GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-05-26 19:37:49 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PB4O 465,76GB Running: q2tvhbsr.exe; Driver: C:\Users\Piter\AppData\Local\Temp\kgloapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\SysWOW64\PnkBstrA.exe[2880] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000747f17fa 2 bytes CALL 76b311a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2880] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 00000000747f1860 2 bytes CALL 76b311a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2880] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 00000000747f1942 2 bytes JMP 76c57089 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2880] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 00000000747f194d 2 bytes JMP 76c5cba6 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\System32\rpcnetp.exe[2908] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007721fc80 5 bytes JMP 000000010039012a .text C:\Windows\System32\rpcnetp.exe[2908] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007721fcb0 5 bytes JMP 0000000100390bc2 .text C:\Windows\System32\rpcnetp.exe[2908] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007721fe14 5 bytes JMP 0000000100390048 .text C:\Windows\System32\rpcnetp.exe[2908] C:\Windows\SysWOW64\ntdll.dll!NtReadVirtualMemory 000000007721fe90 5 bytes JMP 0000000100390e68 .text C:\Windows\System32\rpcnetp.exe[2908] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007721fea8 5 bytes JMP 0000000100390594 .text C:\Windows\System32\rpcnetp.exe[2908] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007721ff24 5 bytes JMP 0000000100390f4a .text C:\Windows\System32\rpcnetp.exe[2908] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077220004 5 bytes JMP 0000000100390758 .text C:\Windows\System32\rpcnetp.exe[2908] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077220038 5 bytes JMP 0000000100390ca4 .text C:\Windows\System32\rpcnetp.exe[2908] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077220068 5 bytes JMP 0000000100390d86 .text C:\Windows\System32\rpcnetp.exe[2908] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077220084 5 bytes JMP 0000000100020050 .text C:\Windows\System32\rpcnetp.exe[2908] C:\Windows\SysWOW64\ntdll.dll!NtAlertResumeThread 00000000772202e8 5 bytes JMP 000000010039020c .text C:\Windows\System32\rpcnetp.exe[2908] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007722079c 5 bytes JMP 00000001003903d0 .text C:\Windows\System32\rpcnetp.exe[2908] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007722088c 5 bytes JMP 00000001003909fe .text C:\Windows\System32\rpcnetp.exe[2908] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772208a4 2 bytes JMP 000000010039091c .text C:\Windows\System32\rpcnetp.exe[2908] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 3 00000000772208a7 2 bytes [17, 89] .text C:\Windows\System32\rpcnetp.exe[2908] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077220df4 5 bytes JMP 0000000100390676 .text C:\Windows\System32\rpcnetp.exe[2908] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx 00000000772215d4 5 bytes JMP 00000001003902ee .text C:\Windows\System32\rpcnetp.exe[2908] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077221920 5 bytes JMP 000000010039083a .text C:\Windows\System32\rpcnetp.exe[2908] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077221be4 5 bytes JMP 0000000100390ae0 .text C:\Windows\System32\rpcnetp.exe[2908] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077221d70 5 bytes JMP 00000001003904b2 .text C:\Windows\System32\rpcnetp.exe[2908] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075e115ea 7 bytes JMP 00000001003a0930 .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007721fc80 5 bytes JMP 00000001002a012a .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007721fcb0 5 bytes JMP 00000001002a0bc2 .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007721fe14 5 bytes JMP 00000001002a0048 .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtReadVirtualMemory 000000007721fe90 5 bytes JMP 00000001002a0e68 .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007721fea8 5 bytes JMP 00000001002a0594 .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread 000000007721ff24 5 bytes JMP 00000001002a0f4a .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077220004 5 bytes JMP 00000001002a0758 .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077220038 5 bytes JMP 00000001002a0ca4 .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077220068 5 bytes JMP 00000001002a0d86 .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077220084 5 bytes JMP 0000000100020050 .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtAlertResumeThread 00000000772202e8 5 bytes JMP 00000001002a020c .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007722079c 5 bytes JMP 00000001002a03d0 .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007722088c 5 bytes JMP 00000001002a09fe .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000772208a4 2 bytes JMP 00000001002a091c .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 3 00000000772208a7 2 bytes [08, 89] .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077220df4 5 bytes JMP 00000001002a0676 .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx 00000000772215d4 5 bytes JMP 00000001002a02ee .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077221920 5 bytes JMP 00000001002a083a .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077221be4 5 bytes JMP 00000001002a0ae0 .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077221d70 5 bytes JMP 00000001002a04b2 .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007609524f 7 bytes JMP 00000001002b03d8 .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000760953d0 7 bytes JMP 00000001002b0684 .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000076095677 7 bytes JMP 00000001002b04bc .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007609589a 7 bytes JMP 00000001002b012c .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000076095a1d 7 bytes JMP 00000001002b084c .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000076095c9b 7 bytes JMP 00000001002b05a0 .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000076095d87 7 bytes JMP 00000001002b0768 .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000076097240 7 bytes JMP 00000001002b02f4 .text C:\Users\Piter\Desktop\q2tvhbsr.exe[3692] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000075e115ea 7 bytes JMP 00000001002b0930 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010b5e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010b5c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010b6614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010b6a10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010b686c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\JMCR \Device\Scsi\JMCR3Port3Path0TargetffLun0 fffffa8003b6a2c0 Device \Driver\JMCR \Device\Scsi\JMCR2Port2Path0TargetffLun0 fffffa8003b6a2c0 Device \Driver\JMCR \Device\Scsi\JMCR4Port4Path0TargetffLun0 fffffa8003b6a2c0 Device \Driver\JMCR \Device\Scsi\JMCR1Port1Path0TargetffLun0 fffffa8003b6a2c0 Device \Driver\alifizhm \Device\Scsi\alifizhm1 fffffa80085c12c0 Device \FileSystem\Ntfs \Ntfs fffffa80044af2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{DFE92520-E91B-4294-B60A-5827CBB41527} fffffa8006d222c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80084a32c0 Device \Driver\cdrom \Device\CdRom0 fffffa8006c432c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{728D0897-8147-4E74-A9FB-B695E584A387} fffffa8006d222c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa80084a32c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa80086732c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{49B0B34D-E562-463E-8FB1-318853C2209C} fffffa8006d222c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80084a32c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8006d222c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa80084a32c0 Device \Driver\alifizhm \Device\ScsiPort5 fffffa80085c12c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\alifizhm.SYS fffff88000da8000-fffff88000df9000 (331776 bytes) ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x31 0x4D 0x24 0x36 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x93 0x75 0xAF 0x92 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF4 0x12 0x1A 0xB8 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x31 0x4D 0x24 0x36 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x93 0x75 0xAF 0x92 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF4 0x12 0x1A 0xB8 ... ---- Files - GMER 2.1 ---- File C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.0.18\NCW\ncwmrc.db-journal 0 bytes ---- EOF - GMER 2.1 ----