GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-08 00:35:37 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PB3O 298,09GB Running: 8g5m1jds.exe; Driver: C:\Users\maciek\AppData\Local\Temp\uwdyykog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80003803000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff8000380302f 16 bytes [00, 03, 38, 00, 00, 00, 00, ...] PAGE C:\Windows\system32\drivers\ataport.SYS!DllUnload fffff8800151a4a0 12 bytes {MOV RAX, 0xfffffa80035c62a0; JMP RAX} .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff88006588d8c 12 bytes {MOV RAX, 0xfffffa8006aad2a0; JMP RAX} .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960000f3f00 7 bytes [00, 98, F3, FF, 01, A6, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000f3f08 3 bytes [C0, 06, 02] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800107bed8] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800107bc7c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800107c658] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800107ca54] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800107c8b0] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1444] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!FreeLibraryAndExitThread] [10002350] C:\Program Files (x86)\EgisTec\MyWinLocker 3\x64\psdprotect.dll IAT C:\Windows\Explorer.EXE[1444] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateThread] [10003450] C:\Program Files (x86)\EgisTec\MyWinLocker 3\x64\psdprotect.dll IAT C:\Windows\Explorer.EXE[1444] @ C:\Windows\system32\SHELL32.dll[KERNEL32.dll!LoadLibraryA] [100011e0] C:\Program Files (x86)\EgisTec\MyWinLocker 3\x64\psdprotect.dll ---- Devices - GMER 2.1 ---- Device \Driver\azv97yaa \Device\Scsi\azv97yaa1Port1Path0Target2Lun0 fffffa8006eb82c0 Device \Driver\azv97yaa \Device\Scsi\azv97yaa1Port1Path0Target1Lun0 fffffa8006eb82c0 Device \Driver\azv97yaa \Device\Scsi\azv97yaa1 fffffa8006eb82c0 Device \Driver\azv97yaa \Device\Scsi\azv97yaa1Port1Path0Target0Lun0 fffffa8006eb82c0 Device \FileSystem\Ntfs \Ntfs fffffa8003f1f2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8006ab72c0 Device \Driver\cdrom \Device\CdRom0 fffffa80068f22c0 Device \Driver\cdrom \Device\CdRom1 fffffa80068f22c0 Device \Driver\cdrom \Device\CdRom2 fffffa80068f22c0 Device \Driver\cdrom \Device\CdRom3 fffffa80068f22c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{6FB8178D-6160-4254-A97D-19B9211D3374} fffffa800694f2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{51AFCC4E-6474-4320-9B17-CB56B686B3AB} fffffa800694f2c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8006ab72c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8006ab72c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800694f2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8006ab72c0 Device \Driver\azv97yaa \Device\ScsiPort1 fffffa8006eb82c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{0078612D-AE10-4A34-BA57-C9005D39ABBB} fffffa800694f2c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\azv97yaa.SYS fffff8800493c000-fffff88004989000 (315392 bytes) ---- Processes - GMER 2.1 ---- Library C:\Program Files (x86)\WiseEnhance\updateWiseEnhance.exe (*** suspicious ***) @ C:\Program Files (x86)\WiseEnhance\updateWiseEnhance.exe [2448] 0000000000280000 Library C:\Program Files (x86)\WiseEnhance\bin\utilWiseEnhance.exe (*** suspicious ***) @ C:\Program Files (x86)\WiseEnhance\bin\utilWiseEnhance.exe [7900] 0000000000ab0000 Library C:\Program Files (x86)\WiseEnhance\bin\WiseEnhance.PurBrowse64.exe (*** suspicious ***) @ C:\Program Files (x86)\WiseEnhance\bin\WiseEnhance.PurBrowse64.exe [5912](2014-05-05 08:16:11) 000000013f970000 Library C:\Program Files (x86)\WiseEnhance\bin\WiseEnhance.BrowserAdapter.exe (*** suspicious ***) @ C:\Program Files (x86)\WiseEnhance\bin\WiseEnhance.BrowserAdapter.exe [1880] 0000000001100000 Library C:\Program Files (x86)\WiseEnhance\bin\{2c976a7f-dbdc-4756-870f-f6d183fe7a7e}.dll (*** suspicious ***) @ C:\Program Files (x86)\WiseEnhance\bin\WiseEnhance.BrowserAdapter.exe [1880] 000000005b490000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0050f2e182ee Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0050f2e182ee@0023b47f08bb 0x12 0x2A 0xDD 0xAE ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x24 0xEE 0x02 0xC6 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0E 0xDF 0x62 0x87 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x2B 0xB6 0xE1 0x8B ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x15 0xB6 0x03 0x4F ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0xB5 0x65 0x47 0xA0 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0050f2e182ee (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0050f2e182ee@0023b47f08bb 0x12 0x2A 0xDD 0xAE ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x24 0xEE 0x02 0xC6 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0E 0xDF 0x62 0x87 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x2B 0xB6 0xE1 0x8B ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x15 0xB6 0x03 0x4F ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0xB5 0x65 0x47 0xA0 ... ---- Files - GMER 2.1 ---- File C:\FRST 0 bytes File C:\FRST\Hives 0 bytes File C:\FRST\Hives\BCD 32768 bytes File C:\FRST\Hives\default 454656 bytes File C:\FRST\Hives\ERDNT.CON 800 bytes File C:\FRST\Hives\ERDNT.EXE 163328 bytes executable File C:\FRST\Hives\ERDNT.INF 839 bytes File C:\FRST\Hives\ERDNTDOS.LOC 2815 bytes File C:\FRST\Hives\ERDNTWIN.LOC 3275 bytes File C:\FRST\Hives\sam 61440 bytes File C:\FRST\Hives\security 24576 bytes File C:\FRST\Hives\software 90894336 bytes File C:\FRST\Hives\system 26787840 bytes File C:\FRST\Hives\Users 0 bytes File C:\FRST\Hives\Users\00000001 0 bytes File C:\FRST\Hives\Users\00000001\ntuser.dat 5177344 bytes File C:\FRST\Hives\Users\00000002 0 bytes File C:\FRST\Hives\Users\00000002\UsrClass.dat 7512064 bytes File C:\FRST\Logs 0 bytes File C:\FRST\Logs\Addition.txt 56710 bytes File C:\FRST\Logs\FRST_08-05-2014_00-19-37.txt 67499 bytes File C:\FRST\Quarantine 0 bytes ---- EOF - GMER 2.1 ----