GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-14 23:50:26
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\00000066 WDC_____ rev.15.0 465,76GB
Running: 0wo32j07.exe; Driver: C:\Users\Mateusz\AppData\Local\Temp\pwriifow.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3596] C:\Windows\syswow64\USER32.dll!LoadStringW 0000000076f67c12 5 bytes {CALL 0xffffffff89309590}
.text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3596] C:\Program Files (x86)\DAEMON Tools Pro\BRD.dll!BRDFixer 000000000027100c 3 bytes JMP 000000000028079b
.text C:\Program Files (x86)\DAEMON Tools Pro\DTShellHlp.exe[3596] C:\Program Files (x86)\DAEMON Tools Pro\BRD.dll!BRDFixer + 5 0000000000271011 7 bytes [83, EC, FC, 0F, 86, BB, 61]

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001087e94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001087c38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001088614] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001088a10] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800108886c] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Devices - GMER 2.1 ----

Device \Driver\an5pwepd \Device\Scsi\an5pwepd1 fffffa800a3be2c0
Device \FileSystem\Ntfs \Ntfs fffffa8006ffd2c0
Device \Driver\iaStorA \Device\00000064 fffffa8006ff92c0
Device \Driver\usbehci \Device\USBPDO-1 fffffa800a2e42c0
Device \Driver\iaStorA \Device\RaidPort0 fffffa8006ff92c0
Device \Driver\cdrom \Device\CdRom0 fffffa8009c5b2c0
Device \Driver\iaStorA \Device\00000065 fffffa8006ff92c0
Device \Driver\usbehci \Device\USBFDO-0 fffffa800a2e42c0
Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa800a4f62c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{C7AC3D57-3445-484C-8673-C3772193A887} fffffa8009d092c0
Device \Driver\iaStorA \Device\00000066 fffffa8006ff92c0
Device \Driver\usbehci \Device\USBFDO-1 fffffa800a2e42c0
Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8009d092c0
Device \Driver\iaStorA \Device\ScsiPort0 fffffa8006ff92c0
Device \Driver\usbehci \Device\USBPDO-0 fffffa800a2e42c0
Device \Driver\an5pwepd \Device\ScsiPort1 fffffa800a3be2c0

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys iaStorF.sys >>UNKNOWN [0xfffffa8006ff92c0]<< sptd.sys storport.sys hal.dll iaStorA.sys fffffa8006ff92c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa8009a7a060] fffffa8009a7a060
Trace 3 CLASSPNP.SYS[fffff88001c5a43f] -> nt!IofCallDriver -> [0xfffffa800767ac50] fffffa800767ac50
Trace 5 iaStorF.sys[fffff88001df2a84] -> nt!IofCallDriver -> \Device\00000066[0xfffffa80072609c0] fffffa80072609c0
Trace \Driver\iaStorA[0xfffffa80071f3510] -> IRP_MJ_CREATE -> 0xfffffa8006ff92c0 fffffa8006ff92c0

---- Modules - GMER 2.1 ----

Module \SystemRoot\System32\Drivers\an5pwepd.SYS fffff88004f89000-fffff88004fda000 (331776 bytes)

---- Processes - GMER 2.1 ----

Process C:\Users\Mateusz\AppData\Local\SearchIndexer.exe (*** suspicious ***) @ C:\Users\Mateusz\AppData\Local\SearchIndexer.exe [2508] (Obraz JPEG)(2015-02-13 20:36:06) 0000000000400000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x1E 0x47 0x34 0xEE ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDD 0xF1 0xF8 0x2F ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x47 0xDC 0x32 0xCF ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x92 0xE0 0x60 0xB9 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x1E 0x47 0x34 0xEE ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDD 0xF1 0xF8 0x2F ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x47 0xDC 0x32 0xCF ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x92 0xE0 0x60 0xB9 ...

---- Files - GMER 2.1 ----

File C:\Users\Mateusz\AppData\Local\Mozilla\Firefox\Profiles\g78vpf5e.default\cache2\entries\E67A9CF2A0B3AF05E8B6732B7746CDD82990AF33 520 bytes
File C:\Users\Mateusz\AppData\Local\Mozilla\Firefox\Profiles\g78vpf5e.default\cache2\entries\2824D2453E9676E26A37E24B5F3B8988D15BCC27 6551 bytes
File C:\Users\Mateusz\AppData\Local\Mozilla\Firefox\Profiles\g78vpf5e.default\cache2\entries\D4B4576F9AEA28230466C8809D177487D8F8E421 1806 bytes
File C:\Users\Mateusz\AppData\Local\Mozilla\Firefox\Profiles\g78vpf5e.default\cache2\entries\6173182E09A4A8AB2E7F05E88727022A32E223AD 0 bytes
File C:\Users\Mateusz\AppData\Local\Mozilla\Firefox\Profiles\g78vpf5e.default\cache2\entries\EDA7DEF1B63890850274AF17ABAFCC8F191FD748 900 bytes
File C:\Users\Mateusz\AppData\Local\Mozilla\Firefox\Profiles\g78vpf5e.default\cache2\entries\1330C364B6AA16AECDC2BA489E90C8B309955F6F 5797 bytes
File C:\Users\Mateusz\AppData\Local\Mozilla\Firefox\Profiles\g78vpf5e.default\cache2\entries\D26F41DE867CDF310D9C7454A1299E69050F72FB 3733 bytes
File C:\Users\Mateusz\AppData\Local\SS_2015-02-14 23;32;06 255910 bytes
File C:\Users\Mateusz\AppData\Local\SS_2015-02-14 23;33;06 119640 bytes
File C:\Users\Mateusz\AppData\Local\SS_2015-02-14 23;34;06 254467 bytes

---- EOF - GMER 2.1 ----