GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-12-16 23:11:42
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000076 ADATA___ rev.2.9_ 119,24GB
Running: nojvyh50.exe; Driver: C:\Users\T540p\AppData\Local\Temp\pwrdykod.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528  fffff800031f9000 8 bytes [00, 00, 0C, 02, 46, 4D, 73, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 666  fffff800031f908a 7 bytes [00, 00, 00, 00, 00, 00, 03]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000755b1465 2 bytes [5B, 75]
.text  C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000755b14bb 2 bytes [5B, 75]
.text  ...  * 2
.text  C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2436] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 195  0000000071561b41 2 bytes [56, 71]
.text  C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2436] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 362  0000000071561be8 2 bytes [56, 71]
.text  C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2436] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 418  0000000071561c20 2 bytes [56, 71]
.text  C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2436] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 596  0000000071561cd2 2 bytes [56, 71]
.text  C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe[2436] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 628  0000000071561cf2 2 bytes [56, 71]
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2600] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69  00000000755b1465 2 bytes [5B, 75]
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2600] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  00000000755b14bb 2 bytes [5B, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000755b1465 2 bytes [5B, 75]
.text  C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe[2944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000755b14bb 2 bytes [5B, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Lenovo\QuickControl\QuickControl.exe[4584] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69  00000000755b1465 2 bytes [5B, 75]
.text  C:\Program Files (x86)\Lenovo\QuickControl\QuickControl.exe[4584] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  00000000755b14bb 2 bytes [5B, 75]
.text  ...  * 2
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[4372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000755b1465 2 bytes [5B, 75]
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[4372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000755b14bb 2 bytes [5B, 75]
.text  ...  * 2
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[4372] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35  00000000710411a8 2 bytes [04, 71]
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[4372] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21  00000000710413a8 2 bytes [04, 71]
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[4372] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21  0000000071041422 2 bytes [04, 71]
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[4372] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19  0000000071041498 2 bytes [04, 71]
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[4372] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 195  0000000071561b41 2 bytes [56, 71]
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[4372] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 362  0000000071561be8 2 bytes [56, 71]
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[4372] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 418  0000000071561c20 2 bytes [56, 71]
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[4372] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 596  0000000071561cd2 2 bytes [56, 71]
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[4372] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 628  0000000071561cf2 2 bytes [56, 71]
.text  C:\Program Files (x86)\Integrated Camera\Monitor.exe[4380] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35  00000000710411a8 2 bytes [04, 71]
.text  C:\Program Files (x86)\Integrated Camera\Monitor.exe[4380] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21  00000000710413a8 2 bytes [04, 71]
.text  C:\Program Files (x86)\Integrated Camera\Monitor.exe[4380] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21  0000000071041422 2 bytes [04, 71]
.text  C:\Program Files (x86)\Integrated Camera\Monitor.exe[4380] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19  0000000071041498 2 bytes [04, 71]
.text  C:\Program Files (x86)\Integrated Camera\Monitor.exe[4380] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 195  0000000071561b41 2 bytes [56, 71]
.text  C:\Program Files (x86)\Integrated Camera\Monitor.exe[4380] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 362  0000000071561be8 2 bytes [56, 71]
.text  C:\Program Files (x86)\Integrated Camera\Monitor.exe[4380] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 418  0000000071561c20 2 bytes [56, 71]
.text  C:\Program Files (x86)\Integrated Camera\Monitor.exe[4380] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 596  0000000071561cd2 2 bytes [56, 71]
.text  C:\Program Files (x86)\Integrated Camera\Monitor.exe[4380] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 628  0000000071561cf2 2 bytes [56, 71]
.text  C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000755b1465 2 bytes [5B, 75]
.text  C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[5672] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000755b14bb 2 bytes [5B, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5768] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000755b1465 2 bytes [5B, 75]
.text  C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5768] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000755b14bb 2 bytes [5B, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[6800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000755b1465 2 bytes [5B, 75]
.text  C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe[6800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000755b14bb 2 bytes [5B, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000755b1465 2 bytes [5B, 75]
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000755b14bb 2 bytes [5B, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[4992] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000755b1465 2 bytes [5B, 75]
.text  C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE[4992] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000755b14bb 2 bytes [5B, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Lenovo\QuickControl\QuickControl.exe[7424] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69  00000000755b1465 2 bytes [5B, 75]
.text  C:\Program Files (x86)\Lenovo\QuickControl\QuickControl.exe[7424] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  00000000755b14bb 2 bytes [5B, 75]
.text  ...  * 2
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[7860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000755b1465 2 bytes [5B, 75]
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[7860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000755b14bb 2 bytes [5B, 75]
.text  ...  * 2
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[7860] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35  00000000710411a8 2 bytes [04, 71]
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[7860] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21  00000000710413a8 2 bytes [04, 71]
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[7860] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21  0000000071041422 2 bytes [04, 71]
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[7860] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19  0000000071041498 2 bytes [04, 71]
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[7860] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 195  0000000071561b41 2 bytes [56, 71]
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[7860] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 362  0000000071561be8 2 bytes [56, 71]
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[7860] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 418  0000000071561c20 2 bytes [56, 71]
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[7860] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 596  0000000071561cd2 2 bytes [56, 71]
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[7860] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 628  0000000071561cf2 2 bytes [56, 71]
.text  C:\Program Files (x86)\Integrated Camera\Monitor.exe[7568] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35  00000000710411a8 2 bytes [04, 71]
.text  C:\Program Files (x86)\Integrated Camera\Monitor.exe[7568] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21  00000000710413a8 2 bytes [04, 71]
.text  C:\Program Files (x86)\Integrated Camera\Monitor.exe[7568] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21  0000000071041422 2 bytes [04, 71]
.text  C:\Program Files (x86)\Integrated Camera\Monitor.exe[7568] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19  0000000071041498 2 bytes [04, 71]
.text  C:\Program Files (x86)\Integrated Camera\Monitor.exe[7568] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 195  0000000071561b41 2 bytes [56, 71]
.text  C:\Program Files (x86)\Integrated Camera\Monitor.exe[7568] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 362  0000000071561be8 2 bytes [56, 71]
.text  C:\Program Files (x86)\Integrated Camera\Monitor.exe[7568] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 418  0000000071561c20 2 bytes [56, 71]
.text  C:\Program Files (x86)\Integrated Camera\Monitor.exe[7568] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 596  0000000071561cd2 2 bytes [56, 71]
.text  C:\Program Files (x86)\Integrated Camera\Monitor.exe[7568] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 628  0000000071561cf2 2 bytes [56, 71]
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[7688] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69  00000000755b1465 2 bytes [5B, 75]
.text  C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[7688] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  00000000755b14bb 2 bytes [5B, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[8968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000755b1465 2 bytes [5B, 75]
.text  C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.exe[8968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000755b14bb 2 bytes [5B, 75]
.text  ...  * 2

---- Kernel IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]  [fffff8800106ee94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]  [fffff8800106ec38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]  [fffff8800106f614] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong]  [fffff8800106fa10] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]  [fffff8800106f86c] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Devices - GMER 2.1 ----

Device  \FileSystem\Ntfs  \Ntfs  fffffa80071f22c0
Device  \FileSystem\fastfat  \Fat  fffffa8014b6b2c0
Device  \Driver\NetBT  \Device\NetBT_Tcpip_{0C0544FE-EB0D-4B8D-8F31-365FC8E7CECA}  fffffa800785d2c0
Device  \Driver\NetBT  \Device\NetBT_Tcpip_{607E2E43-6A31-408A-A748-2DFB29EFDA60}  fffffa800785d2c0
Device  \Driver\usbehci  \Device\USBPDO-1  fffffa8009c572c0
Device  \Driver\iaStorA  \Device\RaidPort0  fffffa80071ee2c0
Device  \Driver\cdrom  \Device\CdRom0  fffffa800784f2c0
Device  \Driver\usbehci  \Device\USBFDO-0  fffffa8009c572c0
Device  \Driver\iaStorA  \Device\00000076  fffffa80071ee2c0
Device  \Driver\usbehci  \Device\USBFDO-1  fffffa8009c572c0
Device  \Driver\NetBT  \Device\NetBT_Tcpip_{05892438-81F8-4391-9F51-9DB9E1086E55}  fffffa800785d2c0
Device  \Driver\NetBT  \Device\NetBt_Wins_Export  fffffa800785d2c0
Device  \Driver\iaStorA  \Device\00000077  fffffa80071ee2c0
Device  \Driver\iaStorA  \Device\ScsiPort0  fffffa80071ee2c0
Device  \Driver\NetBT  \Device\NetBT_Tcpip_{049DC0E1-7B55-4AA3-9C50-612095C0D831}  fffffa800785d2c0
Device  \Driver\usbehci  \Device\USBPDO-0  fffffa8009c572c0

---- Trace I/O - GMER 2.1 ----

Trace  ntoskrnl.exe CLASSPNP.SYS disk.sys iaStorF.sys >>UNKNOWN [0xfffffa80071ee2c0]<< sptd.sys storport.sys hal.dll iaStorA.sys  fffffa80071ee2c0
Trace  1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800775b790]  fffffa800775b790
Trace  3 CLASSPNP.SYS[fffff88001d7043f] -> nt!IofCallDriver -> [0xfffffa800765ca90]  fffffa800765ca90
Trace  5 iaStorF.sys[fffff88001d0cf84] -> nt!IofCallDriver -> \Device\00000076[0xfffffa8006c449c0]  fffffa8006c449c0
Trace  \Driver\iaStorA[0xfffffa80073776a0] -> IRP_MJ_CREATE -> 0xfffffa80071ee2c0  fffffa80071ee2c0

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\28b2bdd6b43c
Reg  HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{261E5DF7-B151-4B57-BA0B-A4049AB62590}@InterfaceName  isatap.{0C0544FE-EB0D-4B8D-8F31-365FC8E7CECA}
Reg  HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{261E5DF7-B151-4B57-BA0B-A4049AB62590}@ReusableType  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{4CC5D37B-CB9D-4BE6-B422-6CF1397178C8}@InterfaceName  isatap.{05892438-81F8-4391-9F51-9DB9E1086E55}
Reg  HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{4CC5D37B-CB9D-4BE6-B422-6CF1397178C8}@ReusableType  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Teredo\PreviousState\00-23-cd-1f-c4-fa@TeredoAddress  2001:0:9d38:6ab8:2484:5103:e049:bdbe
Reg  HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch  38420
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0xE3 0xD6 0x2E 0xD7 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\28b2bdd6b43c (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0xE3 0xD6 0x2E 0xD7 ...

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.1 ----
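A triage script for a log like the one above, added here as an example; it is not part of the posted scan and not GMER's own code. It parses the three record types a responder reads first (user-mode .text patches, kernel IAT hooks, and disk-sector findings), groups the IAT hooks by the module that now owns the import (here sptd.sys, the SCSI Pass Through Direct driver installed with disc-emulation software such as DAEMON Tools and Alcohol 120%), and applies one heuristic of my own: a 2-byte difference whose bytes equal the high word of the patched address, little-endian ([5B, 75] at 0x755b1465, [56, 71] at 0x7156xxxx, [04, 71] at 0x7104xxxx), is what a relocated absolute address in a WOW64 DLL looks like when memory is compared against the on-disk image, not a detour to foreign code. The sample records are copied from the scan above; the regular expressions and the heuristic are assumptions of this example, not documented GMER behaviour.

```python
import re
from collections import Counter

# Constructed sample: a few records copied from the GMER scan above, one per
# line as GMER writes them. It is an excerpt for the parser, not a fresh scan.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 2.1 ----
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528  fffff800031f9000 8 bytes [00, 00, 0C, 02, 46, 4D, 73, ...]
---- User code sections - GMER 2.1 ----
.text  C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000755b1465 2 bytes [5B, 75]
.text  C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe[1592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000755b14bb 2 bytes [5B, 75]
.text  ...  * 2
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[4372] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35  00000000710411a8 2 bytes [04, 71]
.text  C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe[4372] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 195  0000000071561b41 2 bytes [56, 71]
---- Kernel IAT/EAT - GMER 2.1 ----
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]  [fffff8800106ec38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]  [fffff8800106f614] \SystemRoot\System32\Drivers\sptd.sys [.text]
---- Disk sectors - GMER 2.1 ----
Disk  \Device\Harddisk0\DR0  unknown MBR code
---- EOF - GMER 2.1 ----
"""

# Record patterns are assumptions derived from the lines above, not a GMER spec.
USER_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+"
    r"(?P<module>[A-Za-z]:\\[^!]+)!(?P<func>\w+) \+ (?P<off>\d+)\s+"
    r"(?P<addr>[0-9a-fA-F]{16}) (?P<n>\d+) bytes \[(?P<bytes>[^\]]*)\]"
)
IAT_RE = re.compile(
    r"^IAT\s+(?P<driver>[^\[\s]+)\[(?P<import>[^\]]+)\]\s+"
    r"\[(?P<addr>[0-9a-fA-F]+)\]\s+(?P<handler>\S+)\s+\[(?P<section>[^\]]+)\]"
)
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+(?P<finding>.+?)\s*$")


def parse_gmer(text):
    """Split GMER records into user-mode .text patches, kernel IAT hooks and
    disk-sector findings. Section headers, INITKDBG lines and the
    '.text ... * N' summaries do not match any pattern and are skipped."""
    user, iat, disk = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if m := USER_RE.match(line):
            d = m.groupdict()
            d["addr"] = int(d["addr"], 16)
            d["bytes"] = [int(b, 16) for b in d["bytes"].split(", ") if b != "..."]
            user.append(d)
        elif m := IAT_RE.match(line):
            iat.append(m.groupdict())
        elif m := DISK_RE.match(line):
            disk.append(m.groupdict())
    return {"user": user, "iat": iat, "disk": disk}


def looks_like_relocation(entry):
    """Heuristic (assumption of this example): a 2-byte difference whose bytes,
    read little-endian, equal the high 16 bits of the patched address is a
    relocated absolute address, not an inline hook. [5B, 75] at 0x755b1465
    satisfies this; an E9 (jmp rel32) opcode at the same spot would not."""
    if len(entry["bytes"]) != 2:
        return False
    high_word = (entry["addr"] >> 16) & 0xFFFF
    return entry["bytes"][0] | (entry["bytes"][1] << 8) == high_word


def triage(text):
    """Summarise what a responder checks first: how many .text patches the
    relocation heuristic explains, which it does not (process, function),
    IAT hooks counted per owning module, and every disk-sector finding."""
    rep = parse_gmer(text)
    reloc = [e for e in rep["user"] if looks_like_relocation(e)]
    other = [e for e in rep["user"] if not looks_like_relocation(e)]
    handlers = Counter(h["handler"].rsplit("\\", 1)[-1].lower() for h in rep["iat"])
    return {
        "relocation_like": len(reloc),
        "unexplained_user_patches": [(e["proc"], e["func"]) for e in other],
        "iat_hooks_by_handler": dict(handlers),
        "disk_findings": [d["finding"] for d in rep["disk"]],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full GMER log by reading the file into `triage()` instead of `SAMPLE_LOG`. Entries the heuristic leaves in `unexplained_user_patches`, any IAT owner that is not a driver you can account for, and an `unknown MBR code` finding are the items to follow up by hand; the heuristic lowers priority, it does not clear an entry.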