GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-08-27 12:14:29
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000064 KINGSTON rev.521A 111,79GB
Running: gmer.exe; Driver: H:\Temp\uwldapoc.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002fa4000 45 bytes [00, 00, 15, 00, 46, 69, 6C, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 574 fffff80002fa402e 17 bytes [44, 00, 00, 00, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\G Data\TotalProtection\Firewall\GDFirewallTray.exe[2840] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075fe1465 2 bytes [FE, 75]
.text C:\Program Files (x86)\G Data\TotalProtection\Firewall\GDFirewallTray.exe[2840] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075fe14bb 2 bytes [FE, 75]
.text ... * 2
.text C:\Program Files (x86)\Microsoft Office\OFFICE11\OUTLOOK.EXE[836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075fe1465 2 bytes [FE, 75]
.text C:\Program Files (x86)\Microsoft Office\OFFICE11\OUTLOOK.EXE[836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075fe14bb 2 bytes [FE, 75]
.text ... * 2
? C:\Windows\system32\mssprxy.dll [836] entry point in ".rdata" section 000000006cc971e6
.text C:\Program Files (x86)\Microsoft Office\OFFICE11\OUTLOOK.EXE[2400] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075fe1465 2 bytes [FE, 75]
.text C:\Program Files (x86)\Microsoft Office\OFFICE11\OUTLOOK.EXE[2400] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075fe14bb 2 bytes [FE, 75]
.text ... * 2
? C:\Windows\system32\mssprxy.dll [2400] entry point in ".rdata" section 000000006cc971e6
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075fe1465 2 bytes [FE, 75]
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075fe14bb 2 bytes [FE, 75]
.text ... * 2

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010b2e94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010b2c38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010b3614] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010b3a10] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010b386c] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Devices - GMER 2.1 ----

Device \Driver\atapi \Device\Ide\IdePort0 fffffa8003ca82c0
Device \Driver\atapi \Device\Ide\IdePort1 fffffa8003ca82c0
Device \FileSystem\Ntfs \Ntfs fffffa8003dea2c0
Device \Driver\dtsoftbus01 \Device\00000068 fffffa80046d52c0
Device \Driver\USBSTOR \Device\0000008a fffffa80055e12c0
Device \Driver\nvstor \Device\00000064 fffffa8003caa2c0
Device \Driver\USBSTOR \Device\00000088 fffffa80055e12c0
Device \Driver\usbehci \Device\USBPDO-1 fffffa8004b032c0
Device \Driver\nvstor \Device\RaidPort0 fffffa8003caa2c0
Device \Driver\cdrom \Device\CdRom0 fffffa80046f32c0
Device \Driver\nvstor \Device\RaidPort1 fffffa8003caa2c0
Device \Driver\cdrom \Device\CdRom1 fffffa80046f32c0
Device \Driver\nvstor \Device\00000065 fffffa8003caa2c0
Device \Driver\USBSTOR \Device\00000089 fffffa80055e12c0
Device \Driver\usbohci \Device\USBFDO-0 fffffa8004af62c0
Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa80046d52c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{F6AEB4F3-FA37-4277-94B1-331C40732D5D} fffffa80046fa2c0
Device \Driver\nvstor \Device\00000066 fffffa8003caa2c0
Device \Driver\usbehci \Device\USBFDO-1 fffffa8004b032c0
Device \Driver\USBSTOR \Device\00000086 fffffa80055e12c0
Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80046fa2c0
Device \Driver\atapi \Device\ScsiPort0 fffffa8003ca82c0
Device \Driver\USBSTOR \Device\00000087 fffffa80055e12c0
Device \Driver\usbohci \Device\USBPDO-0 fffffa8004af62c0
Device \Driver\atapi \Device\ScsiPort1 fffffa8003ca82c0
Device \Driver\nvstor \Device\ScsiPort2 fffffa8003caa2c0
Device \Driver\nvstor \Device\ScsiPort3 fffffa8003caa2c0

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8003caa2c0]<< sptd.sys storport.sys hal.dll nvstor.sys fffffa8003caa2c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004143060] fffffa8004143060
Trace 3 CLASSPNP.SYS[fffff88001a6143f] -> nt!IofCallDriver -> [0xfffffa8003f0fd00] fffffa8003f0fd00
Trace 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\00000064[0xfffffa8003cf09c0] fffffa8003cf09c0
Trace \Driver\nvstor[0xfffffa8003c6ecd0] -> IRP_MJ_CREATE -> 0xfffffa8003caa2c0 fffffa8003caa2c0

---- Threads - GMER 2.1 ----

Thread C:\Windows\System32\svchost.exe [3412:5128] 000007fef6729688

---- EOF - GMER 2.1 ----
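The following Python is an added triage helper, not part of the GMER output above. It parses the three hook record types in this log format (kernel IAT redirections, in-process ".text" patches with their "... * N" summary lines, and "?" entry-point records) and groups them by the module doing the hooking: here the atapi.sys imports redirected into sptd.sys, and the identical 2-byte PSAPI.DLL patches repeated across the listed wow64 processes. The sample input is a verbatim subset of the log's own lines; the regexes and function names are this example's own.

```python
"""Triage the hook records of a GMER 2.1 text log (added example, not GMER code)."""
import re
from collections import defaultdict

# Constructed input: a verbatim subset of the GMER log on this page.
SAMPLE_LOG = r"""
---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\G Data\TotalProtection\Firewall\GDFirewallTray.exe[2840] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075fe1465 2 bytes [FE, 75]
.text C:\Program Files (x86)\G Data\TotalProtection\Firewall\GDFirewallTray.exe[2840] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075fe14bb 2 bytes [FE, 75]
.text ... * 2
.text C:\Program Files (x86)\Microsoft Office\OFFICE11\OUTLOOK.EXE[836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075fe1465 2 bytes [FE, 75]
.text C:\Program Files (x86)\Microsoft Office\OFFICE11\OUTLOOK.EXE[836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075fe14bb 2 bytes [FE, 75]
.text ... * 2
? C:\Windows\system32\mssprxy.dll [836] entry point in ".rdata" section 000000006cc971e6
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075fe1465 2 bytes [FE, 75]
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075fe14bb 2 bytes [FE, 75]
.text ... * 2

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010b2e94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010b2c38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010b3614] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010b3a10] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010b386c] \SystemRoot\System32\Drivers\sptd.sys [.text]
"""

# Record shapes as they appear in the log: IAT <victim>[<import>] [<addr>] <target> [<section>]
IAT_RE = re.compile(r"^IAT (?P<victim>\S+)\[(?P<import>[^\]]+)\] \[(?P<addr>[0-9a-fA-F]+)\] "
                    r"(?P<target>\S+) \[(?P<section>[^\]]+)\]$")
# .text <process>[<pid>] <module>!<func> + <offset> <addr> <n> bytes [<hex bytes>]
PATCH_RE = re.compile(r"^\.text (?P<process>.+?)\[(?P<pid>\d+)\] (?P<module>\S+)!(?P<func>\S+) "
                      r"\+ (?P<offset>\d+) (?P<addr>[0-9a-fA-F]+) (?P<count>\d+) bytes \[(?P<bytes>[^\]]*)\]$")
# .text ... * N   (summary line standing in for N further entries)
FOLDED_RE = re.compile(r"^\.text \.\.\. \* (?P<count>\d+)$")
# ? <module> [<pid>] entry point in "<section>" section <addr>
ENTRY_RE = re.compile(r'^\? (?P<module>.+?) \[(?P<pid>\d+)\] entry point in "(?P<section>[^"]+)" '
                      r"section (?P<addr>[0-9a-fA-F]+)$")


def parse_bytes(field):
    """'FE, 75' -> b'\\xfe\\x75'; a trailing '...' marks a truncated dump and is dropped."""
    return bytes(int(tok, 16) for tok in field.split(", ") if tok != "...")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_gmer(text):
    """Return the hook records of a GMER log, with addresses and counts as ints."""
    records = {"iat": [], "patches": [], "folded": 0, "entry_points": []}
    for line in text.splitlines():
        line = line.strip()
        if m := IAT_RE.match(line):
            d = m.groupdict()
            d["addr"] = int(d["addr"], 16)
            records["iat"].append(d)
        elif m := PATCH_RE.match(line):
            d = m.groupdict()
            for k in ("pid", "offset", "count"):
                d[k] = int(d[k])
            d["addr"] = int(d["addr"], 16)
            d["bytes"] = parse_bytes(d["bytes"])
            records["patches"].append(d)
        elif m := FOLDED_RE.match(line):
            records["folded"] += int(m["count"])
        elif m := ENTRY_RE.match(line):
            d = m.groupdict()
            d["pid"], d["addr"] = int(d["pid"]), int(d["addr"], 16)
            records["entry_points"].append(d)
    return records


def hooks_by_hooker(records):
    """Map each hooking driver (by file name) to the sorted imports it redirects."""
    out = defaultdict(set)
    for r in records["iat"]:
        out[basename(r["target"]).lower()].add(r["import"])
    return {k: sorted(v) for k, v in out.items()}


def patch_signatures(records):
    """Group in-process patches by (module!func+offset, bytes) -> sorted pids.

    The same bytes at the same offset in unrelated processes point at one
    system-wide cause rather than something specific to one process."""
    out = defaultdict(set)
    for r in records["patches"]:
        key = (f"{basename(r['module'])}!{r['func']}+{r['offset']}", r["bytes"].hex())
        out[key].add(r["pid"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    recs = parse_gmer(SAMPLE_LOG)
    for hooker, imports in hooks_by_hooker(recs).items():
        print(f"{hooker}: {len(imports)} IAT entries redirected: {', '.join(imports)}")
    for (where, hexbytes), pids in patch_signatures(recs).items():
        print(f"{where} patched with {hexbytes} in pids {pids}")
    print(f"{recs['folded']} further patch entries folded; {len(recs['entry_points'])} odd entry point(s)")
```

Feed it the full log and the two summaries separate the one driver behind all five IAT entries from the per-process patch list, which is the view needed before deciding whether a hook belongs to an installed product or to something that needs a closer look.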