GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-02-07 22:37:07 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.D005DEM1 465,76GB Running: b9s0qsud.exe; Driver: C:\Users\Bartek\AppData\Local\Temp\kwrdipob.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88006cb2d8c 12 bytes {MOV RAX, 0xfffffa8003c502a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2344] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075fb1465 2 bytes [FB, 75] .text C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[2344] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075fb14bb 2 bytes [FB, 75] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010a2f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010a2cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010a369c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010a3a98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010a38f4] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoAcquireRemoveLockEx] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoWMIRegistrationControl] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!ExFreePoolWithTag] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoWMIWriteEvent] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoRegisterDeviceInterface] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoSetDeviceInterfaceState] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoStartPacket] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoStartTimer] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!RtlInitUnicodeString] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoDeleteDevice] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!KeSetEvent] [f80348078bc87218] [unknown section] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoFreeWorkItem] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!MmGetSystemRoutineAddress] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!KeInitializeEvent] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!RtlQueryRegistryValues] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!RtlInitAnsiString] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!RtlGetVersion] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoDetachDevice] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!PoRequestPowerIrp] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoCancelIrp] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoStopTimer] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoStartNextPacket] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoAllocateWorkItem] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!_vsnwprintf] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!PoStartNextPowerIrp] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!_vsnprintf] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!ZwClose] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IofCompleteRequest] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoReleaseRemoveLockAndWaitEx] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoInitializeTimer] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoFreeIrp] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoSetCompletionRoutineEx] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!PoCallDriver] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoAllocateIrp] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!RtlCompareMemory] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!ObfReferenceObject] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoSetStartIoAttributes] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoInitializeRemoveLockEx] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoCreateDevice] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IofCallDriver] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!KeAcquireInStackQueuedSpinLockAtDpcLevel] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!KeReleaseInStackQueuedSpinLock] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoBuildPartialMdl] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoReleaseRemoveLockEx] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!KeAcquireInStackQueuedSpinLock] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoFreeMdl] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!KeDelayExecutionThread] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoGetSfioStreamIdentifier] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!KeRemoveEntryDeviceQueue] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoQueueWorkItem] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoReleaseCancelSpinLock] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoAcquireCancelSpinLock] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoAllocateMdl] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!ZwEnumerateValueKey] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoGetDeviceInterfaces] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!ZwOpenKey] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!KeBugCheckEx] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!KeWaitForSingleObject] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!NlsMbCodePageTag] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoIs32bitProcess] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!MmProbeAndLockPages] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!MmUnlockPages] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoAllocateSfioStreamIdentifier] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoFreeSfioStreamIdentifier] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!IoGetIoPriorityHint] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!EtwUnregister] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!EtwRegister] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!EtwEventEnabled] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!EtwWrite] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!EtwProviderEnabled] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[ntoskrnl.exe!__C_specific_handler] [?] IAT C:\Windows\System32\Drivers\atc3br1a.SYS[USBD.SYS!USBD_CreateConfigurationRequestEx] [?] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa8003b232c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa8003b232c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa8003b232c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa8003b232c0 Device \Driver\atc3br1a \Device\Scsi\atc3br1a1 fffffa80050712c0 Device \Driver\atc3br1a \Device\Scsi\atc3br1a1Port2Path0Target0Lun0 fffffa80050712c0 Device \FileSystem\Ntfs \Ntfs fffffa8003b2b2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8004f402c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{E52A3280-2B89-46E5-B60C-B5870FB89094} fffffa8004edd2c0 Device \Driver\cdrom \Device\CdRom0 fffffa8004de42c0 Device \Driver\cdrom \Device\CdRom1 fffffa8004de42c0 Device \Driver\cdrom \Device\CdRom2 fffffa8004de42c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{548D5196-F54C-4036-8DC5-8001AF83FB88} fffffa8004edd2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{5F3A4C8F-4956-456E-9B59-8663C1A4D0E8} fffffa8004edd2c0 Device \Driver\USBSTOR \Device\0000006f fffffa80055972c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8004f402c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa8004c652c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8004f402c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004edd2c0 Device \Driver\dtsoftbus01 \Device\00000063 fffffa8004c652c0 Device \Driver\atapi \Device\ScsiPort0 fffffa8003b232c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8004f402c0 Device \Driver\atapi \Device\ScsiPort1 fffffa8003b232c0 Device \Driver\atc3br1a \Device\ScsiPort2 fffffa80050712c0 Device \Driver\USBSTOR \Device\0000006e fffffa80055972c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8003b232c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa8003b232c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004ab2060] fffffa8004ab2060 Trace 3 CLASSPNP.SYS[fffff88001acd43f] -> nt!IofCallDriver -> [0xfffffa800492d520] fffffa800492d520 Trace 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004929680] fffffa8004929680 Trace \Driver\atapi[0xfffffa80048de570] -> IRP_MJ_CREATE -> 0xfffffa8003b232c0 fffffa8003b232c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\atc3br1a.SYS (USB Mass Storage Class Driver/Microsoft Corporation SIGNED)(2010-11-21 03:23:47) fffff88008263000-fffff880082b4000 (331776 bytes) ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\642737e4bee8 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6D 0x58 0xB5 0x9E ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF1 0x14 0x14 0x2C ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9E 0x9B 0x99 0xDD ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\642737e4bee8 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6D 0x58 0xB5 0x9E ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF1 0x14 0x14 0x2C ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9E 0x9B 0x99 0xDD ... ---- EOF - GMER 2.1 ----