GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2015-01-17 22:23:30 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-7 WDC_WD5000AADS-00S9B0 rev.01.00A01 465,76GB Running: m57g1hli.exe; Driver: C:\Users\SDRG\AppData\Local\Temp\kxldypod.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 448 fffff80003404000 45 bytes [00, 00, 16, 02, 4E, 74, 66, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 495 fffff8000340402f 29 bytes [00, 01, 00, 06, 00, 00, 00, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000134300 7 bytes [00, A1, F3, FF, 41, B4, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000134308 3 bytes [00, 07, 02] ---- User code sections - GMER 2.1 ---- .text C:\Users\SDRG\AppData\Local\Viber\Viber.exe[2208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751b1465 2 bytes [1B, 75] .text C:\Users\SDRG\AppData\Local\Viber\Viber.exe[2208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751b14bb 2 bytes [1B, 75] .text ... * 2 .text C:\Users\SDRG\AppData\Local\Viber\Viber.exe[2220] C:\Windows\SysWOW64\ntdll.dll!LdrAccessResource 00000000777f1fc0 5 bytes JMP 0000000100518940 .text C:\Users\SDRG\AppData\Local\Viber\Viber.exe[2220] C:\Windows\SysWOW64\ntdll.dll!LdrFindResource_U 00000000777f1fdd 5 bytes JMP 00000001005188b0 .text C:\Users\SDRG\AppData\Local\Viber\Viber.exe[2220] C:\Windows\syswow64\KERNELBASE.dll!LoadStringA 00000000755a4b4e 5 bytes JMP 00000001005187c0 .text C:\Users\SDRG\AppData\Local\Viber\Viber.exe[2220] C:\Windows\syswow64\KERNELBASE.dll!LoadStringW 00000000755a4bbb 5 bytes JMP 0000000100518850 .text C:\Users\SDRG\AppData\Roaming\Spotify\spotify.exe[3852] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 00000000777c000c 1 byte [C3] .text C:\Users\SDRG\AppData\Roaming\Spotify\spotify.exe[3852] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 000000007784f8ea 5 bytes JMP 00000001777fd5c1 .text C:\Users\SDRG\AppData\Roaming\Spotify\spotify.exe[3852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751b1465 2 bytes [1B, 75] .text C:\Users\SDRG\AppData\Roaming\Spotify\spotify.exe[3852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751b14bb 2 bytes [1B, 75] .text ... * 2 .text C:\Users\SDRG\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[3792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751b1465 2 bytes [1B, 75] .text C:\Users\SDRG\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[3792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751b14bb 2 bytes [1B, 75] .text ... * 2 .text C:\Users\SDRG\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[1296] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751b1465 2 bytes [1B, 75] .text C:\Users\SDRG\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[1296] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751b14bb 2 bytes [1B, 75] .text ... * 2 .text C:\Users\SDRG\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751b1465 2 bytes [1B, 75] .text C:\Users\SDRG\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[2184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751b14bb 2 bytes [1B, 75] .text ... * 2 .text C:\Users\SDRG\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[2656] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751b1465 2 bytes [1B, 75] .text C:\Users\SDRG\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[2656] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751b14bb 2 bytes [1B, 75] .text ... * 2 .text C:\Users\SDRG\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[2668] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751b1465 2 bytes [1B, 75] .text C:\Users\SDRG\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[2668] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751b14bb 2 bytes [1B, 75] .text ... * 2 .text C:\Users\SDRG\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751b1465 2 bytes [1B, 75] .text C:\Users\SDRG\AppData\Roaming\Spotify\Data\SpotifyHelper.exe[3076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751b14bb 2 bytes [1B, 75] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010d8e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010d8c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010d9614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010d9a10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010d986c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdePort0 fffffa80039ac2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-7 fffffa80039ac2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80039ac2c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80039ac2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 fffffa80039ac2c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80039ac2c0 Device \Driver\a2tozeog \Device\Scsi\a2tozeog1Port4Path0Target0Lun0 fffffa8004e3a2c0 Device \Driver\a2tozeog \Device\Scsi\a2tozeog1 fffffa8004e3a2c0 Device \FileSystem\Ntfs \Ntfs fffffa8003a642c0 Device \Driver\USBSTOR \Device\0000007a fffffa80055f82c0 Device \Driver\USBSTOR \Device\00000078 fffffa80055f82c0 Device \Driver\usbehci \Device\USBPDO-5 fffffa8004c602c0 Device \Driver\usbohci \Device\USBFDO-3 fffffa8004c6f2c0 Device \Driver\usbohci \Device\USBPDO-1 fffffa8004c6f2c0 Device \Driver\cdrom \Device\CdRom0 fffffa80049b12c0 Device \Driver\cdrom \Device\CdRom1 fffffa80049b12c0 Device \Driver\USBSTOR \Device\0000007b fffffa80055f82c0 Device \Driver\USBSTOR \Device\00000079 fffffa80055f82c0 Device \Driver\usbohci \Device\USBFDO-4 fffffa8004c6f2c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa8004c6f2c0 Device \Driver\usbohci \Device\USBPDO-2 fffffa8004c6f2c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa8004e3f2c0 Device \Driver\atapi \Device\Dev_fffffa80048d7060 fffffa80052a8878 Device \Driver\USBSTOR -> DriverStartIo \Device\Dev_fffffa80056d7a30 fffffa80051d49c4 Device \Driver\USBSTOR \Device\Dev_fffffa80056d7a30 fffffa80051e6578 Device \Driver\NetBT \Device\NetBT_Tcpip_{9D2CF53F-ACF2-4DDE-BA44-8B66E43FC1B3} fffffa8004b452c0 Device \Driver\usbehci \Device\USBFDO-5 fffffa8004c602c0 Device \Driver\usbohci \Device\USBPDO-3 fffffa8004c6f2c0 Device \Driver\usbohci \Device\USBFDO-1 fffffa8004c6f2c0 Device \Driver\USBSTOR -> DriverStartIo \Device\Dev_fffffa80056d9060 fffffa80051d49c4 Device \Driver\USBSTOR \Device\Dev_fffffa80056d9060 fffffa80051e6578 Device \Driver\USBSTOR -> DriverStartIo \Device\Dev_fffffa80056ce970 fffffa80051d49c4 Device \Driver\USBSTOR \Device\Dev_fffffa80056ce970 fffffa80051e6578 Device \Driver\USBSTOR -> DriverStartIo \Device\Dev_fffffa80056d8b60 fffffa80051d49c4 Device \Driver\USBSTOR \Device\Dev_fffffa80056d8b60 fffffa80051e6578 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004b452c0 Device \Driver\USBSTOR \Device\00000077 fffffa80055f82c0 Device \Driver\usbohci \Device\USBPDO-4 fffffa8004c6f2c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80039ac2c0 Device \Driver\usbohci \Device\USBFDO-2 fffffa8004c6f2c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa8004c6f2c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80039ac2c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80039ac2c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80039ac2c0 Device \Driver\a2tozeog \Device\ScsiPort4 fffffa8004e3a2c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\a2tozeog.SYS fffff88004098000-fffff880040e9000 (331776 bytes) ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [1800:1660] 000007fef8d44094 Thread C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [1800:1736] 000007fef8d44094 Thread C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [1800:1936] 000007fef6d0bc60 ---- Processes - GMER 2.1 ---- Library C:\Program Files (x86)\HDD Health\hddhealth.exe (*** suspicious ***) @ C:\Program Files (x86)\HDD Health\hddhealth.exe [2220] 0000000000400000 ---- EOF - GMER 2.1 ----