GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-01-31 18:19:21
Windows 6.1.7600 x64  \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.GN00 465,76GB
Running: rjbozp37.exe; Driver: C:\Users\Jacek\AppData\Local\Temp\kwddykog.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
.text  C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload  fffff880065c1c34 12 bytes {MOV RAX, 0xfffffa80091382a0; JMP RAX}

---- Kernel IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]  [fffff88001070f1c] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar]  [fffff88001070cc0] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar]  [fffff8800107169c] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUlong]  [fffff88001071a98] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]  [fffff880010718f4] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Devices - GMER 2.1 ----

Device  \FileSystem\Ntfs \Ntfs  fffffa80057b72c0
Device  \FileSystem\fastfat \Fat  fffffa8008e532c0
Device  \Driver\usbehci \Device\USBPDO-1  fffffa800913a2c0
Device  \Driver\cdrom \Device\CdRom0  fffffa8008c372c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{51E4C9D1-54DB-4184-B2CF-136A451E7EDD}  fffffa8008c3a2c0
Device  \Driver\usbehci \Device\USBFDO-0  fffffa800913a2c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{D15AA5E3-DC2E-4CBE-9617-795AD1E9F297}  fffffa8008c3a2c0
Device  \Driver\usbehci \Device\USBFDO-1  fffffa800913a2c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{74822022-3106-4693-B4D7-8C43A9BCFFCE}  fffffa8008c3a2c0
Device  \Driver\NetBT \Device\NetBt_Wins_Export  fffffa8008c3a2c0
Device  \Driver\usbehci \Device\USBPDO-0  fffffa800913a2c0

---- Processes - GMER 2.1 ----

Library  C:\Windows\KMService.exe (*** suspicious ***) @ C:\Windows\KMService.exe [3300]  0000000000400000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  ???&l ??????Mi?????&?&???&???????????????>??????????????????????????????????????????????????????????????????????????????????????????? H??& ?????????????H?????????????????????????????????????????*??&???;????????s?????\??\C:\pagefile.sys?????? ?????????????&???????0????????????????????? ???????&???????????&?0?????????????????????????????????????????????&??????? ?????????????&??????????H?????????$????????????????????&??? ???????&???????????&????????????sy$???????????????????-1?????&?????????????t???????e???????????&???????????&?&????? ???????????????????&??????????????$???????????????????%\???????????i???????l??? ???????????????????&??????????????$????????????????????????????????&???????????&??? ???????????????????&????????????z?$???????????????????st???????????t???????i???&??? ???????????????????&??????????????$????????????????????????????????????????????&??????????????????????????????????????????? ?,?~??%SystemRoot%\System32\iologmsg.dll;%SystemRoot%\System32\drivers\evbda.sys??????????????????????????netevbd
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68e5df2d
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files (x86)\Daemon Tools Pro\
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68e5df2d (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files (x86)\Daemon Tools Pro\
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...

---- EOF - GMER 2.1 ----
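A reader working through a report like the one above does the same few checks by hand every time: which entries GMER itself marks suspicious, which kernel code sections carry an inline patch, which kernel imports resolve into a module other than the one that exports them, and which registry values are too garbled to judge from the listing. The Python script below is an added example written for this page; it is not GMER's code and not the poster's. It parses GMER's plain-text report (section headers of the form "---- Name - GMER 2.1 ----", one finding per line, and, as an assumption about the layout rather than a documented format, columns separated by runs of two or more spaces) and runs those checks over a constructed excerpt of the log above in which the PendingFileRenameOperations value has been shortened.

```python
"""Parser and triage helper for GMER rootkit-scan reports.

Added example for this page; not GMER's code and not the poster's. The
column-splitting rule (two or more spaces between columns) is an assumption.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
COLUMN_SPLIT = re.compile(r"\s{2,}")  # GMER pads its columns with spaces (assumed)
IAT_TARGET_RE = re.compile(r"^(?P<importer>.+?)\[(?P<provider>[^!\]]+)!(?P<export>[^\]]+)\]$")
IAT_VALUE_RE = re.compile(r"^\[(?P<addr>[0-9a-fA-F]+)\]\s+(?P<module>\S+)")
INLINE_PATCH_RE = re.compile(r"\{(?P<asm>[^}]+)\}")


@dataclass
class Finding:
    section: str
    kind: str    # first column: INITKDBG, .text, IAT, Device, Library, Reg, ...
    target: str  # second column: the object GMER inspected
    value: str   # rest of the line, empty when GMER printed nothing


def parse_gmer(report: str) -> List[Finding]:
    """Split a GMER report into findings tagged with the section they came from."""
    findings: List[Finding] = []
    section = "Header"
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section in ("Header", "EOF"):
            continue
        cols = COLUMN_SPLIT.split(line, maxsplit=2)
        cols += [""] * (3 - len(cols))
        findings.append(Finding(section, cols[0], cols[1], cols[2]))
    return findings


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Return (object, reason) pairs for the entries that deserve a closer look."""
    flagged: List[Tuple[str, str]] = []
    redirected: Dict[str, List[str]] = defaultdict(list)  # hooking module -> exports it took over
    for f in findings:
        if "suspicious" in (f.target + f.value).lower():
            flagged.append((f.target, "GMER itself labels it suspicious"))
        if f.kind == ".text":
            m = INLINE_PATCH_RE.search(f.value)
            if m:
                flagged.append((f.target, "inline code patch: " + m.group("asm").strip()))
        if f.kind in ("IAT", "EAT"):
            t, v = IAT_TARGET_RE.match(f.target), IAT_VALUE_RE.match(f.value)
            # An import that resolves into a module other than its exporter is a hook.
            if t and v and _basename(t.group("provider")) != _basename(v.group("module")):
                redirected[_basename(v.group("module"))].append(
                    f"{_basename(t.group('importer'))}:{t.group('export')}")
        if f.kind == "Reg" and f.value:
            # GMER renders bytes it cannot print as '?'; a value that is mostly '?' needs a raw dump.
            unprintable = sum(ch == "?" or not ch.isprintable() for ch in f.value)
            if unprintable > len(f.value) // 2:
                flagged.append((f.target, "value is mostly unprintable; dump it raw before judging"))
    for module, exports in redirected.items():
        flagged.append((module, f"{len(exports)} kernel import(s) resolved into it: " + ", ".join(exports)))
    return flagged


# Constructed sample: an excerpt of the report above, re-laid out with two or more
# spaces between columns; the PendingFileRenameOperations value is shortened.
SAMPLE_REPORT = r"""GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-01-31 18:19:21
Running: rjbozp37.exe; Driver: C:\Users\Jacek\AppData\Local\Temp\kwddykog.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
.text  C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload  fffff880065c1c34 12 bytes {MOV RAX, 0xfffffa80091382a0; JMP RAX}

---- Kernel IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]  [fffff88001070f1c] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar]  [fffff88001070cc0] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar]  [fffff8800107169c] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Devices - GMER 2.1 ----

Device  \FileSystem\Ntfs \Ntfs  fffffa80057b72c0
Device  \Driver\usbehci \Device\USBPDO-1  fffffa800913a2c0

---- Processes - GMER 2.1 ----

Library  C:\Windows\KMService.exe (*** suspicious ***) @ C:\Windows\KMService.exe [3300]  0000000000400000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  ???&l ??????Mi?????&?&???&???????????\??\C:\pagefile.sys??????
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files (x86)\Daemon Tools Pro\

---- EOF - GMER 2.1 ----
"""

if __name__ == "__main__":
    for obj, why in triage(parse_gmer(SAMPLE_REPORT)):
        print(f"{why}\n    {obj}")
```

Run as-is it prints the flagged entries. On the full log, the import-table group is the one the log itself accounts for: every atapi.sys import lands in sptd.sys, and the sptd Cfg key under both control sets points at C:\Program Files (x86)\Daemon Tools Pro\. The USBPORT.SYS!DllUnload patch jumps to 0xfffffa80091382a0, an address in the same range as the driver objects listed under Devices rather than inside a loaded module image at 0xfffff880..., so the next step is to map that address to its owner before drawing a conclusion; likewise C:\Windows\KMService.exe should be hashed and checked rather than judged on GMER's label alone.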