GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-05 20:39:16
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD321KJ rev.CP100-11 298,09GB
Running: q9rjsex5.exe; Driver: C:\Users\UKASZ~1\AppData\Local\Temp\pxddqpow.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\WINDOWS\System32\win32k.sys!W32pServiceTable        fffff960000f8700 15 bytes [40, B5, F7, 01, 80, 39, 70, ...]
.text  C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16   fffff960000f8710 11 bytes [00, 15, FC, FF, 00, 27, C3, ...]

---- User code sections - GMER 2.1 ----

.text  C:\Windows\WindowsMobile\wmdc.exe[1168] C:\WINDOWS\system32\WSOCK32.dll!setsockopt + 194   00007ff952511f6a 4 bytes [51, 52, F9, 7F]
.text  C:\Windows\WindowsMobile\wmdc.exe[1168] C:\WINDOWS\system32\WSOCK32.dll!setsockopt + 218   00007ff952511f82 4 bytes [51, 52, F9, 7F]
.text  C:\WINDOWS\system32\svchost.exe[1800] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194     00007ff952511f6a 4 bytes [51, 52, F9, 7F]
.text  C:\WINDOWS\system32\svchost.exe[1800] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218     00007ff952511f82 4 bytes [51, 52, F9, 7F]

---- Kernel IAT/EAT - GMER 2.1 ----

IAT  C:\WINDOWS\System32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]   [fffff800f648ce94] \SystemRoot\System32\Drivers\sptd.sys [unknown section]
IAT  C:\WINDOWS\System32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]          [fffff800f648cc38] \SystemRoot\System32\Drivers\sptd.sys [unknown section]
IAT  C:\WINDOWS\System32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]         [fffff800f648d614] \SystemRoot\System32\Drivers\sptd.sys [unknown section]
IAT  C:\WINDOWS\System32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong]         [fffff800f648da10] \SystemRoot\System32\Drivers\sptd.sys [unknown section]
IAT  C:\WINDOWS\System32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]  [fffff800f648d86c] \SystemRoot\System32\Drivers\sptd.sys [unknown section]

---- Devices - GMER 2.1 ----

Device  \Driver\atapi   \Device\Ide\IdeDeviceP0T0L0-0   ffffe001d49a12c0
Device  \Driver\atapi   \Device\Ide\IdePort0            ffffe001d49a12c0
Device  \Driver\atapi   \Device\Ide\IdePort1            ffffe001d49a12c0
Device  \Driver\atapi   \Device\Ide\IdeDeviceP3T0L0-6   ffffe001d49a12c0
Device  \Driver\atapi   \Device\Ide\IdePort2            ffffe001d49a12c0
Device  \Driver\atapi   \Device\Ide\IdeDeviceP1T0L0-1   ffffe001d49a12c0
Device  \Driver\atapi   \Device\Ide\IdePort3            ffffe001d49a12c0
Device  \Driver\cdrom   \Device\CdRom0                  ffffe001d62002c0
Device  \Driver\USBSTOR \Device\00000045                ffffe001d6f2f2c0
Device  \Driver\USBSTOR \Device\00000046                ffffe001d6f2f2c0
Device  \Driver\atapi   \Device\ScsiPort0               ffffe001d49a12c0
Device  \Driver\atapi   \Device\ScsiPort1               ffffe001d49a12c0
Device  \Driver\atapi   \Device\ScsiPort2               ffffe001d49a12c0
Device  \Driver\atapi   \Device\ScsiPort3               ffffe001d49a12c0

---- Trace I/O - GMER 2.1 ----

Trace  ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xffffe001d49a12c0]<< sptd.sys ataport.SYS pciide.sys hal.dll   ffffe001d49a12c0
Trace  1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe001d5d11060]                                                       ffffe001d5d11060
Trace  3 CLASSPNP.SYS[fffff800f680227b] -> nt!IofCallDriver -> [0xffffe001d53a4e00]                                          ffffe001d53a4e00
Trace  5 ACPI.sys[fffff800f61327aa] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xffffe001d539a060]                 ffffe001d539a060
Trace  \Driver\atapi[0xffffe001d53a1430] -> IRP_MJ_CREATE -> 0xffffe001d49a12c0                                               ffffe001d49a12c0

---- Threads - GMER 2.1 ----

Thread  System [4:996]                              ffffe001d78a5c30
Thread  C:\WINDOWS\system32\csrss.exe [656:740]     fffff96000834b90

---- Processes - GMER 2.1 ----

Library  C:\Users\Łukasz\AppData\Roaming\Dropbox\bin\wxmsw28uh_vc.dll (*** suspicious ***) @ C:\Users\Łukasz\AppData\Roaming\Dropbox\bin\Dropbox.exe [4312](2014-08-15 18:46:08)   0000000003ef0000
Library  c:\users\ukasz~1\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp6lcfo9.dll (*** suspicious ***) @ C:\Users\Łukasz\AppData\Roaming\Dropbox\bin\Dropbox.exe [4312](2014-09-05 16:26:02)   0000000004330000
Library  C:\Users\Łukasz\AppData\Roaming\Dropbox\bin\libcef.dll (*** suspicious ***) @ C:\Users\Łukasz\AppData\Roaming\Dropbox\bin\Dropbox.exe [4312](2013-08-23 19:01:44)   0000000068ea0000
Library  C:\Users\Łukasz\AppData\Roaming\Dropbox\bin\icudt.dll (*** suspicious ***) @ C:\Users\Łukasz\AppData\Roaming\Dropbox\bin\Dropbox.exe [4312] (ICU Data DLL/The ICU Project)(2013-08-23 19:01:42)   00000000684a0000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed   -2089157161
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime     ?Pt?, ?wrz ?05 ?14, 06:50:51???????????????????????????????????
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0      0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew   0x02 0x9D 0x9E 0x3B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{48BFB3CA-4138-4635-8A02-1BAB28068DC7}@LeaseObtainedTime     1409937919
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{48BFB3CA-4138-4635-8A02-1BAB28068DC7}@T1                    1409939719
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{48BFB3CA-4138-4635-8A02-1BAB28068DC7}@T2                    1409941069
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{48BFB3CA-4138-4635-8A02-1BAB28068DC7}@LeaseTerminatesTime   1409941519
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw       0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask   0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw       0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask   0x64 0x62 0x03 0x00 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced@Hidden            1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced@HideFileExt       0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced@ShowSuperHidden   1

---- EOF - GMER 2.1 ----