GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-07-04 20:31:02 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 298,09GB Running: fcbb7i70.exe; Driver: C:\Users\mat\AppData\Local\Temp\uxrirpow.sys ---- User code sections - GMER 2.2 ---- ? C:\Windows\system32\mssprxy.dll [2232] entry point in ".rdata" section 00000000748571e6 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4004] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000774f1401 2 bytes JMP 76deb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4004] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000774f1419 2 bytes JMP 76deb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000774f1431 2 bytes JMP 76e690f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000774f144a 2 bytes CALL 76dc48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4004] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774f14dd 2 bytes JMP 76e689ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4004] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774f14f5 2 bytes JMP 76e68bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4004] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000774f150d 2 bytes JMP 76e688e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4004] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000774f1525 2 bytes JMP 76e68caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4004] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000774f153d 2 bytes JMP 76ddfce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4004] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000774f1555 2 bytes JMP 76de6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4004] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000774f156d 2 bytes JMP 76e691a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4004] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000774f1585 2 bytes JMP 76e68d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4004] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000774f159d 2 bytes JMP 76e688a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4004] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774f15b5 2 bytes JMP 76ddfd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4004] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774f15cd 2 bytes JMP 76deb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4004] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774f16b2 2 bytes JMP 76e6906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4004] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774f16bd 2 bytes JMP 76e68839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4384] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077365be0 13 bytes {MOV R11, 0x7fef9c41b3c; JMP R11} .text C:\Program Files\Mozilla Firefox\firefox.exe[4384] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 0000000077239010 13 bytes {MOV R11, 0x7feed04c864; JMP R11} .text C:\ProgramData\IwinpI\WFini.exe[3488] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000774f1401 2 bytes JMP 76deb263 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\IwinpI\WFini.exe[3488] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000774f1419 2 bytes JMP 76deb38e C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\IwinpI\WFini.exe[3488] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000774f1431 2 bytes JMP 76e690f1 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\IwinpI\WFini.exe[3488] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000774f144a 2 bytes CALL 76dc48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\ProgramData\IwinpI\WFini.exe[3488] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774f14dd 2 bytes JMP 76e689ea C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\IwinpI\WFini.exe[3488] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774f14f5 2 bytes JMP 76e68bc0 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\IwinpI\WFini.exe[3488] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000774f150d 2 bytes JMP 76e688e0 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\IwinpI\WFini.exe[3488] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000774f1525 2 bytes JMP 76e68caa C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\IwinpI\WFini.exe[3488] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000774f153d 2 bytes JMP 76ddfce8 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\IwinpI\WFini.exe[3488] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000774f1555 2 bytes JMP 76de6937 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\IwinpI\WFini.exe[3488] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000774f156d 2 bytes JMP 76e691a9 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\IwinpI\WFini.exe[3488] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000774f1585 2 bytes JMP 76e68d0a C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\IwinpI\WFini.exe[3488] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000774f159d 2 bytes JMP 76e688a4 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\IwinpI\WFini.exe[3488] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774f15b5 2 bytes JMP 76ddfd81 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\IwinpI\WFini.exe[3488] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774f15cd 2 bytes JMP 76deb324 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\IwinpI\WFini.exe[3488] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774f16b2 2 bytes JMP 76e6906c C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\IwinpI\WFini.exe[3488] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774f16bd 2 bytes JMP 76e68839 C:\Windows\syswow64\kernel32.dll .text C:\Users\mat\AppData\Roaming\TSv\TSvr.exe[4136] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000774f1401 2 bytes JMP 76deb263 C:\Windows\syswow64\kernel32.dll .text C:\Users\mat\AppData\Roaming\TSv\TSvr.exe[4136] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000774f1419 2 bytes JMP 76deb38e C:\Windows\syswow64\kernel32.dll .text C:\Users\mat\AppData\Roaming\TSv\TSvr.exe[4136] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000774f1431 2 bytes JMP 76e690f1 C:\Windows\syswow64\kernel32.dll .text C:\Users\mat\AppData\Roaming\TSv\TSvr.exe[4136] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000774f144a 2 bytes CALL 76dc48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\mat\AppData\Roaming\TSv\TSvr.exe[4136] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774f14dd 2 bytes JMP 76e689ea C:\Windows\syswow64\kernel32.dll .text C:\Users\mat\AppData\Roaming\TSv\TSvr.exe[4136] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774f14f5 2 bytes JMP 76e68bc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\mat\AppData\Roaming\TSv\TSvr.exe[4136] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000774f150d 2 bytes JMP 76e688e0 C:\Windows\syswow64\kernel32.dll .text C:\Users\mat\AppData\Roaming\TSv\TSvr.exe[4136] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000774f1525 2 bytes JMP 76e68caa C:\Windows\syswow64\kernel32.dll .text C:\Users\mat\AppData\Roaming\TSv\TSvr.exe[4136] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000774f153d 2 bytes JMP 76ddfce8 C:\Windows\syswow64\kernel32.dll .text C:\Users\mat\AppData\Roaming\TSv\TSvr.exe[4136] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000774f1555 2 bytes JMP 76de6937 C:\Windows\syswow64\kernel32.dll .text C:\Users\mat\AppData\Roaming\TSv\TSvr.exe[4136] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000774f156d 2 bytes JMP 76e691a9 C:\Windows\syswow64\kernel32.dll .text C:\Users\mat\AppData\Roaming\TSv\TSvr.exe[4136] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000774f1585 2 bytes JMP 76e68d0a C:\Windows\syswow64\kernel32.dll .text C:\Users\mat\AppData\Roaming\TSv\TSvr.exe[4136] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000774f159d 2 bytes JMP 76e688a4 C:\Windows\syswow64\kernel32.dll .text C:\Users\mat\AppData\Roaming\TSv\TSvr.exe[4136] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774f15b5 2 bytes JMP 76ddfd81 C:\Windows\syswow64\kernel32.dll .text C:\Users\mat\AppData\Roaming\TSv\TSvr.exe[4136] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774f15cd 2 bytes JMP 76deb324 C:\Windows\syswow64\kernel32.dll .text C:\Users\mat\AppData\Roaming\TSv\TSvr.exe[4136] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774f16b2 2 bytes JMP 76e6906c C:\Windows\syswow64\kernel32.dll .text C:\Users\mat\AppData\Roaming\TSv\TSvr.exe[4136] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774f16bd 2 bytes JMP 76e68839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[1396] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000774f1401 2 bytes JMP 76deb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[1396] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000774f1419 2 bytes JMP 76deb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[1396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000774f1431 2 bytes JMP 76e690f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[1396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000774f144a 2 bytes CALL 76dc48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\SFK\SSFK.exe[1396] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774f14dd 2 bytes JMP 76e689ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[1396] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774f14f5 2 bytes JMP 76e68bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[1396] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000774f150d 2 bytes JMP 76e688e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[1396] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000774f1525 2 bytes JMP 76e68caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[1396] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000774f153d 2 bytes JMP 76ddfce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[1396] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000774f1555 2 bytes JMP 76de6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[1396] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000774f156d 2 bytes JMP 76e691a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[1396] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000774f1585 2 bytes JMP 76e68d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[1396] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000774f159d 2 bytes JMP 76e688a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[1396] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774f15b5 2 bytes JMP 76ddfd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[1396] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774f15cd 2 bytes JMP 76deb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[1396] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774f16b2 2 bytes JMP 76e6906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[1396] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774f16bd 2 bytes JMP 76e68839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000774f1401 2 bytes JMP 76deb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe[1308] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000774f1419 2 bytes JMP 76deb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000774f1431 2 bytes JMP 76e690f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000774f144a 2 bytes CALL 76dc48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe[1308] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774f14dd 2 bytes JMP 76e689ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774f14f5 2 bytes JMP 76e68bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe[1308] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000774f150d 2 bytes JMP 76e688e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000774f1525 2 bytes JMP 76e68caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000774f153d 2 bytes JMP 76ddfce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe[1308] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000774f1555 2 bytes JMP 76de6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000774f156d 2 bytes JMP 76e691a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000774f1585 2 bytes JMP 76e68d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe[1308] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000774f159d 2 bytes JMP 76e688a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774f15b5 2 bytes JMP 76ddfd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774f15cd 2 bytes JMP 76deb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774f16b2 2 bytes JMP 76e6906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe[1308] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774f16bd 2 bytes JMP 76e68839 C:\Windows\syswow64\kernel32.dll ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001004e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001004c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001005654] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001005a50] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010058ac] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.2 ---- Device \FileSystem\Ntfs \Ntfs fffffa8002cd92c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{FC834D69-EA60-458D-B726-16503617480E} fffffa80035912c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa800387e2c0 Device \Driver\cdrom \Device\CdRom0 fffffa80036ea2c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa800387e2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{FADB7CAD-C73A-4FBE-B055-56AFF0FC9BB0} fffffa80035912c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa800387e2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80035912c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa800387e2c0 ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\svchost.exe [988:5024] 000007fef6b44f84 Thread C:\Windows\system32\svchost.exe [988:4896] 000007fef21ad3c8 Thread C:\Windows\system32\svchost.exe [988:4940] 000007fef21ad3c8 Thread C:\Windows\system32\svchost.exe [988:4696] 000007fef21ad3c8 Thread C:\Windows\system32\svchost.exe [988:4892] 000007fef21ad3c8 Thread C:\Windows\system32\svchost.exe [1144:1368] 000007fefcad1a70 Thread C:\Windows\system32\svchost.exe [1144:1404] 000007fefcad1a70 Thread C:\Windows\system32\svchost.exe [1144:1492] 000007fefcad1a70 Thread C:\Windows\system32\svchost.exe [1144:1500] 000007fef9822c70 Thread C:\Windows\system32\svchost.exe [1144:1520] 000007fef982fb40 Thread C:\Windows\system32\svchost.exe [1144:1532] 000007fef9841d20 Thread C:\Windows\system32\svchost.exe [1144:1536] 000007fef982f6f0 Thread C:\Windows\system32\svchost.exe [1144:1904] 000007fef88e35c0 Thread C:\Windows\system32\svchost.exe [1144:2652] 000007fef88e5600 Thread C:\Windows\system32\svchost.exe [1144:2872] 000007fef39c2888 Thread C:\Windows\system32\svchost.exe [1144:4128] 000007fef38b2940 Thread C:\Windows\system32\svchost.exe [1144:5760] 000007fef39c2a40 Thread C:\Windows\System32\spoolsv.exe [1252:1052] 000007fef99b10c8 Thread C:\Windows\System32\spoolsv.exe [1252:1188] 000007fef80b6144 Thread C:\Windows\System32\spoolsv.exe [1252:1204] 000007fef83f5fd0 Thread C:\Windows\System32\spoolsv.exe [1252:1280] 000007fef9993438 Thread C:\Windows\System32\spoolsv.exe [1252:1320] 000007fef83f63ec Thread C:\Windows\System32\spoolsv.exe [1252:1380] 000007fef8195e5c Thread C:\Windows\System32\spoolsv.exe [1252:1352] 000007fef91c5074 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4620:5548] 000007fefb252af4 Thread C:\Windows\System32\svchost.exe [5188:6024] 000007fef04f9688 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x19 0x79 0x83 0xE2 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCA 0x93 0xA1 0x03 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x19 0x79 0x83 0xE2 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCA 0x93 0xA1 0x03 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.2 ---- File C:\Users\mat\AppData\Local\Mozilla\Firefox\Profiles\pa20h5m5.default\cache2\entries\6B48F0EB2250B2FB052DAA113D192EBCF2DDC34F 0 bytes File C:\Users\mat\AppData\Local\Mozilla\Firefox\Profiles\pa20h5m5.default\cache2\entries\A8F95AA7EC4ECC461F975E91522B3C7CA7C4A4A8 0 bytes File C:\Users\mat\AppData\Local\Mozilla\Firefox\Profiles\pa20h5m5.default\cache2\entries\B5CDF9507DDECCCFCFED068774AA1625352AF848 0 bytes File C:\Users\mat\AppData\Local\Mozilla\Firefox\Profiles\pa20h5m5.default\cache2\entries\FCC9567AC5F4759DD7B4DFB2C8766D0A4B04A9DD 0 bytes File C:\Users\mat\AppData\Local\Mozilla\Firefox\Profiles\pa20h5m5.default\cache2\entries\D9EAFA5DA6D1D523BF0F2694BCCB622C581B5556 13924 bytes File C:\Users\mat\AppData\Local\Mozilla\Firefox\Profiles\pa20h5m5.default\cache2\entries\E9CC2B13E7AE2789D8BC41737381FAFB9B4BECC1 0 bytes File C:\Users\mat\AppData\Local\Mozilla\Firefox\Profiles\pa20h5m5.default\cache2\entries\E823CAAFFB4289B9CAEB03B0D3997BD93C5B8026 0 bytes File C:\Users\mat\AppData\Local\Mozilla\Firefox\Profiles\pa20h5m5.default\cache2\entries\675DF4187EB24F5B6C5FDD2DD03D7834D1389A82 56340 bytes ---- EOF - GMER 2.2 ----