GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-09-23 05:43:52 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000067 ST950032 rev.0011 465.76GB Running: 7r2hdftk.exe; Driver: C:\Users\Media\AppData\Local\Temp\pwrdikob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031ee000 45 bytes [00, 00, 16, 02, 4E, 74, 66, ...] INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800031ee02f 10 bytes [00, 01, 00, 06, 00, 00, 00, ...] .text C:\windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88003f7bd8c 12 bytes {MOV RAX, 0xfffffa80048bc2a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\ipla\ipla.exe[2516] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000771d1465 2 bytes [1D, 77] .text C:\Program Files (x86)\ipla\ipla.exe[2516] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771d14bb 2 bytes [1D, 77] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2580] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000771d1465 2 bytes [1D, 77] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2580] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771d14bb 2 bytes [1D, 77] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2580] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000725311a8 2 bytes [53, 72] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2580] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 00000000725313a8 2 bytes [53, 72] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2580] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000072531422 2 bytes [53, 72] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2580] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000072531498 2 bytes [53, 72] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2684] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000771d1465 2 bytes [1D, 77] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2684] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771d14bb 2 bytes [1D, 77] .text ... * 2 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4232] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000771d1465 2 bytes [1D, 77] .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[4232] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000771d14bb 2 bytes [1D, 77] .text ... * 2 .text C:\Program Files (x86)\Canon\Quick Menu\CNQMSWCS.exe[4744] C:\windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000771d1465 2 bytes [1D, 77] .text C:\Program Files (x86)\Canon\Quick Menu\CNQMSWCS.exe[4744] C:\windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000771d14bb 2 bytes [1D, 77] .text ... * 2 .text C:\Users\Media\Desktop\Nowy folder\OTL.exe[3612] C:\windows\syswow64\PSAPI.dll!GetModuleInformation + 69 00000000771d1465 2 bytes [1D, 77] .text C:\Users\Media\Desktop\Nowy folder\OTL.exe[3612] C:\windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000771d14bb 2 bytes [1D, 77] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff880010a5650] \SystemRoot\System32\Drivers\spcq.sys [unknown section] IAT C:\windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff880010a55dc] \SystemRoot\System32\Drivers\spcq.sys [unknown section] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800107035c] \SystemRoot\System32\Drivers\spcq.sys [unknown section] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001070224] \SystemRoot\System32\Drivers\spcq.sys [unknown section] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001070a24] \SystemRoot\System32\Drivers\spcq.sys [unknown section] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff88001070ba0] \SystemRoot\System32\Drivers\spcq.sys [unknown section] ---- Devices - GMER 2.1 ---- Device \Driver\aj1pazv8 \Device\Scsi\aj1pazv81 fffffa80049612c0 Device \Driver\aj1pazv8 \Device\Scsi\aj1pazv81Port1Path0Target0Lun0 fffffa80049612c0 Device \FileSystem\Ntfs \Ntfs fffffa8003f232c0 Device \Driver\amd_sata \Device\00000068 fffffa8003f1d2c0 Device \Driver\usbehci \Device\USBFDO-3 fffffa80044242c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80044242c0 Device \Driver\amd_sata \Device\RaidPort0 fffffa8003f1d2c0 Device \Driver\cdrom \Device\CdRom0 fffffa80045152c0 Device \Driver\cdrom \Device\CdRom1 fffffa80045152c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa80044222c0 Device \Driver\usbohci \Device\USBPDO-2 fffffa80044222c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{905CCFFD-4650-433D-AE71-E9C5E643BE30} fffffa80042e12c0 Device \Driver\usbehci \Device\USBPDO-3 fffffa80044242c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80044242c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa8003f152c0 Device \Driver\volmgr \Device\FtControl fffffa8003f152c0 Device \Driver\volmgr \Device\VolMgrControl fffffa8003f152c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa8003f152c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{A4985844-2997-4C4F-A751-C9F40FB97E83} fffffa80042e12c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa8003f152c0 Device \Driver\volmgr \Device\HarddiskVolume4 fffffa8003f152c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80042e12c0 Device \Driver\amd_sata \Device\00000067 fffffa8003f1d2c0 Device \Driver\amd_sata \Device\ScsiPort0 fffffa8003f1d2c0 Device \Driver\usbohci \Device\USBFDO-2 fffffa80044222c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa80044222c0 Device \Driver\aj1pazv8 \Device\ScsiPort1 fffffa80049612c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{2650A464-AF66-4D21-AAEC-E6A34362543A} fffffa80042e12c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8003f1f2c0]<< spcq.sys amd_xata.sys ACPI.sys storport.sys hal.dll amd_sata.sys fffffa8003f1f2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80041e7060] fffffa80041e7060 Trace 3 CLASSPNP.SYS[fffff88001ad443f] -> nt!IofCallDriver -> [0xfffffa80040916f0] fffffa80040916f0 Trace \Driver\amd_xata[0xfffffa800407fd20] -> IRP_MJ_CREATE -> 0xfffffa8003f1f2c0 fffffa8003f1f2c0 Trace 5 amd_xata.sys[fffff88000dd77a8] -> nt!IofCallDriver -> [0xfffffa8004091e40] fffffa8004091e40 Trace 7 ACPI.sys[fffff880011ac7a1] -> nt!IofCallDriver -> \Device\00000067[0xfffffa800408d420] fffffa800408d420 Trace \Driver\amd_sata[0xfffffa800407ec80] -> IRP_MJ_CREATE -> 0xfffffa8003f1d2c0 fffffa8003f1d2c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\aj1pazv8.SYS fffff88005b7e000-fffff88005bc3000 (282624 bytes) ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4032:3768] 000007fefba12bf8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4032:3344] 000007feea534830 Thread C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2156:3756] 0000000076127587 Thread C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2156:3236] 000000005fb37712 Thread C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2156:3304] 0000000077802e65 Thread C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2156:4624] 0000000077803e85 Thread C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2156:5712] 0000000077803e85 Thread C:\windows\System32\svchost.exe [1484:3960] 000007fee9739688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076fc1a13 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 19921 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 12819 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3E 0x2D 0xCC 0x6F ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4F 0xEC 0x92 0x63 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6C 0xD7 0x9C 0x58 ... Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{2650A464-AF66-4D21-AAEC-E6A34362543A}@LeaseObtainedTime 1411434602 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{2650A464-AF66-4D21-AAEC-E6A34362543A}@T1 1411449002 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{2650A464-AF66-4D21-AAEC-E6A34362543A}@T2 1411459802 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{2650A464-AF66-4D21-AAEC-E6A34362543A}@LeaseTerminatesTime 1411463402 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076fc1a13 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3E 0x2D 0xCC 0x6F ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4F 0xEC 0x92 0x63 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6C 0xD7 0x9C 0x58 ... ---- EOF - GMER 2.1 ----