GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-11-19 15:10:19
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD10EZEX-00KUWA0 rev.15.01H15 931,51GB
Running: 5ir1l43p.exe; Driver: C:\Users\Lukasz\AppData\Local\Temp\ugrdapoc.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000722a17fa 2 bytes CALL 75731199 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 00000000722a1860 2 bytes CALL 75731199 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 00000000722a1942 2 bytes JMP 7728c29f C:\Windows\syswow64\WS2_32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 00000000722a194d 2 bytes JMP 7728418d C:\Windows\syswow64\WS2_32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076fb1401 2 bytes JMP 7574eb26 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076fb1419 2 bytes JMP 7575b513 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076fb1431 2 bytes JMP 757d8609 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076fb144a 2 bytes CALL 75731dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076fb14dd 2 bytes JMP 757d7efe C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076fb14f5 2 bytes JMP 757d80d8 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076fb150d 2 bytes JMP 757d7df4 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076fb1525 2 bytes JMP 757d81c2 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076fb153d 2 bytes JMP 7574f088 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076fb1555 2 bytes JMP 7575b885 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076fb156d 2 bytes JMP 757d86c1 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076fb1585 2 bytes JMP 757d8222 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076fb159d 2 bytes JMP 757d7db8 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076fb15b5 2 bytes JMP 7574f121 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076fb15cd 2 bytes JMP 7575b29f C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076fb16b2 2 bytes JMP 757d8584 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076fb16bd 2 bytes JMP 757d7d4d C:\Windows\syswow64\kernel32.dll

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010abe94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010abc38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010ac614] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010aca10] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010ac86c] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Devices - GMER 2.1 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa800667b2c0
Device \Driver\atapi \Device\Ide\IdePort0 fffffa800667b2c0
Device \Driver\atapi \Device\Ide\IdePort1 fffffa800667b2c0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa800667b2c0
Device \FileSystem\Ntfs \Ntfs fffffa8006fdf2c0
Device \Driver\usbehci \Device\USBPDO-1 fffffa8007b4e2c0
Device \Driver\cdrom \Device\CdRom0 fffffa80078382c0
Device \Driver\usbehci \Device\USBFDO-0 fffffa8007b4e2c0
Device \Driver\usbehci \Device\USBFDO-1 fffffa8007b4e2c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{56B7A341-0744-480A-8E2A-4EE4E7754058} fffffa80078312c0
Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80078312c0
Device \Driver\atapi \Device\ScsiPort0 fffffa800667b2c0
Device \Driver\usbehci \Device\USBPDO-0 fffffa8007b4e2c0
Device \Driver\atapi \Device\ScsiPort1 fffffa800667b2c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{23FD9CDB-108F-4EDD-972A-192072078012} fffffa80078312c0

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa800667b2c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa800667b2c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80077a0060] fffffa80077a0060
Trace 3 CLASSPNP.SYS[fffff8800140143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80074de060] fffffa80074de060
Trace \Driver\atapi[0xfffffa800719be70] -> IRP_MJ_CREATE -> 0xfffffa800667b2c0 fffffa800667b2c0

---- Processes - GMER 2.1 ----

Library C:\Users\Lukasz\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\Ontology.dll (*** suspicious ***) @ C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2736] (Application Ontology library/NVIDIA Corporation)(2014-11-18 15:08:38) 0000000074420000
Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{040409E2-D84A-4F3D-A0D7-5B81CEE3820C}\mpengine.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [3604] (Microsoft Malware Protection Engine/Microsoft Corporation)(2014-09-26 14:07:06) 000007fef00e0000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE9 0x17 0xC9 0x01 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE9 0x17 0xC9 0x01 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x37 0xD1 0x98 0x22 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x48 0xEC 0x10 0xA9 ...

---- EOF - GMER 2.1 ----
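The log above reads as a wall of hook lines, and the triage questions are always the same: which process has inline hooks, where do the hook targets land, which kernel driver is rewriting which driver's import table, and does the registry section tie that driver to an installed product. The script below is an added example written for this page, not GMER's code and not anything the poster ran. It parses the three sections that matter for that triage (User code sections, Kernel IAT/EAT, Registry) and reports the groupings; it deliberately makes no benign/malicious verdict, since that judgement needs context the log cannot supply. The regular expressions are written against the line layout visible in this log and are an assumption for other GMER builds; the sample input is a handful of lines copied from the log above, with the `.text ... * 9` collapse marker left in to show it is skipped. Here the Registry section itself links `sptd` to the DAEMON Tools Lite install path via the `@p0` value, which is what the last summary surfaces.

```python
"""Triage helper for a GMER 2.1 text log (added example, not GMER code).

Groups user-mode inline hooks per process and kernel IAT hooks per hooking
driver, and ties each hooking driver to the install path GMER reports under
HKLM\SYSTEM\CurrentControlSet\services\<name>\Cfg\...@p0.
"""
import re
from collections import defaultdict

# Inline hook line from "User code sections" (one entry per line in the real log).
# Layout assumed from the log on this page: .text <proc[pid]> <module>!<export> + <off>
# <addr> <n> bytes <CALL|JMP> <target> <target module>
USER_HOOK_RE = re.compile(
    r'^\.text\s+(?P<proc>\S+)\s+(?P<module>\S+)!(?P<export>\S+)\s+\+\s+(?P<off>\d+)'
    r'\s+(?P<addr>[0-9a-fA-F]+)\s+(?P<n>\d+)\s+bytes\s+(?P<kind>CALL|JMP)'
    r'\s+(?P<target>[0-9a-fA-F]+)\s+(?P<tmod>\S+)$')
# Kernel IAT hook line: IAT <victim>[<import module>!<function>] [<addr>] <hooker> [<section>]
IAT_RE = re.compile(
    r'^IAT\s+(?P<victim>[^\[\s]+)\[(?P<imod>[^!]+)!(?P<func>[^\]]+)\]\s+'
    r'\[(?P<addr>[0-9a-fA-F]+)\]\s+(?P<hooker>\S+)\s+\[(?P<section>[^\]]+)\]$')
# Active-ControlSet service config value @p0 (install path); inactive ControlSets are ignored.
REG_P0_RE = re.compile(
    r'^Reg\s+HKLM\\SYSTEM\\CurrentControlSet\\services\\(?P<svc>[^\\]+)\\\S*@p0'
    r'\s+(?P<path>.+)$', re.IGNORECASE)

# Sample input: lines copied from the log on this page (not a full scan).
SAMPLE_LOG = r"""
GMER 2.1.19357 - http://www.gmer.net
---- User code sections - GMER 2.1 ----
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000722a17fa 2 bytes CALL 75731199 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 00000000722a1942 2 bytes JMP 7728c29f C:\Windows\syswow64\WS2_32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076fb1419 2 bytes JMP 7575b513 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[1880] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076fb1431 2 bytes JMP 757d8609 C:\Windows\syswow64\kernel32.dll
.text ... * 9
---- Kernel IAT/EAT - GMER 2.1 ----
IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010abe94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010abc38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010ac614] \SystemRoot\System32\Drivers\sptd.sys [.text]
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
---- EOF - GMER 2.1 ----
"""


def basename(path):
    """Last path component, lower-cased, so SysWOW64/syswow64 spellings group together."""
    return path.rsplit('\\', 1)[-1].lower()


def parse_log(text):
    """Split a GMER log into user hooks, kernel IAT hooks and active-ControlSet service paths."""
    user_hooks, iat_hooks, service_paths = [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_HOOK_RE.match(line)
        if m:
            user_hooks.append(m.groupdict())
            continue
        m = IAT_RE.match(line)
        if m:
            iat_hooks.append(m.groupdict())
            continue
        m = REG_P0_RE.match(line)
        if m:
            service_paths[m.group('svc').lower()] = m.group('path')
    return {'user_hooks': user_hooks, 'iat_hooks': iat_hooks, 'service_paths': service_paths}


def user_hook_summary(user_hooks):
    """{process[pid]: {hooked module: {module the hook jumps/calls into: count}}}."""
    out = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for h in user_hooks:
        out[basename(h['proc'])][basename(h['module'])][basename(h['tmod'])] += 1
    return {p: {m: dict(t) for m, t in mods.items()} for p, mods in out.items()}


def iat_hook_summary(iat_hooks, service_paths):
    """{hooking driver: imports rewritten, victim drivers, install path from the Cfg @p0 value}."""
    out = {}
    for h in iat_hooks:
        drv = basename(h['hooker'])
        entry = out.setdefault(drv, {'imports': 0, 'victims': set(), 'owner_path': None})
        entry['imports'] += 1
        entry['victims'].add(basename(h['victim']))
        # Service name is assumed to equal the driver file name without extension (true for sptd).
        entry['owner_path'] = service_paths.get(drv.rsplit('.', 1)[0])
    return out


if __name__ == '__main__':
    parsed = parse_log(SAMPLE_LOG)
    for proc, mods in user_hook_summary(parsed['user_hooks']).items():
        for mod, targets in mods.items():
            print(f'{proc}: {mod} hooked, targets -> {dict(targets)}')
    for drv, info in iat_hook_summary(parsed['iat_hooks'], parsed['service_paths']).items():
        print(f"{drv}: {info['imports']} IAT entries in {sorted(info['victims'])}, "
              f"service path: {info['owner_path']}")
```

Run against the full log, the user-hook summary collapses the 20-odd PSAPI/WSOCK32 lines into one row per hooked module for PnkBstrA.exe[1880], all landing in kernel32.dll or WS2_32.dll, and the IAT summary reports sptd.sys rewriting five ataport imports of atapi.sys with the DAEMON Tools Lite path attached. That is the shape a reviewer wants before deciding whether anything here needs a closer look; the script does not decide that for you.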