GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-12 14:08:58
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST350041 rev.JC4B 465,76GB
Running: xlm2tf31.exe; Driver: C:\Users\Marek\AppData\Local\Temp\ugloypow.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076981465 2 bytes [98, 76]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769814bb 2 bytes [98, 76]
.text ... * 2
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076981465 2 bytes [98, 76]
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769814bb 2 bytes [98, 76]
.text ... * 2
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076981465 2 bytes [98, 76]
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769814bb 2 bytes [98, 76]
.text ... * 2
.text C:\Users\Marek\AppData\Local\Akamai\netsession_win.exe[2860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076981465 2 bytes [98, 76]
.text C:\Users\Marek\AppData\Local\Akamai\netsession_win.exe[2860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769814bb 2 bytes [98, 76]
.text ... * 2
.text C:\Windows\SysWOW64\PnkBstrA.exe[3700] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000070eb1a22 2 bytes {JMP 0x72}
.text C:\Windows\SysWOW64\PnkBstrA.exe[3700] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000070eb1ad0 2 bytes {JMP 0x72}
.text C:\Windows\SysWOW64\PnkBstrA.exe[3700] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000070eb1b08 2 bytes {JMP 0x72}
.text C:\Windows\SysWOW64\PnkBstrA.exe[3700] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000070eb1bba 2 bytes {JMP 0x72}
.text C:\Windows\SysWOW64\PnkBstrA.exe[3700] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000070eb1bda 2 bytes {JMP 0x72}
.text C:\Windows\SysWOW64\PnkBstrA.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076981465 2 bytes [98, 76]
.text C:\Windows\SysWOW64\PnkBstrA.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769814bb 2 bytes [98, 76]
.text ... * 2
.text C:\Users\Marek\AppData\Local\Akamai\netsession_win.exe[4476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076981465 2 bytes [98, 76]
.text C:\Users\Marek\AppData\Local\Akamai\netsession_win.exe[4476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769814bb 2 bytes [98, 76]
.text ... * 2

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88000ed6e94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88000ed6c38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88000ed7614] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88000ed7a10] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff88000ed786c] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Devices - GMER 2.1 ----

Device \FileSystem\Ntfs \Ntfs fffffa80073382c0
Device \Driver\usbehci \Device\USBPDO-1 fffffa800a6862c0
Device \Driver\cdrom \Device\CdRom0 fffffa8007b962c0
Device \Driver\cdrom \Device\CdRom1 fffffa8007b962c0
Device \Driver\usbehci \Device\USBFDO-0 fffffa800a6862c0
Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa800a2752c0
Device \Driver\dtsoftbus01 \Device\00000081 fffffa800a2752c0
Device \Driver\usbehci \Device\USBFDO-1 fffffa800a6862c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{0CA01E67-FC63-4E42-BEB4-DDB63A911A77} fffffa800a2902c0
Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800a2902c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{011C4E1F-9626-4FC8-8C59-2BC2C57BAFCA} fffffa800a2902c0
Device \Driver\usbehci \Device\USBPDO-0 fffffa800a6862c0

---- Threads - GMER 2.1 ----

Thread System [4:5280] fffff8800de61214
Thread System [4:2852] fffff8800de6c39c
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3016:1648] 000007fefb1f2bf8
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3016:5844] 000007fee3edd618
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3016:5980] 000007fef9b85124

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026833328be
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026833328be@38ece47e8c67 0x95 0x45 0xC8 0x34 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026833328be@a816b221a066 0x8C 0x9A 0x5C 0xD8 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026833328be@2cd2e724ff39 0x81 0x89 0x5F 0x4A ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026833328be@e4ec10796f85 0xD9 0x7E 0x23 0x68 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x16 0x3E 0x08 0xFE ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files (x86)\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xBF 0x84 0xB0 0x07 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC2 0x71 0x11 0x2E ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x21 0x5E 0x32 0xCB ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026833328be (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026833328be@38ece47e8c67 0x95 0x45 0xC8 0x34 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026833328be@a816b221a066 0x8C 0x9A 0x5C 0xD8 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026833328be@2cd2e724ff39 0x81 0x89 0x5F 0x4A ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026833328be@e4ec10796f85 0xD9 0x7E 0x23 0x68 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x16 0x3E 0x08 0xFE ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files (x86)\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xBF 0x84 0xB0 0x07 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC2 0x71 0x11 0x2E ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x21 0x5E 0x32 0xCB ...

---- Files - GMER 2.1 ----

File C:\Users\Marek\AppData\Local\Mozilla\Firefox\Profiles\u672s3gb.default-1425499287904\cache2\entries\DCA1F6A9F4F1DB19A9F362F1716386ABA265D4F4 0 bytes
File C:\Users\Marek\AppData\Local\Mozilla\Firefox\Profiles\u672s3gb.default-1425499287904\cache2\entries\89F2E369D1A2768AF14DEBF1F650C83ADA257D8E 900 bytes
File C:\Users\Marek\AppData\Local\Mozilla\Firefox\Profiles\u672s3gb.default-1425499287904\cache2\entries\A2C91963615DF7F3488EF41B6674A48A050D09A8 2130 bytes

---- EOF - GMER 2.1 ----