GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-02-12 23:35:12 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 HITACHI_ rev.JE3Z 465,76GB Running: thr0ohz8.exe; Driver: C:\Users\Pit\AppData\Local\Temp\uxtdapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1540] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076e98791 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1540] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000075cd1401 2 bytes JMP 76ebb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1540] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000075cd1419 2 bytes JMP 76ebb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1540] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000075cd1431 2 bytes JMP 76f38ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1540] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000075cd144a 2 bytes CALL 76e948ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1540] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000075cd14dd 2 bytes JMP 76f387a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1540] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000075cd14f5 2 bytes JMP 76f38978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1540] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000075cd150d 2 bytes JMP 76f38698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1540] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000075cd1525 2 bytes JMP 76f38a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1540] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000075cd153d 2 bytes JMP 76eafca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1540] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000075cd1555 2 bytes JMP 76eb68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1540] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000075cd156d 2 bytes JMP 76f38f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1540] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000075cd1585 2 bytes JMP 76f38ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1540] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000075cd159d 2 bytes JMP 76f3865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1540] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000075cd15b5 2 bytes JMP 76eafd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1540] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000075cd15cd 2 bytes JMP 76ebb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1540] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000075cd16b2 2 bytes JMP 76f38e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1540] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000075cd16bd 2 bytes JMP 76f385f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076ea1409 7 bytes JMP 00000001729d1fa0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076ebb21b 5 bytes JMP 00000001729d1eb0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076f38e24 7 bytes JMP 00000001729d1ea0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076f38ea9 5 bytes JMP 00000001729d1f90 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076f391ff 5 bytes JMP 00000001729d1f20 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076e41d29 5 bytes JMP 00000001729d2730 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076e41dd7 5 bytes JMP 00000001729d2790 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076e42ab1 5 bytes JMP 00000001729d2800 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3252] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076e42d17 5 bytes JMP 00000001729d2980 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3912] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000779ef2e0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3912] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077a19a30 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3912] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 0000000077a294c0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3912] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077a29630 5 bytes JMP 000000016fff0110 .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3912] C:\Windows\system32\kernel32.dll!RegSetValueExA 0000000077a487e0 7 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[3112] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076ea1409 7 bytes JMP 00000001729d1fa0 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[3112] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076ebb21b 5 bytes JMP 00000001729d1eb0 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[3112] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076f38e24 7 bytes JMP 00000001729d1ea0 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[3112] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076f38ea9 5 bytes JMP 00000001729d1f90 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[3112] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076f391ff 5 bytes JMP 00000001729d1f20 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[3112] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076e41d29 5 bytes JMP 00000001729d2730 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[3112] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076e41dd7 5 bytes JMP 00000001729d2790 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[3112] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076e42ab1 5 bytes JMP 00000001729d2800 .text C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe[3112] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076e42d17 5 bytes JMP 00000001729d2980 .text D:\Pobrane\thr0ohz8.exe[3692] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076ea1409 7 bytes JMP 00000001729d1fa0 .text D:\Pobrane\thr0ohz8.exe[3692] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 0000000076ebb21b 5 bytes JMP 00000001729d1eb0 .text D:\Pobrane\thr0ohz8.exe[3692] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076f38e24 7 bytes JMP 00000001729d1ea0 .text D:\Pobrane\thr0ohz8.exe[3692] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076f38ea9 5 bytes JMP 00000001729d1f90 .text D:\Pobrane\thr0ohz8.exe[3692] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076f391ff 5 bytes JMP 00000001729d1f20 .text D:\Pobrane\thr0ohz8.exe[3692] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076e41d29 5 bytes JMP 00000001729d2730 .text D:\Pobrane\thr0ohz8.exe[3692] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076e41dd7 5 bytes JMP 00000001729d2790 .text D:\Pobrane\thr0ohz8.exe[3692] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076e42ab1 5 bytes JMP 00000001729d2800 .text D:\Pobrane\thr0ohz8.exe[3692] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076e42d17 5 bytes JMP 00000001729d2980 .text D:\Pobrane\thr0ohz8.exe[3692] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007725e96b 5 bytes JMP 00000001729d1a20 .text D:\Pobrane\thr0ohz8.exe[3692] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007725eba5 5 bytes JMP 00000001729d1ab0 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800106fe94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800106fc38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001070614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001070a10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800107086c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa80042dd2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa800746a2c0 Device \Driver\cdrom \Device\CdRom0 fffffa80047a72c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{B7EF0052-C093-4208-87EB-7C4405390ABE} fffffa80049a02c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa800746a2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{DF328CF3-05DC-4A9F-BBDF-2260F98352B2} fffffa80049a02c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa800746a2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{03CFECCD-5D16-41A1-AB45-1E11A1779E38} fffffa80049a02c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80049a02c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{1A3AA53D-67E6-43E1-BCCF-130339FCB6A8} fffffa80049a02c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa800746a2c0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9cb70dcf9e42 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x88 0x40 0xB8 0xB4 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\9cb70dcf9e42 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x88 0x40 0xB8 0xB4 ... ---- EOF - GMER 2.1 ----