GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-09-29 20:43:58 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_SP1203N rev.TL100-30 111,82GB Running: iq27dnit.exe; Driver: C:\Users\Grzesiek\AppData\Local\Temp\kxddrkow.sys ---- Kernel code sections - GMER 2.1 ---- PAGE C:\Windows\system32\DRIVERS\ataport.SYS!DllUnload fffff88000feb4a0 12 bytes {MOV RAX, 0xfffffa80027da2a0; JMP RAX} .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88003f22c34 12 bytes {MOV RAX, 0xfffffa80032d52a0; JMP RAX} ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\DRIVERS\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff8800106d650] \SystemRoot\System32\Drivers\spuw.sys [unknown section] IAT C:\Windows\system32\DRIVERS\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff8800106d5dc] \SystemRoot\System32\Drivers\spuw.sys [unknown section] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800103835c] \SystemRoot\System32\Drivers\spuw.sys [unknown section] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001038224] \SystemRoot\System32\Drivers\spuw.sys [unknown section] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001038a24] \SystemRoot\System32\Drivers\spuw.sys [unknown section] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff88001038ba0] \SystemRoot\System32\Drivers\spuw.sys [unknown section] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80027e22c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80027e22c0 Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 fffffa80027e22c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80027e22c0 Device \Driver\VClone \Device\Scsi\VClone1Port4Path0Target0Lun0 fffffa800339b2c0 Device \Driver\VClone \Device\Scsi\VClone1 fffffa800339b2c0 Device \FileSystem\Ntfs \Ntfs fffffa80027ea2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80032fc2c0 Device \Driver\nvstor64 \Device\RaidPort0 fffffa80027e62c0 Device \Driver\cdrom \Device\CdRom0 fffffa80030af2c0 Device \Driver\nvstor64 \Device\RaidPort1 fffffa80027e62c0 Device \Driver\cdrom \Device\CdRom1 fffffa80030af2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{1B30AC58-421C-4F6B-AACB-74E220199ADC} fffffa80032922c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa80032f22c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80032fc2c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa80027de2c0 Device \Driver\volmgr \Device\FtControl fffffa80027de2c0 Device \Driver\volmgr \Device\VolMgrControl fffffa80027de2c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa80027de2c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa80027de2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80032922c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80027e22c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa80032f22c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80027e22c0 Device \Driver\nvstor64 \Device\ScsiPort2 fffffa80027e62c0 Device \Driver\nvstor64 \Device\ScsiPort3 fffffa80027e62c0 Device \Driver\VClone \Device\ScsiPort4 fffffa800339b2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80027e22c0]<< spuw.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa80027e22c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003034060] fffffa8003034060 Trace 3 CLASSPNP.SYS[fffff88001ad443f] -> nt!IofCallDriver -> [0xfffffa80028b62c0] fffffa80028b62c0 Trace 5 ACPI.sys[fffff88001174781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80028be680] fffffa80028be680 Trace \Driver\atapi[0xfffffa80028b66a0] -> IRP_MJ_CREATE -> 0xfffffa80027e22c0 fffffa80027e22c0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6D 0xE3 0x26 0x45 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6D 0xE3 0x26 0x45 ... ---- EOF - GMER 2.1 ----