GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-04-27 18:12:47
Windows 6.0.6002 Service Pack 2 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500LM012_HN-M500MBB rev.2AR10002 465,76GB
Running: 285zf4vg.exe; Driver: C:\Users\ALEKSA~1\AppData\Local\Temp\pxldypob.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\drivers\PCIIDEX.SYS[ntoskrnl.exe!DbgBreakPoint] [fffffa8004a6c470] [unknown section]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [fffffa60008d9da8] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffffa60008d9e94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffffa60008d9c38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffffa60008da614] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffffa60008daa10] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffffa60008da86c] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\ataport.SYS[ntoskrnl.exe!DbgBreakPoint] [fffffa8004a54470] [unknown section]
IAT C:\Windows\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] [fffffa8006105470] [unknown section]

---- Devices - GMER 2.1 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa8004a702c0
Device \Driver\atapi \Device\Ide\IdePort0 fffffa8004a702c0
Device \Driver\atapi \Device\Ide\IdePort1 fffffa8004a702c0
Device \Driver\atapi \Device\Ide\IdePort2 fffffa8004a702c0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 fffffa8004a702c0
Device \Driver\atapi \Device\Ide\IdePort3 fffffa8004a702c0
Device \FileSystem\Ntfs \Ntfs fffffa8004a722c0
Device \Driver\usbehci \Device\USBFDO-7 fffffa80061802c0
Device \Driver\usbuhci \Device\USBPDO-5 fffffa800618c2c0
Device \Driver\usbehci \Device\USBFDO-3 fffffa80061802c0
Device \Driver\usbuhci \Device\USBPDO-1 fffffa800618c2c0
Device \Driver\iScsiPrt \Device\RaidPort0 fffffa800635d2c0
Device \Driver\cdrom \Device\CdRom0 fffffa80062082c0
Device \Driver\netbt \Device\NetBT_Tcpip_{6CE9E9E4-F5AB-40E2-87E9-45519ADCF4CE} fffffa80070942c0
Device \Driver\usbuhci \Device\USBPDO-6 fffffa800618c2c0
Device \Driver\usbuhci \Device\USBFDO-4 fffffa800618c2c0
Device \Driver\usbuhci \Device\USBFDO-0 fffffa800618c2c0
Device \Driver\usbuhci \Device\USBPDO-2 fffffa800618c2c0
Device \Driver\usbehci \Device\USBPDO-7 fffffa80061802c0
Device \Driver\usbuhci \Device\USBFDO-5 fffffa800618c2c0
Device \Driver\usbehci \Device\USBPDO-3 fffffa80061802c0
Device \Driver\usbuhci \Device\USBFDO-1 fffffa800618c2c0
Device \Driver\USBSTOR \Device\0000006d fffffa80073ca2c0
Device \Driver\netbt \Device\NetBt_Wins_Export fffffa80070942c0
Device \Driver\netbt \Device\NetBT_Tcpip_{BF43EB28-6736-43D5-B2E2-096AE8DBC0B3} fffffa80070942c0
Device \Driver\usbuhci \Device\USBFDO-6 fffffa800618c2c0
Device \Driver\usbuhci \Device\USBPDO-4 fffffa800618c2c0
Device \Driver\atapi \Device\ScsiPort0 fffffa8004a702c0
Device \Driver\usbuhci \Device\USBFDO-2 fffffa800618c2c0
Device \Driver\usbuhci \Device\USBPDO-0 fffffa800618c2c0
Device \Driver\atapi \Device\ScsiPort1 fffffa8004a702c0
Device \Driver\atapi \Device\ScsiPort2 fffffa8004a702c0
Device \Driver\Smb \Device\NetbiosSmb fffffa80073502c0
Device \Driver\atapi \Device\ScsiPort3 fffffa8004a702c0
Device \Driver\iScsiPrt \Device\ScsiPort4 fffffa800635d2c0
Device \Driver\USBSTOR \Device\0000006e fffffa80073ca2c0

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8004a702c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa8004a702c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005dda790] fffffa8005dda790
Trace 3 CLASSPNP.SYS[fffffa6000d34c33] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004bba060] fffffa8004bba060
Trace \Driver\atapi[0xfffffa8004ba88f0] -> IRP_MJ_CREATE -> 0xfffffa8004a702c0 fffffa8004a702c0

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x68 0x58 0x15 0xEE ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x68 0x58 0x15 0xEE ...

---- EOF - GMER 2.1 ----