GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-02-18 08:37:23
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Intel___ rev.1.0. 931.52GB
Running: 5noee4t0.exe; Driver: C:\Users\Kamil\AppData\Local\Temp\pfddqpod.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88010943d8c 12 bytes {MOV RAX, 0xfffffa80072832a0; JMP RAX}

---- User code sections - GMER 2.1 ----

.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1500] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075a88769 4 bytes [C2, 04, 00, 00]
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1500] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000076a31465 2 bytes [A3, 76]
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1500] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000076a314bb 2 bytes [A3, 76]
.text ... * 2
.text C:\Program Files\OO Software\Defrag\oodag.exe[1716] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 0000000077149b80 13 bytes {MOV R11, 0x1400a71c0; JMP R11}
.text C:\Windows\SysWOW64\PnkBstrA.exe[1908] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000072631a22 2 bytes [63, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[1908] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000072631ad0 2 bytes [63, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[1908] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000072631b08 2 bytes [63, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[1908] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000072631bba 2 bytes [63, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[1908] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000072631bda 2 bytes [63, 72]
.text C:\Windows\SysWOW64\PnkBstrB.exe[1936] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000072631a22 2 bytes [63, 72]
.text C:\Windows\SysWOW64\PnkBstrB.exe[1936] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000072631ad0 2 bytes [63, 72]
.text C:\Windows\SysWOW64\PnkBstrB.exe[1936] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000072631b08 2 bytes [63, 72]
.text C:\Windows\SysWOW64\PnkBstrB.exe[1936] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000072631bba 2 bytes [63, 72]
.text C:\Windows\SysWOW64\PnkBstrB.exe[1936] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000072631bda 2 bytes [63, 72]
.text C:\Windows\SysWOW64\PnkBstrB.exe[1936] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000076a31465 2 bytes [A3, 76]
.text C:\Windows\SysWOW64\PnkBstrB.exe[1936] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000076a314bb 2 bytes [A3, 76]
.text ... * 2

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff88001074650] \SystemRoot\System32\Drivers\spep.sys [unknown section]
IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff880010745dc] \SystemRoot\System32\Drivers\spep.sys [unknown section]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800103f35c] \SystemRoot\System32\Drivers\spep.sys [unknown section]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800103f224] \SystemRoot\System32\Drivers\spep.sys [unknown section]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800103fa24] \SystemRoot\System32\Drivers\spep.sys [unknown section]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800103fba0] \SystemRoot\System32\Drivers\spep.sys [unknown section]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2044] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef866741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2044] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef8665f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2044] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef8665674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2044] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef8665e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2044] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef8667f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2044] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef8666a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2044] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef8666ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2044] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef8667b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2044] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef8667ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2044] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef86678b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2044] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef8664fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2044] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef8665d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2044] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef8667584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Devices - GMER 2.1 ----

Device \FileSystem\Ntfs \Ntfs fffffa8005c5b2c0
Device \Driver\usbehci \Device\USBFDO-7 fffffa800731f2c0
Device \Driver\usbuhci \Device\USBPDO-5 fffffa80072ff2c0
Device \Driver\usbehci \Device\USBFDO-3 fffffa800731f2c0
Device \Driver\usbuhci \Device\USBPDO-1 fffffa80072ff2c0
Device \Driver\cdrom \Device\CdRom0 fffffa80061762c0
Device \Driver\usbuhci \Device\USBPDO-6 fffffa80072ff2c0
Device \Driver\usbuhci \Device\USBFDO-4 fffffa80072ff2c0
Device \Driver\usbuhci \Device\USBPDO-2 fffffa80072ff2c0
Device \Driver\usbuhci \Device\USBFDO-0 fffffa80072ff2c0
Device \Driver\usbehci \Device\USBPDO-7 fffffa800731f2c0
Device \Driver\usbuhci \Device\USBFDO-5 fffffa80072ff2c0
Device \Driver\usbehci \Device\USBPDO-3 fffffa800731f2c0
Device \Driver\usbuhci \Device\USBFDO-1 fffffa80072ff2c0
Device \Driver\volmgr \Device\HarddiskVolume1 fffffa8004ec72c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{078E7E47-28A6-405C-B019-72549CA89D9F} fffffa80071de2c0
Device \Driver\volmgr \Device\FtControl fffffa8004ec72c0
Device \Driver\volmgr \Device\VolMgrControl fffffa8004ec72c0
Device \Driver\volmgr \Device\HarddiskVolume2 fffffa8004ec72c0
Device \Driver\volmgr \Device\HarddiskVolume3 fffffa8004ec72c0
Device \Driver\volmgr \Device\HarddiskVolume4 fffffa8004ec72c0
Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80071de2c0
Device \Driver\usbuhci \Device\USBFDO-6 fffffa80072ff2c0
Device \Driver\usbuhci \Device\USBPDO-4 fffffa80072ff2c0
Device \Driver\usbuhci \Device\USBFDO-2 fffffa80072ff2c0
Device \Driver\usbuhci \Device\USBPDO-0 fffffa80072ff2c0

---- Threads - GMER 2.1 ----

Thread C:\Windows\System32\svchost.exe [1272:2516] 000007fef8239688

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9D 0x5B 0x70 0x86 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9D 0x5B 0x70 0x86 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CD5AC7E3-0CA1-3EC0-0811-4989870DF975}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CD5AC7E3-0CA1-3EC0-0811-4989870DF975}@mampochjoedkmanlgpepipinoi 0x6F 0x61 0x6E 0x6A ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CD5AC7E3-0CA1-3EC0-0811-4989870DF975}@abnpnedhfoifhoilpcdnmkjfbpbdalpdeo 0x70 0x61 0x70 0x70 ...

---- EOF - GMER 2.1 ----