GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-08-25 19:40:44 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000DM003-1CH162 rev.CC47 931,51GB Running: 82dpqf1l.exe; Driver: C:\Users\Admin\AppData\Local\Temp\uwrdakob.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff880055b7d24 12 bytes {MOV RAX, 0xfffffa800517d2a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2116] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000764d1bb2 5 bytes JMP 000000010111f046 .text C:\Windows\SysWOW64\PnkBstrA.exe[2420] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000075041a22 2 bytes [04, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2420] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000075041ad0 2 bytes [04, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2420] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000075041b08 2 bytes [04, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2420] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000075041bba 2 bytes [04, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2420] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000075041bda 2 bytes [04, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000774a1465 2 bytes [4A, 77] .text C:\Windows\SysWOW64\PnkBstrA.exe[2420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774a14bb 2 bytes [4A, 77] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff88001063650] \SystemRoot\System32\Drivers\spov.sys [unknown section] IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff880010635dc] \SystemRoot\System32\Drivers\spov.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800102e35c] \SystemRoot\System32\Drivers\spov.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800102e224] \SystemRoot\System32\Drivers\spov.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800102ea24] \SystemRoot\System32\Drivers\spov.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800102eba0] \SystemRoot\System32\Drivers\spov.sys [unknown section] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa800439c2c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa800439c2c0 Device \FileSystem\Ntfs \Ntfs fffffa80043a22c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80052712c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa80052712c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{0206721A-9A84-4DF9-A5B4-EBD6A1BEA789} fffffa8004c7b2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80052712c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa80043982c0 Device \Driver\volmgr \Device\FtControl fffffa80043982c0 Device \Driver\volmgr \Device\VolMgrControl fffffa80043982c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa80043982c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa80043982c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004c7b2c0 Device \Driver\atapi \Device\ScsiPort0 fffffa800439c2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa80052712c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa800439c2c0]<< spov.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa800439c2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004854060] fffffa8004854060 Trace 3 CLASSPNP.SYS[fffff8800185143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004468680] fffffa8004468680 Trace \Driver\atapi[0xfffffa8004465890] -> IRP_MJ_CREATE -> 0xfffffa800439c2c0 fffffa800439c2c0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x56 0x13 0x4D 0x62 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x56 0x13 0x4D 0x62 ... ---- EOF - GMER 2.1 ----