GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-01-14 06:42:46 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS543232L9A300 rev.FB4OC40C 298,09GB Running: v9cdhip1.exe; Driver: C:\Users\Gosia\AppData\Local\Temp\kwddqkob.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4772] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075c01465 2 bytes [C0, 75] .text C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe[4772] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000075c014bb 2 bytes [C0, 75] .text ... * 2 .text C:\Program Files (x86)\SpeedFan\speedfan.exe[4696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075c01465 2 bytes [C0, 75] .text C:\Program Files (x86)\SpeedFan\speedfan.exe[4696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075c014bb 2 bytes [C0, 75] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001037e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001037c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001038614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001038a10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800103886c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\ataport.SYS[ntoskrnl.exe!KeInsertQueueDpc] [fffffa800369a840] [unknown section] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80036a62c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80036a62c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80036a62c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 fffffa80036a62c0 Device \Driver\arhiaz9k \Device\Scsi\arhiaz9k1 fffffa8004d032c0 Device \FileSystem\Ntfs \Ntfs fffffa80036ae2c0 Device \FileSystem\fastfat \Fat fffffa8009bc32c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{6EC71499-D6E7-40BD-B179-D4E4ECB31356} fffffa80049cb2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8004aa92c0 Device \Driver\cdrom \Device\CdRom0 fffffa80045f72c0 Device \Driver\cdrom \Device\CdRom1 fffffa80045f72c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa8004a952c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa80047b62c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{B676B284-FC60-4DB5-820D-9400C8D39B22} fffffa80049cb2c0 Device \Driver\dtsoftbus01 \Device\00000076 fffffa80047b62c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8004aa92c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80049cb2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{9868E254-926D-4760-94CE-19D612381138} fffffa80049cb2c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80036a62c0 Device \Driver\StarPortLite \Device\StarPortLite fffffa8004a052c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80036a62c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa8004a952c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{B4C543F4-9F9B-4FA1-A472-E9AA4EC177AE} fffffa80049cb2c0 Device \Driver\StarPortLite \Device\ScsiPort2 fffffa8004a052c0 Device \Driver\arhiaz9k \Device\ScsiPort3 fffffa8004d032c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80036a62c0]<< sptd.sys ataport.SYS pciide.sys fffffa80036a62c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80045e5060] fffffa80045e5060 Trace 3 CLASSPNP.SYS[fffff88001aa243f] -> nt!IofCallDriver -> [0xfffffa8004466350] fffffa8004466350 Trace 5 ACPI.sys[fffff8800115e781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004484060] fffffa8004484060 Trace \Driver\atapi[0xfffffa8004466730] -> IRP_MJ_CREATE -> 0xfffffa80036a62c0 fffffa80036a62c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\arhiaz9k.SYS fffff88006b99000-fffff88006bea000 (331776 bytes) ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [1044:1652] 000007fefab159a0 Thread C:\Windows\System32\svchost.exe [1044:1896] 000007fefdb31a70 Thread C:\Windows\System32\svchost.exe [1044:2116] 000007fef67920c0 Thread C:\Windows\System32\svchost.exe [1044:3012] 000007fef67926a8 Thread C:\Windows\System32\svchost.exe [1044:2736] 000007fef67929dc Thread C:\Windows\System32\svchost.exe [1044:4360] 000007fef7a37750 Thread C:\Windows\System32\svchost.exe [1044:4480] 000007fef2933e98 Thread C:\Windows\System32\svchost.exe [1044:4604] 000007fef2978a4c Thread C:\Windows\System32\svchost.exe [1044:552] 000007fef80a88f8 Thread C:\Windows\System32\spoolsv.exe [1940:2380] 000007fef6b610c8 Thread C:\Windows\System32\spoolsv.exe [1940:2592] 000007fef6b26144 Thread C:\Windows\System32\spoolsv.exe [1940:2604] 000007fef68d5fd0 Thread C:\Windows\System32\spoolsv.exe [1940:2600] 000007fef68c3438 Thread C:\Windows\System32\spoolsv.exe [1940:2664] 000007fef68d63ec Thread C:\Windows\System32\spoolsv.exe [1940:2416] 000007fef6bf5e5c Thread C:\Windows\System32\spoolsv.exe [1940:2420] 000007fef6c2484c Thread C:\Windows\System32\spoolsv.exe [1940:3420] 000007fef6c9215c Thread C:\Program Files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe [1996:4372] 000000007237b684 Thread C:\Windows\System32\svchost.exe [1736:4232] 000007fef4c3fdf0 Thread C:\Windows\System32\svchost.exe [1736:4184] 000007fef7ee9874 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4448:2892] 0000000075c17587 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4448:5188] 0000000063b60cb3 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4448:5992] 0000000077e92e3e Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4448:3160] 0000000077e93e59 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4448:5812] 0000000077e93e59 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4448:4796] 0000000077e93e59 ---- Processes - GMER 2.1 ---- Library C:\Users\Gosia\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1884] (GG drive menu/GG Network S.A.)(201 000000005ff80000 Library C:\Users\Gosia\AppData\Local\Temp\sfareca00001.dll (*** suspicious ***) @ C:\Program Files (x86)\SpeedFan\speedfan.exe [4696](2016-01-1 00000000621f0000 Library C:\Users\Gosia\AppData\Local\Temp\sfamcc00001.dll (*** suspicious ***) @ C:\Program Files (x86)\SpeedFan\speedfan.exe [4696](2016-01-07 0000000010000000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x85 0x9A 0xE2 0x95 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x22 0xDA 0x54 0x7F ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x42 0x6A 0xB4 0xF3 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x50 0x64 0x3D 0x93 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x85 0x9A 0xE2 0x95 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x22 0xDA 0x54 0x7F ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x42 0x6A 0xB4 0xF3 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x50 0x64 0x3D 0x93 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) ---- EOF - GMER 2.1 ----