GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-04-27 17:53:24 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 WDC_WD5000AZRX-00L4HB0 rev.01.01A01 465,76GB Running: h2x2vket.exe; Driver: C:\Users\Seven\AppData\Local\Temp\uwddykog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800021a4000 64 bytes [00, 00, 0C, 02, 46, 4D, 73, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 593 fffff800021a4041 80 bytes {ADD [RDI], DH; JB 0xa; CMP DL, 0xff; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2700] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076882aa4 5 bytes JMP 0000000100b62ac0 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010c1e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010c1c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010c2614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010c2a10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010c286c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\ataport.SYS[ntoskrnl.exe!KeInsertQueueDpc] [fffffa800394d840] [unknown section] IAT C:\Windows\system32\drivers\USBPORT.SYS[ntoskrnl.exe!KeInsertQueueDpc] [fffffa800523f840] [unknown section] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoAcquireRemoveLockEx] [fe8b41057320ff83] [unknown section] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoWMIRegistrationControl] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!ExFreePoolWithTag] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoWMIWriteEvent] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoRegisterDeviceInterface] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoSetDeviceInterfaceState] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoStartPacket] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoStartTimer] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!RtlInitUnicodeString] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoDeleteDevice] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!KeSetEvent] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoFreeWorkItem] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!MmGetSystemRoutineAddress] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!KeInitializeEvent] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!RtlQueryRegistryValues] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!RtlInitAnsiString] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!RtlGetVersion] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoDetachDevice] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!PoRequestPowerIrp] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoCancelIrp] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoStopTimer] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoStartNextPacket] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoAllocateWorkItem] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!_vsnwprintf] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!PoStartNextPowerIrp] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!_vsnprintf] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!ZwClose] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IofCompleteRequest] [fffff0b90c428b30] [unknown section] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoReleaseRemoveLockAndWaitEx] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoInitializeTimer] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoFreeIrp] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoSetCompletionRoutineEx] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!PoCallDriver] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoAllocateIrp] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!RtlCompareMemory] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!ObfReferenceObject] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoSetStartIoAttributes] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoInitializeRemoveLockEx] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] [fe3bd80344c20301] [unknown section] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoCreateDevice] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IofCallDriver] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!KeAcquireInStackQueuedSpinLockAtDpcLevel] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!KeReleaseInStackQueuedSpinLock] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoBuildPartialMdl] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoReleaseRemoveLockEx] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!KeAcquireInStackQueuedSpinLock] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoFreeMdl] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!KeDelayExecutionThread] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoGetSfioStreamIdentifier] [ff41f3f741c6ff49] [unknown section] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!KeRemoveEntryDeviceQueue] [ff46084103e0c0c2] [unknown section] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoQueueWorkItem] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoReleaseCancelSpinLock] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoAcquireCancelSpinLock] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoAllocateMdl] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!ZwEnumerateValueKey] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoGetDeviceInterfaces] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!ZwOpenKey] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!KeBugCheckEx] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!KeWaitForSingleObject] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!NlsMbCodePageTag] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoIs32bitProcess] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!MmProbeAndLockPages] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!MmUnlockPages] [f5860f2b3900856c] [unknown section] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoAllocateSfioStreamIdentifier] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoFreeSfioStreamIdentifier] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!IoGetIoPriorityHint] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!EtwUnregister] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!EtwRegister] [fff000188c8d4803] [unknown section] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!EtwEventEnabled] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!EtwWrite] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!EtwProviderEnabled] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[ntoskrnl.exe!__C_specific_handler] [?] IAT C:\Windows\System32\Drivers\aqd23q1s.SYS[USBD.SYS!USBD_CreateConfigurationRequestEx] [?] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80042e22c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80042e22c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80042e22c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80042e22c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa80042e22c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80042e22c0 Device \Driver\aqd23q1s \Device\Scsi\aqd23q1s1Port4Path0Target0Lun0 fffffa800544f2c0 Device \Driver\aqd23q1s \Device\Scsi\aqd23q1s1 fffffa800544f2c0 Device \FileSystem\Ntfs \Ntfs fffffa80042e62c0 Device \Driver\USBSTOR \Device\0000008e fffffa8005b1e2c0 Device \Driver\usbehci \Device\USBFDO-7 fffffa80052552c0 Device \Driver\usbohci \Device\USBFDO-3 fffffa80052412c0 Device \Driver\usbohci \Device\USBPDO-5 fffffa80052412c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80052552c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{5B81C28B-A8E0-40F6-ADD4-E8485403AC3A} fffffa800500c2c0 Device \Driver\cdrom \Device\CdRom0 fffffa8004ecc2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{68C4F057-BEC9-44A7-8D35-88D3BEE69440} fffffa800500c2c0 Device \Driver\cdrom \Device\CdRom1 fffffa8004ecc2c0 Device \Driver\USBSTOR \Device\00000090 fffffa8005b1e2c0 Device \Driver\cdrom \Device\CdRom2 fffffa8004ecc2c0 Device \Driver\USBSTOR \Device\0000008f fffffa8005b1e2c0 Device \Driver\usbehci \Device\USBFDO-4 fffffa80052552c0 Device \Driver\usbehci \Device\USBPDO-6 fffffa80052552c0 Device \Driver\usbohci \Device\USBPDO-2 fffffa80052412c0 Device \Driver\USBSTOR \Device\00000091 fffffa8005b1e2c0 Device \Driver\usbohci \Device\USBFDO-5 fffffa80052412c0 Device \Driver\usbohci \Device\USBFDO-1 fffffa80052412c0 Device \Driver\usbehci \Device\USBPDO-3 fffffa80052552c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800500c2c0 Device \Driver\usbohci \Device\USBFDO-6 fffffa80052412c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80042e22c0 Device \Driver\usbehci \Device\USBFDO-2 fffffa80052552c0 Device \Driver\usbohci \Device\USBPDO-4 fffffa80052412c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80042e22c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa80052412c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80042e22c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80042e22c0 Device \Driver\aqd23q1s \Device\ScsiPort4 fffffa800544f2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80042e22c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa80042e22c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a5b060] fffffa8004a5b060 Trace 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> [0xfffffa80047d0580] fffffa80047d0580 Trace 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0xfffffa80047d2060] fffffa80047d2060 Trace \Driver\atapi[0xfffffa80047b64c0] -> IRP_MJ_CREATE -> 0xfffffa80042e22c0 fffffa80042e22c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\aqd23q1s.SYS (USB Mass Storage Class Driver/Microsoft Corporation SIGNED)(2014-11-04 11:31:01) fffff88006400000-fffff88006451000 (331776 bytes) ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x24 0xBE 0x0C 0x15 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x69 0x8A 0x5B 0xAE ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x3E 0xF4 0x5F 0xAC ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x24 0xBE 0x0C 0x15 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x69 0x8A 0x5B 0xAE ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x3E 0xF4 0x5F 0xAC ... ---- EOF - GMER 2.1 ----