GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-08-30 17:36:00
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 Hitachi_HDS721050CLA362 rev.JP2OA3EA 465,76GB
Running: 5z0ojgxj.exe; Driver: C:\Users\NORDVE~1\AppData\Local\Temp\fxtcqpow.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800033f4000 45 bytes [00, 00, 14, 02, 4E, 53, 49, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800033f402f 16 bytes [00, 58, 70, 25, 07, 80, FA, ...]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1100] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000757a8791 4 bytes [C2, 04, 00, 00]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2904] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000074b91a22 2 bytes [B9, 74]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2904] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000074b91ad0 2 bytes [B9, 74]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2904] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000074b91b08 2 bytes [B9, 74]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2904] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000074b91bba 2 bytes [B9, 74]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2904] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000074b91bda 2 bytes [B9, 74]
.text C:\Users\Nordvendor\Downloads\Skan antyvir 2014-09-30\OTL.exe[3056] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000075af1465 2 bytes [AF, 75]
.text C:\Users\Nordvendor\Downloads\Skan antyvir 2014-09-30\OTL.exe[3056] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 0000000075af14bb 2 bytes [AF, 75]
.text ... * 2

---- Threads - GMER 2.1 ----

Thread C:\Windows\System32\svchost.exe [984:3948] 000007fef47520c0
Thread C:\Windows\System32\svchost.exe [984:3968] 000007fef47214a0
Thread C:\Windows\System32\svchost.exe [984:3972] 000007fef47526a8
Thread C:\Windows\System32\svchost.exe [984:3996] 000007fef47529dc
Thread C:\Windows\System32\svchost.exe [984:3328] 000007fef438a2b0
Thread C:\Windows\System32\svchost.exe [984:4472] 000007fef67344e0
Thread C:\Windows\System32\svchost.exe [984:4864] 000007fef1f13efc
Thread C:\Windows\System32\svchost.exe [984:4952] 000007fef1fb8a4c
Thread C:\Windows\System32\svchost.exe [984:4968] 000007fef6a488f8
Thread C:\Windows\system32\svchost.exe [1076:1116] 000007fefaf7341c
Thread C:\Windows\system32\svchost.exe [1076:1124] 000007fefaf73a2c
Thread C:\Windows\system32\svchost.exe [1076:1128] 000007fefaf73768
Thread C:\Windows\system32\svchost.exe [1076:1132] 000007fefaf75c20
Thread C:\Windows\system32\svchost.exe [1076:2856] 000007fef6acbd88
Thread C:\Windows\system32\svchost.exe [1076:2380] 000007fef6b15124
Thread C:\Windows\system32\svchost.exe [1076:4444] 000007fef9ec5170
Thread C:\Windows\system32\svchost.exe [1076:3384] 000007fefaf73900
Thread C:\Windows\System32\spoolsv.exe [1320:1716] 000007fef9c510c8
Thread C:\Windows\System32\spoolsv.exe [1320:1724] 000007fef9c16144
Thread C:\Windows\System32\spoolsv.exe [1320:1728] 000007fef9a05fd0
Thread C:\Windows\System32\spoolsv.exe [1320:1732] 000007fef99f3438
Thread C:\Windows\System32\spoolsv.exe [1320:1736] 000007fef9a063ec
Thread C:\Windows\System32\spoolsv.exe [1320:1744] 000007fefa325e5c
Thread C:\Windows\System32\spoolsv.exe [1320:1748] 000007fef9db5074
Thread C:\Windows\system32\svchost.exe [1348:2004] 000007fef6de35c0
Thread C:\Windows\system32\svchost.exe [1348:1988] 000007fef6de5600
Thread C:\Windows\system32\svchost.exe [1348:4056] 000007fef4612888
Thread C:\Windows\system32\svchost.exe [1348:4068] 000007fef4602940
Thread C:\Windows\system32\svchost.exe [1348:2740] 000007fef4612a40
Thread C:\Windows\SysWOW64\ntdll.dll [1060:1052] 0000000000580f2a
Thread C:\Windows\SysWOW64\ntdll.dll [1244:1240] 0000000000580f2a
Thread C:\Windows\SysWOW64\ntdll.dll [1244:1480] 0000000000589c1a
Thread C:\Windows\SysWOW64\ntdll.dll [1244:1704] 0000000000433c6c
Thread C:\Windows\SysWOW64\ntdll.dll [1244:1476] 0000000000433c6c
Thread C:\Windows\SysWOW64\ntdll.dll [1244:1460] 0000000000433c6c
Thread C:\Windows\SysWOW64\ntdll.dll [1244:1464] 0000000000433c6c
Thread C:\Windows\SysWOW64\ntdll.dll [1244:1468] 0000000000433c6c
Thread C:\Windows\SysWOW64\ntdll.dll [1244:1756] 0000000000569890
Thread C:\Windows\system32\svchost.exe [2100:2424] 000007fef6968470
Thread C:\Windows\system32\svchost.exe [2100:2360] 000007fef6972418
Thread C:\Windows\system32\svchost.exe [2100:2312] 000007fef66af130
Thread C:\Windows\system32\svchost.exe [2100:3008] 000007fef66a4734
Thread C:\Windows\system32\svchost.exe [2100:4260] 000007fef66a4734
Thread C:\Windows\SysWOW64\ntdll.dll [2124:2128] 0000000000ef569e
Thread C:\Windows\SysWOW64\ntdll.dll [2980:2984] 000000000007d26e
Thread C:\Windows\system32\svchost.exe [3044:2156] 000007fef6907130
Thread C:\Windows\system32\svchost.exe [3044:2160] 000007fef68fd5c0
Thread C:\Windows\SysWOW64\ntdll.dll [2164:1588] 000000000122e686
Thread C:\Windows\SysWOW64\ntdll.dll [2164:3648] 0000000001223eb0
Thread C:\Windows\SysWOW64\ntdll.dll [2164:3652] 000000000122c056
Thread C:\Windows\SysWOW64\ntdll.dll [2164:4384] 0000000001223eb0
Thread C:\Windows\SysWOW64\ntdll.dll [2164:3284] 000000000124e2a1
Thread C:\Windows\SysWOW64\ntdll.dll [2164:4392] 00000000010ba71d
Thread C:\Windows\SysWOW64\ntdll.dll [2164:3372] 0000000001223eb0
Thread C:\Windows\SysWOW64\ntdll.dll [2164:4300] 00000000011c8a92
Thread C:\Windows\SysWOW64\ntdll.dll [2164:2604] 00000000011c8a92
Thread C:\Windows\SysWOW64\ntdll.dll [2164:2608] 00000000011c8a92
Thread C:\Windows\SysWOW64\ntdll.dll [2164:2752] 00000000011c8a92
Thread C:\Windows\SysWOW64\ntdll.dll [2164:4796] 0000000001223eb0
Thread C:\Windows\SysWOW64\ntdll.dll [2164:4848] 0000000001223eb0
Thread C:\Windows\SysWOW64\ntdll.dll [2164:4928] 000000000122c056
Thread C:\Windows\SysWOW64\ntdll.dll [2848:2816] 00000000004d5584
Thread C:\Windows\SysWOW64\ntdll.dll [2848:3304] 0000000000404e50
Thread C:\Windows\SysWOW64\ntdll.dll [2848:3320] 0000000000404e50
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4344:5108] 000007fefbbd2bf8
Thread C:\Windows\SysWOW64\ntdll.dll [2584:2568] 000000000147a744
Thread C:\Windows\SysWOW64\ntdll.dll [2584:2656] 0000000001474fb0
Thread C:\Windows\SysWOW64\ntdll.dll [2584:2660] 0000000001474fb0
Thread C:\Windows\SysWOW64\ntdll.dll [2584:2664] 0000000001479ff9
Thread C:\Windows\SysWOW64\ntdll.dll [2584:2872] 0000000001474fb0
Thread C:\Windows\SysWOW64\ntdll.dll [2584:4812] 0000000001474fb0
Thread C:\Windows\SysWOW64\ntdll.dll [2584:4800] 00000000013d9725
Thread C:\Windows\SysWOW64\ntdll.dll [2584:3452] 00000000013d9725
Thread C:\Windows\SysWOW64\ntdll.dll [2584:4860] 00000000013d9725
Thread C:\Windows\SysWOW64\ntdll.dll [2584:3472] 0000000001474fb0
Thread C:\Windows\SysWOW64\ntdll.dll [2584:4944] 0000000001474fb0
Thread C:\Windows\SysWOW64\ntdll.dll [2584:1204] 0000000001474fb0
Thread C:\Windows\SysWOW64\ntdll.dll [2584:4988] 0000000001474fb0

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0B 0xF7 0xDE 0xA2 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0B 0xF7 0xDE 0xA2 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----