GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-04-19 00:45:57 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_SSD_830_Series rev.CXM03B1Q 119,24GB Running: 1j3s6fen.exe; Driver: C:\Users\bieniu\AppData\Local\Temp\axliipob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff80002fbd000 45 bytes [00, 00, 15, 02, 46, 69, 6C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607 fffff80002fbd02f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...] PAGE C:\Windows\system32\drivers\ataport.SYS!DllUnload fffff88000c6c4a0 12 bytes {MOV RAX, 0xfffffa800c7092a0; JMP RAX} .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff88005946d64 12 bytes {MOV RAX, 0xfffffa800dc472a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Windows\SysWOW64\rundll32.exe[2716] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 26 000000006f4813c6 2 bytes [48, 6F] .text C:\Windows\SysWOW64\rundll32.exe[2716] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 74 000000006f4813f6 2 bytes [48, 6F] .text C:\Windows\SysWOW64\rundll32.exe[2716] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 257 000000006f4814ad 2 bytes [48, 6F] .text C:\Windows\SysWOW64\rundll32.exe[2716] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 303 000000006f4814db 2 bytes [48, 6F] .text ... * 2 .text C:\Windows\SysWOW64\rundll32.exe[2716] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 79 000000006f481577 2 bytes [48, 6F] .text C:\Windows\SysWOW64\rundll32.exe[2716] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 175 000000006f4815d7 2 bytes [48, 6F] .text C:\Windows\SysWOW64\rundll32.exe[2716] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 620 000000006f481794 2 bytes [48, 6F] .text C:\Windows\SysWOW64\rundll32.exe[2716] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 921 000000006f4818c1 2 bytes [48, 6F] .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2656] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076e71465 2 bytes [E7, 76] .text C:\Program Files (x86)\uTorrent\uTorrent.exe[2656] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076e714bb 2 bytes [E7, 76] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3120] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076e71465 2 bytes [E7, 76] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3120] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076e714bb 2 bytes [E7, 76] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4536] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076e71465 2 bytes [E7, 76] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4536] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076e714bb 2 bytes [E7, 76] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[2124] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076e71465 2 bytes [E7, 76] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[2124] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076e714bb 2 bytes [E7, 76] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076e71465 2 bytes [E7, 76] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1068] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076e714bb 2 bytes [E7, 76] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010b3f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010b3cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010b469c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010b4a98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010b48f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa800d0db2c0 Device \Driver\atapi \Device\Ide\IdePort4 fffffa800d0db2c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa800d0db2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-5 fffffa800d0db2c0 Device \Driver\atapi \Device\Ide\IdePort5 fffffa800d0db2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa800d0db2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-3 fffffa800d0db2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-4 fffffa800d0db2c0 Device \Driver\atapi \Device\Ide\IdePort6 fffffa800d0db2c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa800d0db2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 fffffa800d0db2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa800d0db2c0 Device \Driver\atapi \Device\Ide\IdePort7 fffffa800d0db2c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa800d0db2c0 Device \FileSystem\Ntfs \Ntfs fffffa800d0e52c0 Device \FileSystem\fastfat \Fat fffffa800ebd52c0 Device \Driver\atapi \Device\ScsiPort7 fffffa800d0db2c0 Device \Driver\atapi \Device\Dev_fffffa800d641060 fffffa800ca40880 Device \Driver\usbehci \Device\USBPDO-1 fffffa800dc492c0 Device \Driver\USBSTOR \Device\00000098 fffffa800ca8e2c0 Device \Driver\cdrom \Device\CdRom0 fffffa800da482c0 Device \Driver\atapi \Device\Dev_fffffa800d6001f0 fffffa800ca40880 Device \Driver\atapi \Device\Dev_fffffa800d646060 fffffa800ca40880 Device \Driver\usbehci \Device\USBFDO-0 fffffa800dc492c0 Device \Driver\USBSTOR \Device\00000099 fffffa800ca8e2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa800dc492c0 Device \Driver\atapi \Device\Dev_fffffa800d615680 fffffa800ca40880 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800db262c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{EC3A7B46-561A-4C33-AEE2-7B216106D63A} fffffa800db262c0 Device \Driver\atapi \Device\ScsiPort0 fffffa800d0db2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa800dc492c0 Device \Driver\atapi \Device\ScsiPort1 fffffa800d0db2c0 Device \Driver\atapi \Device\Dev_fffffa800d622680 fffffa800ca40880 Device \Driver\atapi \Device\ScsiPort2 fffffa800d0db2c0 Device \Driver\atapi \Device\ScsiPort3 fffffa800d0db2c0 Device \Driver\atapi \Device\ScsiPort4 fffffa800d0db2c0 Device \Driver\atapi \Device\ScsiPort5 fffffa800d0db2c0 Device \Driver\atapi \Device\ScsiPort6 fffffa800d0db2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa800d0db2c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa800d0db2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800d885790] fffffa800d885790 Trace 3 CLASSPNP.SYS[fffff88001b8343f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800d6001f0] fffffa800d6001f0 Trace \Driver\atapi[0xfffffa800d5a1820] -> IRP_MJ_CREATE -> 0xfffffa800d0db2c0 fffffa800d0db2c0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x09 0xEE 0x5E 0x1F ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x09 0xEE 0x5E 0x1F ... ---- EOF - GMER 2.1 ----