GMER 2.1.19355 - http://www.gmer.net Rootkit scan 2014-01-27 15:46:02 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000063 WDC_WD10 rev.01.0 931,51GB Running: 11neqpk6.exe; Driver: C:\Users\pc\AppData\Local\Temp\uglcraoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002dbd000 63 bytes [00, 00, 13, 02, 4D, 49, 63, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 592 fffff80002dbd040 72 bytes [40, 51, 79, 0A, 80, FA, FF, ...] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800106ae94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800106ac38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800106b614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800106ba10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800106b86c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdePort0 fffffa80069b62c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80069b62c0 Device \Driver\a5c7b06d \Device\Scsi\a5c7b06d1 fffffa8009bd22c0 Device \FileSystem\Ntfs \Ntfs fffffa8006a9c2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8007e7a2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{1E370E21-36B5-42E4-BA74-154D064EA5DF} fffffa8007b142c0 Device \Driver\nvstor64 \Device\RaidPort0 fffffa8006a8e2c0 Device \Driver\cdrom \Device\CdRom0 fffffa8007cff2c0 Device \Driver\nvstor64 \Device\RaidPort1 fffffa8006a8e2c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa80074172c0 Device \Driver\nvstor64 \Device\00000062 fffffa8006a8e2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8007e7a2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8007b142c0 Device \Driver\nvstor64 \Device\00000063 fffffa8006a8e2c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80069b62c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80069b62c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa80074172c0 Device \Driver\nvstor64 \Device\ScsiPort2 fffffa8006a8e2c0 Device \Driver\nvstor64 \Device\ScsiPort3 fffffa8006a8e2c0 Device \Driver\a5c7b06d \Device\ScsiPort4 fffffa8009bd22c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8006a8e2c0]<< sptd.sys storport.sys hal.dll nvstor64.sys fffffa8006a8e2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007af9060] fffffa8007af9060 Trace 3 CLASSPNP.SYS[fffff88001b5043f] -> nt!IofCallDriver -> [0xfffffa80077f4c40] fffffa80077f4c40 Trace 5 ACPI.sys[fffff8800118e7a1] -> nt!IofCallDriver -> \Device\00000063[0xfffffa80074224e0] fffffa80074224e0 Trace \Driver\nvstor64[0xfffffa8006b0e370] -> IRP_MJ_CREATE -> 0xfffffa8006a8e2c0 fffffa8006a8e2c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\a5c7b06d.SYS fffff88001b7f000-fffff88001bd0000 (331776 bytes) ---- Processes - GMER 2.1 ---- Process C:\Users\pc\AppData\Local\FilesFrog Update Checker\update_checker.exe (*** suspicious ***) @ C:\Users\pc\AppData\Local\FilesFrog Update Checker\update_checker.exe [3564] 0000000000400000 Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2385F3F7-EC24-4C5F-A412-CF6F812230BA}\mpengine.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [3256] (Microsoft Malware Protection Engine/Microsoft Corporation SIGNED)(2014-01-24 07:07:42) 000007fee4ec0000 Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2385F3F7-EC24-4C5F-A412-CF6F812230BA}\offreg.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [3256] (Offline registry DLL/Microsoft Corporation SIGNED)(2014-01-27 08:47:13) 000007fefa710000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB6 0xFB 0xEE 0x8D ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x31 0x44 0xE6 0xD0 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@d0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF7 0x1A 0xC2 0xC9 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x42 0x07 0x94 0xC7 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3B 0x5C 0x81 0x23 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... ---- EOF - GMER 2.1 ----