [2552:4348] 000000006ce562ee Thread C:\Windows\SysWOW64\ntdll.dll [2552:3704] 000000007709c520 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3856:4204] 000007fefbeb2a7c ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\0015833d0a57 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\0015833d0a57@a0f4196d71bf 0xC8 0x9C 0x06 0x0B ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{ABF34D06-2F66-4812-90D7-3930B7BA030E}\Connection@Name isatap.{A6DCB838-A97D-4DEA-AEFE-4B0366F2CC2B} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{38493B65-FA14-4E12-A0E3-DD436CDC4CBD}?\Device\{ABF34D06-2F66-4812-90D7-3930B7BA030E}?\Device\{CB966670-EDA0-4002-A9E1-0477245DD892}?\Device\{6AEE44A1-300A-4322-9907-452F0250EE70}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{38493B65-FA14-4E12-A0E3-DD436CDC4CBD}"?"{ABF34D06-2F66-4812-90D7-3930B7BA030E}"?"{CB966670-EDA0-4002-A9E1-0477245DD892}"?"{6AEE44A1-300A-4322-9907-452F0250EE70}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{38493B65-FA14-4E12-A0E3-DD436CDC4CBD}?\Device\TCPIP6TUNNEL_{ABF34D06-2F66-4812-90D7-3930B7BA030E}?\Device\TCPIP6TUNNEL_{CB966670-EDA0-4002-A9E1-0477245DD892}?\Device\TCPIP6TUNNEL_{6AEE44A1-300A-4322-9907-452F0250EE70}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015833d0a57 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015833d0a57@a0f4196d71bf 0xC8 0x9C 0x06 0x0B ... Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{ABF34D06-2F66-4812-90D7-3930B7BA030E}@InterfaceName isatap.{A6DCB838-A97D-4DEA-AEFE-4B0366F2CC2B} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{ABF34D06-2F66-4812-90D7-3930B7BA030E}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 2581 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 543 Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\0015833d0a57 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\0015833d0a57@a0f4196d71bf 0xC8 0x9C 0x06 0x0B ... ---- EOF - GMER 2.1 ----