GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-07-22 19:47:20 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PB3O 298,09GB Running: fi2ikp04.exe; Driver: C:\Users\Wojtek\AppData\Local\Temp\kwrdqpob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80004bed000 45 bytes [00, 00, 10, 02, 4D, 6D, 43, ...] INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff80004bed02f 16 bytes [00, 01, 00, 00, 00, 00, 00, ...] .text C:\windows\System32\win32k.sys!EngSetLastError + 608 fffff96000164d14 8 bytes [60, 56, 6F, 04, 80, F8, FF, ...] .text C:\windows\System32\win32k.sys!W32pServiceTable fffff96000194000 7 bytes [00, 93, F3, FF, 01, A0, F0] .text C:\windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000194008 3 bytes [C0, 06, 02] .text ... * 109 .text C:\windows\System32\win32k.sys!EngGetProcessHandle + 404 fffff96000252fa8 6 bytes {JMP QWORD [RIP-0xba6d6]} ---- User code sections - GMER 2.1 ---- .text C:\windows\system32\wininit.exe[640] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007725ef8d 1 byte [62] .text C:\windows\system32\winlogon.exe[708] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007725ef8d 1 byte [62] .text C:\windows\system32\services.exe[756] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007725ef8d 1 byte [62] .text C:\windows\system32\nvvsvc.exe[948] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007725ef8d 1 byte [62] .text C:\windows\System32\svchost.exe[536] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007725ef8d 1 byte [62] .text C:\windows\system32\svchost.exe[592] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007725ef8d 1 byte [62] .text C:\windows\system32\svchost.exe[1164] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007725ef8d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1464] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007725ef8d 1 byte [62] .text C:\windows\system32\nvvsvc.exe[1472] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007725ef8d 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1988] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e9a2fd 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2028] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007725ef8d 1 byte [62] .text C:\Program Files (x86)\Motorola Media Link\NServiceEntry.exe[1060] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e9a2fd 1 byte [62] .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2212] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e9a2fd 1 byte [62] .text C:\windows\SysWOW64\rundll32.exe[2284] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e9a2fd 1 byte [62] .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[2332] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e9a2fd 1 byte [62] .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[2332] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751b1465 2 bytes [1B, 75] .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe[2332] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751b14bb 2 bytes [1B, 75] .text ... * 2 .text C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe[2404] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e9a2fd 1 byte [62] .text C:\windows\SysWOW64\Rezip.exe[2456] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e9a2fd 1 byte [62] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2484] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e9a2fd 1 byte [62] .text C:\windows\system32\taskhost.exe[3420] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007725ef8d 1 byte [62] .text C:\windows\Explorer.EXE[3532] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007725ef8d 1 byte [62] .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[2884] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e9a2fd 1 byte [62] .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[2884] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000751b1465 2 bytes [1B, 75] .text C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe[2884] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751b14bb 2 bytes [1B, 75] .text ... * 2 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3900] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007725ef8d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3812] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007725ef8d 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4056] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007725ef8d 1 byte [62] .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3364] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076e78791 5 bytes [33, C0, C2, 04, 00] .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3364] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e9a2fd 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3792] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007725ef8d 1 byte [62] .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[2388] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e9a2fd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3932] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076e78791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3932] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e9a2fd 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3660] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007725ef8d 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4480] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e9a2fd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1456] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e9a2fd 1 byte [62] .text C:\windows\notepad.exe[1568] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007725ef8d 1 byte [62] .text C:\Users\Wojtek\Downloads\fi2ikp04.exe[4744] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e9a2fd 1 byte [62] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010dbe94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010dbc38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010dc614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010dca10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010dc86c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa8003e792c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{718C26B4-D14D-46E6-B93C-21145BDE3076} fffffa8004af52c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80069df2c0 Device \Driver\cdrom \Device\CdRom0 fffffa80046d92c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa80069df2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{CE3E7AB7-609F-4EAD-A7D3-F1052DD44F5B} fffffa8004af52c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80069df2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{9AD0F776-D838-4365-AC0D-DBD65763A5B8} fffffa8004af52c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{B6AC41CC-732B-4B03-897C-92612C138041} fffffa8004af52c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004af52c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa80069df2c0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654edff Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654f652 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b66b6864 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b66b6982 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b482fe513b47 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b482fe513b47@789ed070b9bb 0x17 0x9D 0x18 0x45 ... Reg HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application@Sources MSDMine?DfSdk Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA4 0xEE 0xDD 0x92 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654edff (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654f652 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b66b6864 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b66b6982 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b482fe513b47 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b482fe513b47@789ed070b9bb 0x17 0x9D 0x18 0x45 ... Reg HKLM\SYSTEM\ControlSet002\services\eventlog\Application@Sources MSDMine?DfSdk Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA4 0xEE 0xDD 0x92 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----