GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-06-02 11:56:10 Windows 6.0.6002 Service Pack 3 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.FB4O 298,09GB Running: gmer.exe; Driver: C:\Users\Owner\AppData\Local\Temp\uwdoapog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload + 1 fffffa6002dbdf61 11 bytes {MOV RAX, 0xfffffa8006ca12a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Windows\SysWOW64\PnkBstrA.exe[2392] C:\Windows\SysWOW64\WSOCK32.dll!recv + 81 00000000736218a9 2 bytes CALL 7668142d C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2392] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 87 000000007362190e 2 bytes CALL 7668142d C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2392] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 00000000736219f0 2 bytes JMP 76198400 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2392] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 00000000736219fb 2 bytes JMP 761a8b38 C:\Windows\syswow64\WS2_32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3496] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 130 0000000076704228 1 byte [62] .text C:\Program Files (x86)\Bit Lord 1.1\BitLord.exe[2328] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774217d7 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Bit Lord 1.1\BitLord.exe[2328] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077423221 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Bit Lord 1.1\BitLord.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077439578 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Bit Lord 1.1\BitLord.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077439608 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Bit Lord 1.1\BitLord.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077439758 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Bit Lord 1.1\BitLord.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077439ab8 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Bit Lord 1.1\BitLord.exe[2328] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007743b24c 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Bit Lord 1.1\BitLord.exe[2328] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 130 0000000076704228 1 byte [62] .text C:\Program Files (x86)\Bit Lord 1.1\BitLord.exe[2328] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f8010d 5 bytes JMP 00000001001b0a08 .text C:\Program Files (x86)\Bit Lord 1.1\BitLord.exe[2328] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f803d2 5 bytes JMP 00000001001b0804 .text C:\Program Files (x86)\Bit Lord 1.1\BitLord.exe[2328] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f81b58 5 bytes JMP 00000001001b0600 .text C:\Program Files (x86)\Bit Lord 1.1\BitLord.exe[2328] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f86530 5 bytes JMP 00000001001b03fc .text C:\Program Files (x86)\Bit Lord 1.1\BitLord.exe[2328] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f9653e 5 bytes JMP 00000001001b01f8 .text C:\Program Files (x86)\Bit Lord 1.1\BitLord.exe[2328] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076079eb4 5 bytes JMP 00000001001c03fc .text C:\Program Files (x86)\Bit Lord 1.1\BitLord.exe[2328] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 000000007607a07e 5 bytes JMP 00000001001c0600 .text C:\Program Files (x86)\Bit Lord 1.1\BitLord.exe[2328] C:\Windows\syswow64\ADVAPI32.dll!SetServiceObjectSecurity 00000000760b6cd9 5 bytes JMP 00000001001c1014 .text C:\Program Files (x86)\Bit Lord 1.1\BitLord.exe[2328] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000760b6dd9 5 bytes JMP 00000001001c0804 .text C:\Program Files (x86)\Bit Lord 1.1\BitLord.exe[2328] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000760b6f81 5 bytes JMP 00000001001c0a08 .text C:\Program Files (x86)\Bit Lord 1.1\BitLord.exe[2328] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfig2A 00000000760b7099 5 bytes JMP 00000001001c0c0c .text C:\Program Files (x86)\Bit Lord 1.1\BitLord.exe[2328] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfig2W 00000000760b71e1 5 bytes JMP 00000001001c0e10 .text C:\Program Files (x86)\Bit Lord 1.1\BitLord.exe[2328] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000760b72a1 5 bytes JMP 00000001001c01f8 .text C:\Windows\Explorer.EXE[5548] C:\Windows\system32\ntdll.dll!LdrUnloadDll 0000000077246d20 5 bytes JMP 000000010018075c .text C:\Windows\Explorer.EXE[5548] C:\Windows\system32\ntdll.dll!LdrLoadDll 0000000077263bd0 5 bytes JMP 00000001001803a4 .text C:\Windows\Explorer.EXE[5548] C:\Windows\system32\ntdll.dll!NtAllocateVirtualMemory 0000000077276ff0 5 bytes JMP 0000000100180b14 .text C:\Windows\Explorer.EXE[5548] C:\Windows\system32\ntdll.dll!NtFreeVirtualMemory 0000000077277050 5 bytes JMP 0000000100180ecc .text C:\Windows\Explorer.EXE[5548] C:\Windows\system32\ntdll.dll!NtTerminateProcess 0000000077277130 5 bytes JMP 000000010018163c .text C:\Windows\Explorer.EXE[5548] C:\Windows\system32\ntdll.dll!NtProtectVirtualMemory 0000000077277370 5 bytes JMP 0000000100181284 .text C:\Windows\Explorer.EXE[5548] C:\Windows\system32\ntdll.dll!NtSetContextThread 0000000077278330 5 bytes JMP 00000001001819f4 .text C:\Windows\Explorer.EXE[5548] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 194 0000000077012c52 1 byte [62] .text C:\Users\Owner\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5904] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000774217d7 5 bytes JMP 00000001000301f8 .text C:\Users\Owner\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5904] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077423221 5 bytes JMP 00000001000303fc .text C:\Users\Owner\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5904] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077439578 5 bytes JMP 0000000100030600 .text C:\Users\Owner\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5904] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077439608 5 bytes JMP 0000000100030804 .text C:\Users\Owner\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5904] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077439758 5 bytes JMP 0000000100030c0c .text C:\Users\Owner\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5904] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077439ab8 5 bytes JMP 0000000100030a08 .text C:\Users\Owner\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5904] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 000000007743b24c 5 bytes JMP 0000000100030e10 .text C:\Users\Owner\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5904] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 130 0000000076704228 1 byte [62] .text C:\Users\Owner\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5904] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW 0000000076079eb4 5 bytes JMP 00000001001b03fc .text C:\Users\Owner\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5904] C:\Windows\syswow64\ADVAPI32.dll!DeleteService 000000007607a07e 5 bytes JMP 00000001001b0600 .text C:\Users\Owner\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5904] C:\Windows\syswow64\ADVAPI32.dll!SetServiceObjectSecurity 00000000760b6cd9 5 bytes JMP 00000001001b1014 .text C:\Users\Owner\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5904] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA 00000000760b6dd9 5 bytes JMP 00000001001b0804 .text C:\Users\Owner\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5904] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW 00000000760b6f81 5 bytes JMP 00000001001b0a08 .text C:\Users\Owner\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5904] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfig2A 00000000760b7099 5 bytes JMP 00000001001b0c0c .text C:\Users\Owner\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5904] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfig2W 00000000760b71e1 5 bytes JMP 00000001001b0e10 .text C:\Users\Owner\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5904] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA 00000000760b72a1 5 bytes JMP 00000001001b01f8 .text C:\Users\Owner\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5904] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f8010d 5 bytes JMP 00000001001c0a08 .text C:\Users\Owner\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5904] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f803d2 5 bytes JMP 00000001001c0804 .text C:\Users\Owner\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5904] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f81b58 5 bytes JMP 00000001001c0600 .text C:\Users\Owner\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5904] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f86530 5 bytes JMP 00000001001c03fc .text C:\Users\Owner\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[5904] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f9653e 5 bytes JMP 00000001001c01f8 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] [fffffa8004a50440] [unknown section] IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffffa6000a725b0] \SystemRoot\System32\Drivers\sppf.sys [unknown section] IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffffa6000a7253c] \SystemRoot\System32\Drivers\sppf.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [fffffa6000a372c0] \SystemRoot\System32\Drivers\sppf.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffffa6000a3735c] \SystemRoot\System32\Drivers\sppf.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffffa6000a37224] \SystemRoot\System32\Drivers\sppf.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffffa6000a37a24] \SystemRoot\System32\Drivers\sppf.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffffa6000a37ba0] \SystemRoot\System32\Drivers\sppf.sys [unknown section] IAT C:\Windows\system32\drivers\ataport.SYS[ntoskrnl.exe!DbgBreakPoint] [fffffa80040e6440] [unknown section] IAT C:\Windows\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] [fffffa8006ca1440] [unknown section] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa8004aa52c0 Device \Driver\USBSTOR \Device\0000007e fffffa800a00a2c0 Device \Driver\usbehci \Device\USBFDO-7 fffffa8006cfb2c0 Device \Driver\usbuhci \Device\USBPDO-5 fffffa8006ce82c0 Device \Driver\usbuhci \Device\USBFDO-3 fffffa8006ce82c0 Device \Driver\usbuhci \Device\USBPDO-1 fffffa8006ce82c0 Device \Driver\iScsiPrt \Device\RaidPort0 fffffa8006e992c0 Device \Driver\cdrom \Device\CdRom0 fffffa8006ea02c0 Device \Driver\netbt \Device\NetBT_Tcpip_{3E74D0C1-B618-4707-9B01-07E4F825E2D7} fffffa8007d152c0 Device \Driver\netbt \Device\NetBT_Tcpip_{69A87FC5-EF3B-4A6A-AC89-71C1FD3DF1DD} fffffa8007d152c0 Device \Driver\cdrom \Device\CdRom1 fffffa8006ea02c0 Device \Driver\usbuhci \Device\USBPDO-6 fffffa8006ce82c0 Device \Driver\usbuhci \Device\USBFDO-4 fffffa8006ce82c0 Device \Driver\usbuhci \Device\USBFDO-0 fffffa8006ce82c0 Device \Driver\usbehci \Device\USBPDO-2 fffffa8006cfb2c0 Device \Driver\usbehci \Device\USBPDO-7 fffffa8006cfb2c0 Device \Driver\usbuhci \Device\USBFDO-5 fffffa8006ce82c0 Device \Driver\usbuhci \Device\USBPDO-3 fffffa8006ce82c0 Device \Driver\usbuhci \Device\USBFDO-1 fffffa8006ce82c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa8004a9d2c0 Device \Driver\volmgr \Device\FtControl fffffa8004a9d2c0 Device \Driver\volmgr \Device\VolMgrControl fffffa8004a9d2c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa8004a9d2c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa8004a9d2c0 Device \Driver\volmgr \Device\HarddiskVolume4 fffffa8004a9d2c0 Device \Driver\USBSTOR \Device\0000007d fffffa800a00a2c0 Device \Driver\netbt \Device\NetBt_Wins_Export fffffa8007d152c0 Device \Driver\usbuhci \Device\USBFDO-6 fffffa8006ce82c0 Device \Driver\usbuhci \Device\USBPDO-4 fffffa8006ce82c0 Device \Driver\usbehci \Device\USBFDO-2 fffffa8006cfb2c0 Device \Driver\usbuhci \Device\USBPDO-0 fffffa8006ce82c0 Device \Driver\iScsiPrt \Device\ScsiPort2 fffffa8006e992c0 Device \Driver\Smb \Device\NetbiosSmb fffffa8007c352c0 ---- Threads - GMER 2.1 ---- Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:5708] 0000000073df7456 Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:5208] 0000000076ae2670 Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:5968] 0000000076ae2670 Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:4912] 0000000076ae2670 Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:4592] 000000006a694235 Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:1148] 000000007681ccae Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:4728] 000000006f072671 Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:3320] 000000006a5ef9bb Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:1320] 000000006a9cf906 Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:5956] 0000000072654b4f Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:3808] 0000000072654511 Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:2092] 0000000072654511 Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:3128] 0000000074c63289 Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:5288] 000000006a7400a3 Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:3640] 000000006f4d7e7e Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:5820] 0000000076ae2670 Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:5128] 00000000764d57e9 Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:1572] 0000000076ae2670 Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:5840] 000000006a4c6836 Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:3416] 000000006a4c6836 Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:5720] 000000006a4c6836 Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:5764] 00000000721f7a8c Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [2076:1192] 0000000075ab3402 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB3 0x1C 0xC8 0xEA ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x27 0x47 0x43 0x47 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB3 0x1C 0xC8 0xEA ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x27 0x47 0x43 0x47 ... ---- EOF - GMER 2.1 ----