GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-01-22 16:51:06
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 Hitachi_HDS721050CLA362 rev.JP2OA25C 465,76GB
Running: 5kiyu7g8.exe; Driver: C:\Users\Bartek\AppData\Local\Temp\kwrdipob.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload  fffff880048a4d8c 12 bytes {MOV RAX, 0xfffffa8006c352a0; JMP RAX}

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1432] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  00000000754b8791 4 bytes [C2, 04, 00, 00]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1432] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69  0000000076a31465 2 bytes [A3, 76]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1432] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  0000000076a314bb 2 bytes [A3, 76]
.text  ...  * 2
.text  E:\programy\Mbam\Malwarebytes Anti-Malware\mbamscheduler.exe[1728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076a31465 2 bytes [A3, 76]
.text  E:\programy\Mbam\Malwarebytes Anti-Malware\mbamscheduler.exe[1728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000076a314bb 2 bytes [A3, 76]
.text  ...  * 2
.text  E:\programy\Mbam\Malwarebytes Anti-Malware\mbam.exe[1072] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076a31465 2 bytes [A3, 76]
.text  E:\programy\Mbam\Malwarebytes Anti-Malware\mbam.exe[1072] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000076a314bb 2 bytes [A3, 76]
.text  ...  * 2
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2196] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322  000000006fdb1a22 2 bytes [DB, 6F]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2196] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496  000000006fdb1ad0 2 bytes [DB, 6F]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2196] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552  000000006fdb1b08 2 bytes [DB, 6F]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2196] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730  000000006fdb1bba 2 bytes [DB, 6F]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2196] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762  000000006fdb1bda 2 bytes [DB, 6F]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076a31465 2 bytes [A3, 76]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000076a314bb 2 bytes [A3, 76]
.text  ...  * 2

---- Kernel IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]  [fffff88001030f1c] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]  [fffff88001030cc0] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]  [fffff8800103169c] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong]  [fffff88001031a98] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]  [fffff880010318f4] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Devices - GMER 2.1 ----

Device  \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0  fffffa80054c62c0
Device  \Driver\atapi \Device\Ide\IdePort4  fffffa80054c62c0
Device  \Driver\atapi \Device\Ide\IdePort0  fffffa80054c62c0
Device  \Driver\atapi \Device\Ide\IdePort5  fffffa80054c62c0
Device  \Driver\atapi \Device\Ide\IdePort1  fffffa80054c62c0
Device  \Driver\atapi \Device\Ide\IdePort2  fffffa80054c62c0
Device  \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2  fffffa80054c62c0
Device  \Driver\atapi \Device\Ide\IdePort3  fffffa80054c62c0
Device  \FileSystem\Ntfs \Ntfs  fffffa80054ca2c0
Device  \Driver\usbehci \Device\USBPDO-1  fffffa8006c932c0
Device  \Driver\cdrom \Device\CdRom0  fffffa80066002c0
Device  \Driver\usbehci \Device\USBFDO-0  fffffa8006c932c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{36E92145-DA1D-4B57-9367-80F46E63A535}  fffffa80069292c0
Device  \Driver\USBSTOR \Device\00000076  fffffa8006fc02c0
Device  \Driver\usbehci \Device\USBFDO-1  fffffa8006c932c0
Device  \Driver\NetBT \Device\NetBt_Wins_Export  fffffa80069292c0
Device  \Driver\atapi \Device\ScsiPort0  fffffa80054c62c0
Device  \Driver\USBSTOR \Device\00000073  fffffa8006fc02c0
Device  \Driver\usbehci \Device\USBPDO-0  fffffa8006c932c0
Device  \Driver\atapi \Device\ScsiPort1  fffffa80054c62c0
Device  \Driver\atapi \Device\ScsiPort2  fffffa80054c62c0
Device  \Driver\atapi \Device\ScsiPort3  fffffa80054c62c0
Device  \Driver\atapi \Device\ScsiPort4  fffffa80054c62c0
Device  \Driver\atapi \Device\ScsiPort5  fffffa80054c62c0

---- Trace I/O - GMER 2.1 ----

Trace  ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80054c62c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys  fffffa80054c62c0
Trace  1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80065bc060]  fffffa80065bc060
Trace  3 CLASSPNP.SYS[fffff880013c843f] -> nt!IofCallDriver -> [0xfffffa80062f1520]  fffffa80062f1520
Trace  5 ACPI.sys[fffff880011807a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa80062f7060]  fffffa80062f7060
Trace  \Driver\atapi[0xfffffa80062b96a0] -> IRP_MJ_CREATE -> 0xfffffa80054c62c0  fffffa80054c62c0

---- Processes - GMER 2.1 ----

Library  C:\Users\Bartek\AppData\Local\Temp\sfareca00001.dll (*** suspicious ***) @ C:\Program Files (x86)\SpeedFan\speedfan.exe [720](2015-01-2  0000000073550000
Library  C:\Users\Bartek\AppData\Local\Temp\sfamcc00001.dll (*** suspicious ***) @ C:\Program Files (x86)\SpeedFan\speedfan.exe [720](2015-01-07  0000000010000000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files (x86)\DAEMON Tools Pro\
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x6E 0x0A 0x6A 0xA0 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{36E92145-DA1D-4B57-9367-80F46E63A535}@LeaseObtainedTime  1421939724
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{36E92145-DA1D-4B57-9367-80F46E63A535}@T1  1421939991
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{36E92145-DA1D-4B57-9367-80F46E63A535}@T2  1421940216
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{36E92145-DA1D-4B57-9367-80F46E63A535}@LeaseTerminatesTime  1421940324
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files (x86)\DAEMON Tools Pro\
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x6E 0x0A 0x6A 0xA0 ...

---- EOF - GMER 2.1 ----