GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-04-10 10:54:00
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000071 ATA_____ rev.CC47 931,51GB
Running: hjjo8e7c.exe; Driver: C:\Users\PireLLi\AppData\Local\Temp\ugldypoc.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff8800954dd8c 12 bytes {MOV RAX, 0xfffffa800a76c2a0; JMP RAX}

---- User code sections - GMER 2.1 ----

.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2000] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000074e08791 4 bytes [C2, 04, 00, 00]
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2000] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000074b21401 2 bytes JMP 74e2b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2000] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000074b21419 2 bytes JMP 74e2b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2000] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000074b21431 2 bytes JMP 74ea8ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2000] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000074b2144a 2 bytes CALL 74e048ad C:\Windows\syswow64\kernel32.dll
.text ...
 * 9
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2000] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000074b214dd 2 bytes JMP 74ea87a2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2000] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000074b214f5 2 bytes JMP 74ea8978 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2000] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000074b2150d 2 bytes JMP 74ea8698 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2000] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000074b21525 2 bytes JMP 74ea8a62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2000] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000074b2153d 2 bytes JMP 74e1fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2000] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000074b21555 2 bytes JMP 74e268ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2000] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000074b2156d 2 bytes JMP 74ea8f61 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2000] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000074b21585 2 bytes JMP 74ea8ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2000] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000074b2159d 2 bytes JMP 74ea865c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2000] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000074b215b5 2 bytes JMP 74e1fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2000] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000074b215cd 2 bytes JMP 74e2b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2000] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000074b216b2 2 bytes JMP 74ea8e24 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2000] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000074b216bd 2 bytes JMP 74ea85f1 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 0000000071d617fa 2 bytes CALL 74e011a9 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000071d61860 2 bytes CALL 74e011a9 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000071d61942 2 bytes JMP 75477089 C:\Windows\syswow64\WS2_32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 0000000071d6194d 2 bytes JMP 7547cba6 C:\Windows\syswow64\WS2_32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b21401 2 bytes JMP 74e2b21b C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b21419 2 bytes JMP 74e2b346 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b21431 2 bytes JMP 74ea8ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b2144a 2 bytes CALL 74e048ad C:\Windows\syswow64\kernel32.dll
.text ...
 * 9
.text C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b214dd 2 bytes JMP 74ea87a2 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b214f5 2 bytes JMP 74ea8978 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b2150d 2 bytes JMP 74ea8698 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b21525 2 bytes JMP 74ea8a62 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b2153d 2 bytes JMP 74e1fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b21555 2 bytes JMP 74e268ef C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b2156d 2 bytes JMP 74ea8f61 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b21585 2 bytes JMP 74ea8ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b2159d 2 bytes JMP 74ea865c C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b215b5 2 bytes JMP 74e1fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b215cd 2 bytes JMP 74e2b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b216b2 2 bytes JMP 74ea8e24 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b216bd 2 bytes JMP 74ea85f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3560] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076672ab1 5 bytes JMP 0000000101022ac0

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800109df1c] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800109dcc0] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800109e69c] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800109ea98] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800109e8f4] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Devices - GMER 2.1 ----

Device \Driver\azz8adyg \Device\Scsi\azz8adyg1 fffffa800a8c72c0
Device \Driver\azz8adyg \Device\Scsi\azz8adyg1Port1Path0Target0Lun0 fffffa800a8c72c0
Device \FileSystem\Ntfs \Ntfs fffffa80073502c0
Device \Driver\usbehci \Device\USBPDO-1 fffffa800a87d2c0
Device \Driver\iaStorA \Device\00000070 fffffa800734c2c0
Device \Driver\iaStorA \Device\RaidPort0 fffffa800734c2c0
Device \Driver\cdrom \Device\CdRom0 fffffa80097a52c0
Device \Driver\cdrom \Device\CdRom1 fffffa80097a52c0
Device \Driver\cdrom \Device\CdRom2 fffffa80097a52c0
Device \Driver\dtsoftbus01 \Device\00000075 fffffa80098a12c0
Device \Driver\usbehci \Device\USBFDO-0 fffffa800a87d2c0
Device \Driver\iaStorA \Device\00000071 fffffa800734c2c0
Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa80098a12c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{9EF19381-171C-41E1-97FF-DC6892749871} fffffa800a2422c0
Device \Driver\usbehci \Device\USBFDO-1 fffffa800a87d2c0
Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800a2422c0
Device \Driver\iaStorA \Device\ScsiPort0 fffffa800734c2c0
Device \Driver\azz8adyg \Device\ScsiPort1 fffffa800a8c72c0
Device \Driver\usbehci \Device\USBPDO-0 fffffa800a87d2c0

---- Modules - GMER 2.1 ----

Module \SystemRoot\System32\Drivers\azz8adyg.SYS fffff88009776000-fffff880097c7000 (331776 bytes)

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xEC 0x30 0x3D 0x4E ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x16 0xAD 0x29 0xC9 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x92 0xF1 0x94 0x8A ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xEC 0x30 0x3D 0x4E ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x16 0xAD 0x29 0xC9 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x92 0xF1 0x94 0x8A ...

---- EOF - GMER 2.1 ----