GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-09-11 13:25:51
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 Hitachi_HTS542516K9SA00 rev.BBCOC31P 149,05GB
Running: ht45ofdr.exe; Driver: C:\Users\Tomek\AppData\Local\Temp\kwddykog.sys


---- Kernel code sections - GMER 2.2 ----

.text ntkrnlpa.exe!ZwRenameKey + 1579 82E45F15 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E80232 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x88D4D60C]

---- Devices - GMER 2.2 ----

Device \FileSystem\Ntfs \Ntfs 84E551F8
Device \FileSystem\udfs \UdfsCdRom 876591F8
Device \FileSystem\udfs \UdfsDisk 876591F8
Device \Driver\usbuhci \Device\USBPDO-0 85F991F8
Device \Driver\usbuhci \Device\USBPDO-1 85F991F8
Device \Driver\usbehci \Device\USBPDO-2 85F85440
Device \Driver\usbuhci \Device\USBPDO-3 85F991F8
Device \Driver\usbuhci \Device\USBPDO-4 85F991F8
Device \Driver\usbuhci \Device\USBPDO-5 85F991F8
Device \Driver\usbehci \Device\USBPDO-6 85F85440
Device \Driver\cdrom \Device\CdRom0 85E651F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84E521F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4 84E521F8
Device \Driver\atapi \Device\Ide\IdePort0 84E521F8
Device \Driver\atapi \Device\Ide\IdePort1 84E521F8
Device \Driver\atapi \Device\Ide\IdePort2 84E521F8
Device \Driver\atapi \Device\Ide\IdePort3 84E521F8
Device \Driver\atapi \Device\Ide\IdePort4 84E521F8
Device \Driver\msahci \Device\Ide\PciIde1Channel0 84E531F8
Device \Driver\msahci \Device\Ide\PciIde1Channel1 84E531F8
Device \Driver\msahci \Device\Ide\PciIde1Channel2 84E531F8
Device \Driver\cdrom \Device\CdRom1 85E651F8
Device \Driver\cdrom \Device\CdRom2 85E651F8
Device \Driver\cdrom \Device\CdRom3 85E651F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{7626F0B2-A199-4BE9-B53C-D8A41929F739} 85F4D1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 85F4D1F8
Device \Driver\dtlitescsibus \Device\00000078 861A8440
Device \Driver\dtlitescsibus \Device\00000079 861A8440
Device \Driver\usbuhci \Device\USBFDO-0 85F991F8
Device \Driver\dtlitescsibus \Device\0000007a 861A8440
Device \Driver\usbuhci \Device\USBFDO-1 85F991F8
Device \Driver\usbehci \Device\USBFDO-2 85F85440
Device \Driver\usbuhci \Device\USBFDO-3 85F991F8
Device \Driver\usbuhci \Device\USBFDO-4 85F991F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{C63F2A9D-A811-4FE5-BB3E-88DAB6368EBD} 85F4D1F8
Device \Driver\usbuhci \Device\USBFDO-5 85F991F8
Device \Driver\usbehci \Device\USBFDO-6 85F85440
Device \FileSystem\cdfs \Cdfs 876221F8

---- Trace I/O - GMER 2.2 ----

Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x84e521f8]<< 84e521f8
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85cde1b8] 85cde1b8
Trace 3 CLASSPNP.SYS[893ae59e] -> nt!IofCallDriver -> [0x85be7c10] 85be7c10
Trace 5 ACPI.sys[88da13d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0x85bdb030] 85bdb030
Trace \Driver\atapi[0x85bcfdb8] -> IRP_MJ_CREATE -> 0x84e521f8 84e521f8

---- Threads - GMER 2.2 ----

Thread System [4:2708] ABD02F2E

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xFB 0x16 0xC4 0x3E ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDA 0x98 0x72 0xE3 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xFB 0x16 0xC4 0x3E ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDA 0x98 0x72 0xE3 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@721F97F7 997

---- EOF - GMER 2.2 ----