GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-09 14:13:56
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Maxtor_6E030L0 rev.NAR61590 28,64GB
Running: jhnmqgsg.exe; Driver: C:\Users\Dawid\AppData\Local\Temp\pxtyypod.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1508] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074de1465 2 bytes [DE, 74]
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1508] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074de14bb 2 bytes [DE, 74]
.text ... * 2

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001020e94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001020c38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001021614] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001021a10] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800102186c] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Devices - GMER 2.1 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80024902c0
Device \Driver\atapi \Device\Ide\IdePort0 fffffa80024902c0
Device \Driver\atapi \Device\Ide\IdePort1 fffffa80024902c0
Device \Driver\a67hvsux \Device\Scsi\a67hvsux1 fffffa80037382c0
Device \Driver\a67hvsux \Device\Scsi\a67hvsux1Port2Path0Target0Lun0 fffffa80037382c0
Device \FileSystem\Ntfs \Ntfs fffffa80024942c0
Device \FileSystem\fastfat \Fat fffffa80041f02c0
Device \Driver\usbehci \Device\USBPDO-5 fffffa80037752c0
Device \Driver\usbohci \Device\USBFDO-3 fffffa80036fd2c0
Device \Driver\usbohci \Device\USBPDO-1 fffffa80036fd2c0
Device \Driver\cdrom \Device\CdRom0 fffffa8003e1b2c0
Device \Driver\usbohci \Device\USBFDO-4 fffffa80036fd2c0
Device \Driver\usbohci \Device\USBFDO-0 fffffa80036fd2c0
Device \Driver\usbohci \Device\USBPDO-2 fffffa80036fd2c0
Device \Driver\usbehci \Device\USBFDO-5 fffffa80037752c0
Device \Driver\usbohci \Device\USBPDO-3 fffffa80036fd2c0
Device \Driver\usbohci \Device\USBFDO-1 fffffa80036fd2c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{1A48A4E9-86DF-4E0D-B9DE-16950207A99D} fffffa80034e12c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{BC004F94-C790-4292-89E0-42849B0CEB68} fffffa80034e12c0
Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80034e12c0
Device \Driver\usbohci \Device\USBPDO-4 fffffa80036fd2c0
Device \Driver\atapi \Device\ScsiPort0 fffffa80024902c0
Device \Driver\usbohci \Device\USBFDO-2 fffffa80036fd2c0
Device \Driver\usbohci \Device\USBPDO-0 fffffa80036fd2c0
Device \Driver\atapi \Device\ScsiPort1 fffffa80024902c0
Device \Driver\a67hvsux \Device\ScsiPort2 fffffa80037382c0

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80024902c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa80024902c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80033db060] fffffa80033db060
Trace 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> [0xfffffa8002f07520] fffffa8002f07520
Trace 5 ACPI.sys[fffff880011477a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8002f0d060] fffffa8002f0d060
Trace \Driver\atapi[0xfffffa8002ef53f0] -> IRP_MJ_CREATE -> 0xfffffa80024902c0 fffffa80024902c0

---- Modules - GMER 2.1 ----

Module \SystemRoot\System32\Drivers\a67hvsux.SYS fffff8800178b000-fffff880017dc000 (331776 bytes)

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\svchost.exe [880:1204] 000007fefa521a50
Thread C:\Windows\system32\svchost.exe [880:1884] 000007fefadb818c
Thread C:\Windows\system32\svchost.exe [880:2280] 000007fef729506c
Thread C:\Windows\system32\svchost.exe [880:2312] 000007fef84e1c20
Thread C:\Windows\system32\svchost.exe [880:2336] 000007fef84e1c20
Thread C:\Windows\system32\svchost.exe [880:4660] 000007fef9905124
Thread C:\Windows\system32\svchost.exe [880:4364] 000007fef7d51ab0
Thread C:\Windows\system32\svchost.exe [880:3080] 000007fefa3f4164
Thread C:\Windows\system32\svchost.exe [1080:1140] 000007fefa91341c
Thread C:\Windows\system32\svchost.exe [1080:1144] 000007fefa913a2c
Thread C:\Windows\system32\svchost.exe [1080:1148] 000007fefa913768
Thread C:\Windows\system32\svchost.exe [1080:1152] 000007fefa915c20
Thread C:\Windows\system32\svchost.exe [1080:1808] 000007fef9a8bd88
Thread C:\Windows\system32\svchost.exe [1080:2460] 000007fef7495170
Thread C:\Windows\system32\svchost.exe [1080:3760] 000007fefa913900
Thread C:\Windows\system32\svchost.exe [1080:3232] 000007fef9905124
Thread C:\Windows\system32\svchost.exe [1260:1708] 000007fef9ff35c0
Thread C:\Windows\system32\svchost.exe [1260:2132] 000007fef9ff5600
Thread C:\Windows\system32\svchost.exe [1260:2232] 000007fef7902940
Thread C:\Windows\system32\svchost.exe [1260:3004] 000007fef73d2888
Thread C:\Windows\system32\svchost.exe [1648:328] 000007fef5935f1c
Thread C:\Windows\system32\svchost.exe [1648:3252] 000007fef3b88470
Thread C:\Windows\system32\svchost.exe [1648:3224] 000007fef3b92418
Thread C:\Windows\system32\svchost.exe [1648:1184] 000007fef9905124
Thread C:\Windows\system32\svchost.exe [1648:5012] 000007fef3b9976c
Thread C:\Windows\system32\svchost.exe [1648:2104] 000007fef9909874
Thread C:\Windows\system32\svchost.exe [1800:1820] 000007fefeaea808
Thread C:\Windows\system32\svchost.exe [1800:1852] 000007fef98a7130
Thread C:\Windows\system32\svchost.exe [1800:1856] 000007fef989d5c0
Thread C:\Windows\System32\svchost.exe [2400:2524] 000007fef7449688
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3176:3272] 000007fef6eb2a7c
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3176:3584] 000007fef9905124
Thread C:\Windows\system32\taskhost.exe [4580:3640] 000007fef7e0ef24

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000a3a5adfe3
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000a3a5adfe3@0808c2b6bcd2 0xCB 0x83 0x32 0x51 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE0 0xA1 0xA4 0x52 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x8A 0x9F 0x2F 0xAD ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x2E 0xA0 0xFD 0xA3 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000a3a5adfe3 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000a3a5adfe3@0808c2b6bcd2 0xCB 0x83 0x32 0x51 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE0 0xA1 0xA4 0x52 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x8A 0x9F 0x2F 0xAD ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x2E 0xA0 0xFD 0xA3 ...

---- Files - GMER 2.1 ----

File C:\Users\Dawid\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\374A.tmp 0 bytes
File C:\Users\Dawid\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\374B.tmp 0 bytes
File C:\Users\Dawid\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\374C.tmp 0 bytes
File C:\Users\Dawid\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\374D.tmp 28134 bytes
File C:\Users\Dawid\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\378E.tmp 28134 bytes
File C:\Users\Dawid\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\37BF.tmp 28134 bytes
File C:\System Volume Information\Chkdsk 0 bytes
File C:\System Volume Information\Chkdsk\Chkdsk20150212074636.log 35840 bytes
File C:\System Volume Information\MountPointManagerRemoteDatabase 0 bytes
File C:\System Volume Information\SPP 0 bytes
File C:\System Volume Information\SPP\OnlineMetadataCache 0 bytes
File C:\System Volume Information\SPP\OnlineMetadataCache\{e68780ed-2eb3-429e-b2de-d6b17236c80f}_OnDiskSnapshotProp 4088 bytes
File C:\System Volume Information\SPP\SppCbsHiveStore 0 bytes
File C:\System Volume Information\SPP\SppGroupCache 0 bytes
File C:\System Volume Information\SPP\SppGroupCache\{E68780ED-2EB3-429E-B2DE-D6B17236C80F}_DriverPackageInfo 58152 bytes
File C:\System Volume Information\Syscache.hve 14155776 bytes
File C:\System Volume Information\Syscache.hve.LOG1 262144 bytes
File C:\System Volume Information\Syscache.hve.LOG2 0 bytes
File C:\System Volume Information\tracking.log 20480 bytes
File C:\System Volume Information\Windows Backup 0 bytes
File C:\System Volume Information\Windows Backup\Catalogs 0 bytes
File C:\System Volume Information\Windows Backup\Catalogs\GlobalCatalog.wbcat 136 bytes
File C:\System Volume Information\Windows Backup\Catalogs\GlobalCatalogLock.dat 0 bytes
File C:\System Volume Information\WindowsImageBackup 0 bytes
File C:\System Volume Information\WindowsImageBackup\SPPMetadataCache 0 bytes
File C:\Windows\CSC\v2.0.6\namespace 0 bytes
File C:\Windows\CSC\v2.0.6\pq 64 bytes
File C:\Windows\CSC\v2.0.6\sm 4 bytes
File C:\Windows\CSC\v2.0.6\temp 0 bytes
File C:\Windows\CSC\v2.0.6\temp\ea-{a6dedf66-c921-11dc-992d-f86f5aaead1f} 0 bytes
File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl 72 bytes
File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl 72 bytes
File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl 72 bytes
File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl 72 bytes
File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTkerberos.etl 4304 bytes
File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl 0 bytes
File C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl 72 bytes

---- EOF - GMER 2.1 ----