GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-02-04 16:55:34 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-6 SAMSUNG_HD502HI rev.1AG01118 465,76GB Running: g03uxb6c.exe; Driver: C:\Users\Woytas\AppData\Local\Temp\afrdqpob.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88007f78d8c 12 bytes {MOV RAX, 0xfffffa8004efa2a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[1572] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077120038 5 bytes JMP 00000001698f1986 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3220] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 000000007711000c 1 byte [C3] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3220] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 000000007719f8ea 5 bytes JMP 000000017714d5c1 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000772d1465 2 bytes [2D, 77] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772d14bb 2 bytes [2D, 77] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800107ff1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800107fcc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800108069c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001080a98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010808f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdePort4 fffffa80039b02c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80039b02c0 Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-a fffffa80039b02c0 Device \Driver\atapi \Device\Ide\IdePort5 fffffa80039b02c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80039b02c0 Device \Driver\atapi \Device\Ide\IdePort6 fffffa80039b02c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80039b02c0 Device \Driver\atapi \Device\Ide\IdePort7 fffffa80039b02c0 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-6 fffffa80039b02c0 Device \Driver\atapi \Device\Ide\IdeDeviceP6T0L0-10 fffffa80039b02c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80039b02c0 Device \Driver\a9sp8vpn \Device\Scsi\a9sp8vpn1 fffffa8004c6b2c0 Device \Driver\a9sp8vpn \Device\Scsi\a9sp8vpn1Port8Path0Target0Lun0 fffffa8004c6b2c0 Device \FileSystem\Ntfs \Ntfs fffffa8003a912c0 Device \Driver\atapi \Device\ScsiPort7 fffffa80039b02c0 Device \Driver\a9sp8vpn \Device\ScsiPort8 fffffa8004c6b2c0 Device \Driver\WudfPf \Device\WUDFLpcDevice fffff8800a9dd910 Device \Driver\usbehci \Device\USBPDO-5 fffffa8004f1d2c0 Device \Driver\usbohci \Device\USBFDO-3 fffffa8004ef82c0 Device \Driver\usbohci \Device\USBPDO-1 fffffa8004ef82c0 Device \Driver\cdrom \Device\CdRom0 fffffa8004d702c0 Device \Driver\cdrom \Device\CdRom1 fffffa8004d702c0 Device \Driver\cdrom \Device\CdRom2 fffffa8004d702c0 Device \Driver\cdrom \Device\CdRom3 fffffa8004d702c0 Device \Driver\usbohci \Device\USBPDO-6 fffffa8004ef82c0 Device \Driver\usbohci \Device\USBFDO-4 fffffa8004ef82c0 Device \Driver\usbehci \Device\USBPDO-2 fffffa8004f1d2c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa8004ef82c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa8004ce92c0 Device \Driver\usbehci \Device\USBFDO-5 fffffa8004f1d2c0 Device \Driver\dtsoftbus01 \Device\00000062 fffffa8004ce92c0 Device \Driver\usbohci \Device\USBPDO-3 fffffa8004ef82c0 Device \Driver\usbohci \Device\USBFDO-1 fffffa8004ef82c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004d6e2c0 Device \Driver\usbohci \Device\USBFDO-6 fffffa8004ef82c0 Device \Driver\WudfPf \Device\ProcessManagement fffff8800a9dd910 Device \Driver\usbohci \Device\USBPDO-4 fffffa8004ef82c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80039b02c0 Device \Driver\usbehci \Device\USBFDO-2 fffffa8004f1d2c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa8004ef82c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80039b02c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80039b02c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{2537AAF7-E46A-486D-BA13-1850DD7D1CE3} fffffa8004d6e2c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80039b02c0 Device \Driver\atapi \Device\ScsiPort4 fffffa80039b02c0 Device \Driver\atapi \Device\ScsiPort5 fffffa80039b02c0 Device \Driver\atapi \Device\ScsiPort6 fffffa80039b02c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80039b02c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa80039b02c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800461e060] fffffa800461e060 Trace 3 CLASSPNP.SYS[fffff88001a5843f] -> nt!IofCallDriver -> [0xfffffa800447fe40] fffffa800447fe40 Trace 5 ACPI.sys[fffff88000eed7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-6[0xfffffa80044ae680] fffffa80044ae680 Trace \Driver\atapi[0xfffffa8004474650] -> IRP_MJ_CREATE -> 0xfffffa80039b02c0 fffffa80039b02c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\a9sp8vpn.SYS fffff88001abd000-fffff88001b0e000 (331776 bytes) ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3432:4080] 000007fefb6f2a7c ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Pro\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x67 0xE3 0x22 0xF0 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB9 0x88 0x3C 0x5F ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA9 0x89 0xBD 0xEB ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a1 0x10 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x7C 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0x25 0x75 0x32 0x62 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0x25 0x7C 0xCF 0x36 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Pro\ Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x67 0xE3 0x22 0xF0 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB9 0x88 0x3C 0x5F ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA9 0x89 0xBD 0xEB ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a1 0x10 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x7C 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0x25 0x75 0x32 0x62 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0x25 0x7C 0xCF 0x36 ... ---- EOF - GMER 2.1 ----