GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-02-01 17:18:52 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 KINGSTON_SH103S3120G rev.0953 111,79GB Running: 77pm27v1.exe; Driver: C:\Users\tomicher\AppData\Local\Temp\pfrdrkod.sys ---- User code sections - GMER 2.1 ---- .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075141401 2 bytes JMP 7666b233 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2796] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075141419 2 bytes JMP 7666b35e C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075141431 2 bytes JMP 766e9011 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007514144a 2 bytes CALL 766448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2796] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751414dd 2 bytes JMP 766e890a C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751414f5 2 bytes JMP 766e8ae0 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2796] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007514150d 2 bytes JMP 766e8800 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075141525 2 bytes JMP 766e8bca C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007514153d 2 bytes JMP 7665fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2796] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075141555 2 bytes JMP 76666907 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007514156d 2 bytes JMP 766e90c9 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075141585 2 bytes JMP 766e8c2a C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2796] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007514159d 2 bytes JMP 766e87c4 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751415b5 2 bytes JMP 7665fd59 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751415cd 2 bytes JMP 7666b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751416b2 2 bytes JMP 766e8f8c C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751416bd 2 bytes JMP 766e8759 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[2840] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExW + 17 0000000075141401 2 bytes JMP 7666b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[2840] C:\Windows\syswow64\Psapi.dll!EnumProcessModules + 17 0000000075141419 2 bytes JMP 7666b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[2840] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 17 0000000075141431 2 bytes JMP 766e9011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[2840] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 42 000000007514144a 2 bytes CALL 766448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[2840] C:\Windows\syswow64\Psapi.dll!EnumDeviceDrivers + 17 00000000751414dd 2 bytes JMP 766e890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[2840] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameA + 17 00000000751414f5 2 bytes JMP 766e8ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[2840] C:\Windows\syswow64\Psapi.dll!QueryWorkingSetEx + 17 000000007514150d 2 bytes JMP 766e8800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[2840] C:\Windows\syswow64\Psapi.dll!GetDeviceDriverBaseNameW + 17 0000000075141525 2 bytes JMP 766e8bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[2840] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameW + 17 000000007514153d 2 bytes JMP 7665fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[2840] C:\Windows\syswow64\Psapi.dll!EnumProcesses + 17 0000000075141555 2 bytes JMP 76666907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[2840] C:\Windows\syswow64\Psapi.dll!GetProcessMemoryInfo + 17 000000007514156d 2 bytes JMP 766e90c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[2840] C:\Windows\syswow64\Psapi.dll!GetPerformanceInfo + 17 0000000075141585 2 bytes JMP 766e8c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[2840] C:\Windows\syswow64\Psapi.dll!QueryWorkingSet + 17 000000007514159d 2 bytes JMP 766e87c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[2840] C:\Windows\syswow64\Psapi.dll!GetModuleBaseNameA + 17 00000000751415b5 2 bytes JMP 7665fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[2840] C:\Windows\syswow64\Psapi.dll!GetModuleFileNameExA + 17 00000000751415cd 2 bytes JMP 7666b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[2840] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 20 00000000751416b2 2 bytes JMP 766e8f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[2840] C:\Windows\syswow64\Psapi.dll!GetProcessImageFileNameW + 31 00000000751416bd 2 bytes JMP 766e8759 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2440] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075141401 2 bytes JMP 7666b233 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2440] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075141419 2 bytes JMP 7666b35e C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075141431 2 bytes JMP 766e9011 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007514144a 2 bytes CALL 766448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2440] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751414dd 2 bytes JMP 766e890a C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2440] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751414f5 2 bytes JMP 766e8ae0 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2440] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007514150d 2 bytes JMP 766e8800 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2440] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075141525 2 bytes JMP 766e8bca C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2440] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007514153d 2 bytes JMP 7665fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2440] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075141555 2 bytes JMP 76666907 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2440] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007514156d 2 bytes JMP 766e90c9 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2440] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075141585 2 bytes JMP 766e8c2a C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2440] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007514159d 2 bytes JMP 766e87c4 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2440] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751415b5 2 bytes JMP 7665fd59 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2440] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751415cd 2 bytes JMP 7666b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2440] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751416b2 2 bytes JMP 766e8f8c C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2440] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751416bd 2 bytes JMP 766e8759 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2808] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075141401 2 bytes JMP 7666b233 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2808] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075141419 2 bytes JMP 7666b35e C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075141431 2 bytes JMP 766e9011 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007514144a 2 bytes CALL 766448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2808] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751414dd 2 bytes JMP 766e890a C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2808] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751414f5 2 bytes JMP 766e8ae0 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2808] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007514150d 2 bytes JMP 766e8800 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2808] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075141525 2 bytes JMP 766e8bca C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2808] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007514153d 2 bytes JMP 7665fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2808] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075141555 2 bytes JMP 76666907 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2808] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007514156d 2 bytes JMP 766e90c9 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2808] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075141585 2 bytes JMP 766e8c2a C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2808] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007514159d 2 bytes JMP 766e87c4 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2808] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751415b5 2 bytes JMP 7665fd59 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2808] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751415cd 2 bytes JMP 7666b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2808] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751416b2 2 bytes JMP 766e8f8c C:\Windows\syswow64\kernel32.dll .text C:\Users\tomicher\AppData\Roaming\Spotify\Spotify.exe[2808] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751416bd 2 bytes JMP 766e8759 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Magic Mouse Utilities\MagicMouseUtilities.exe[3312] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 000000007770000c 1 byte [C3] .text C:\Program Files (x86)\Magic Mouse Utilities\MagicMouseUtilities.exe[3312] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 000000007778fbaa 5 bytes JMP 0000000177749c63 .text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[3664] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075141401 2 bytes JMP 7666b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[3664] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075141419 2 bytes JMP 7666b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[3664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075141431 2 bytes JMP 766e9011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[3664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007514144a 2 bytes CALL 766448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[3664] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751414dd 2 bytes JMP 766e890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[3664] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751414f5 2 bytes JMP 766e8ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[3664] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007514150d 2 bytes JMP 766e8800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[3664] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075141525 2 bytes JMP 766e8bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[3664] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007514153d 2 bytes JMP 7665fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[3664] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075141555 2 bytes JMP 76666907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[3664] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007514156d 2 bytes JMP 766e90c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[3664] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075141585 2 bytes JMP 766e8c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[3664] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007514159d 2 bytes JMP 766e87c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[3664] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751415b5 2 bytes JMP 7665fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[3664] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751415cd 2 bytes JMP 7666b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[3664] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751416b2 2 bytes JMP 766e8f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe[3664] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751416bd 2 bytes JMP 766e8759 C:\Windows\syswow64\kernel32.dll ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001007e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001007c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001008654] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001008a50] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010088ac] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa800638d2c0 Device \Driver\atapi \Device\Ide\IdePort4 fffffa800638d2c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa800638d2c0 Device \Driver\atapi \Device\Ide\IdePort5 fffffa800638d2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa800638d2c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa800638d2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-9 fffffa800638d2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-3 fffffa800638d2c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa800638d2c0 Device \Driver\apk5jlm2 \Device\Scsi\apk5jlm21 fffffa8006e772c0 Device \Driver\apk5jlm2 \Device\Scsi\apk5jlm21Port6Path0Target0Lun0 fffffa8006e772c0 Device \FileSystem\Ntfs \Ntfs fffffa80063912c0 Device \FileSystem\fastfat \Fat fffffa80081692c0 Device \Driver\usbehci \Device\USBFDO-7 fffffa8006dda2c0 Device \Driver\USBSTOR \Device\00000078 fffffa80071452c0 Device \Driver\usbuhci \Device\USBPDO-5 fffffa8006dba2c0 Device \Driver\usbehci \Device\USBFDO-3 fffffa8006dda2c0 Device \Driver\usbuhci \Device\USBPDO-1 fffffa8006dba2c0 Device \Driver\USBSTOR \Device\00000074 fffffa80071452c0 Device \Driver\cdrom \Device\CdRom0 fffffa8006bd52c0 Device \Driver\cdrom \Device\CdRom1 fffffa8006bd52c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{8BF5A442-65E9-479E-B892-498050F6F8AE} fffffa8006bfd2c0 Device \Driver\cdrom \Device\CdRom2 fffffa8006bd52c0 Device \Driver\dtsoftbus01 \Device\00000065 fffffa8006b3c2c0 Device \Driver\usbuhci \Device\USBPDO-6 fffffa8006dba2c0 Device \Driver\usbuhci \Device\USBFDO-4 fffffa8006dba2c0 Device \Driver\USBSTOR \Device\00000075 fffffa80071452c0 Device \Driver\usbuhci \Device\USBFDO-0 fffffa8006dba2c0 Device \Driver\usbuhci \Device\USBPDO-2 fffffa8006dba2c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa8006b3c2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{D8E02A64-5BAF-4807-80C1-DC532C0CE626} fffffa8006bfd2c0 Device \Driver\usbehci \Device\USBPDO-7 fffffa8006dda2c0 Device \Driver\usbuhci \Device\USBFDO-5 fffffa8006dba2c0 Device \Driver\USBSTOR \Device\00000076 fffffa80071452c0 Device \Driver\usbehci \Device\USBPDO-3 fffffa8006dda2c0 Device \Driver\usbuhci \Device\USBFDO-1 fffffa8006dba2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8006bfd2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{2AC81CD2-9270-4917-91FB-2F50E186AB5B} fffffa8006bfd2c0 Device \Driver\usbuhci \Device\USBFDO-6 fffffa8006dba2c0 Device \Driver\USBSTOR \Device\00000077 fffffa80071452c0 Device \Driver\usbuhci \Device\USBPDO-4 fffffa8006dba2c0 Device \Driver\atapi \Device\ScsiPort0 fffffa800638d2c0 Device \Driver\usbuhci \Device\USBFDO-2 fffffa8006dba2c0 Device \Driver\usbuhci \Device\USBPDO-0 fffffa8006dba2c0 Device \Driver\atapi \Device\ScsiPort1 fffffa800638d2c0 Device \Driver\atapi \Device\ScsiPort2 fffffa800638d2c0 Device \Driver\atapi \Device\ScsiPort3 fffffa800638d2c0 Device \Driver\atapi \Device\ScsiPort4 fffffa800638d2c0 Device \Driver\atapi \Device\ScsiPort5 fffffa800638d2c0 Device \Driver\apk5jlm2 \Device\ScsiPort6 fffffa8006e772c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800638d2c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa800638d2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006aab790] fffffa8006aab790 Trace 3 CLASSPNP.SYS[fffff880013cd43f] -> nt!IofCallDriver -> [0xfffffa8006844670] fffffa8006844670 Trace 5 ACPI.sys[fffff8800112c7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8006858060] fffffa8006858060 Trace \Driver\atapi[0xfffffa8006838060] -> IRP_MJ_CREATE -> 0xfffffa800638d2c0 fffffa800638d2c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\apk5jlm2.SYS fffff8800739f000-fffff880073f0000 (331776 bytes) ---- Processes - GMER 2.1 ---- Library C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6062B6C3-2B17-4B7C-983D-0F433FE62E40}\offreg.792.dll (*** suspicious ***) @ C:\Program Files\Microsoft Security Client\MsMpEng.exe [792](2016-02-01 14:00:30) 000007fef9690000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001986000a4b Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001986000a4b@001f5bf9d50d 0x7F 0x5F 0xA1 0xD2 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001986000a4b@78ca39f760f3 0x7F 0xBA 0xB5 0x53 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xD7 0x43 0x98 0x66 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x17 0xBB 0x3D 0x93 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x01 0x74 0x65 0x96 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xB1 0x25 0xC7 0xB6 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001986000a4b (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001986000a4b@001f5bf9d50d 0x7F 0x5F 0xA1 0xD2 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001986000a4b@78ca39f760f3 0x7F 0xBA 0xB5 0x53 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xD7 0x43 0x98 0x66 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x17 0xBB 0x3D 0x93 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x01 0x74 0x65 0x96 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xB1 0x25 0xC7 0xB6 ... ---- Files - GMER 2.1 ---- File C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-7bd564d1.exe (size mismatch) 11403264/0 bytes executable ---- EOF - GMER 2.1 ----