GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-08-24 10:53:59 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD2500AAJS-00VTA0 rev.01.01B01 232,88GB Running: b98xx67y.exe; Driver: C:\Users\victor\AppData\Local\Temp\awrdrpob.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff880053b3d64 12 bytes {MOV RAX, 0xfffffa8002cc92a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\AVG\AVG10\avgfws.exe[1572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000768a1465 2 bytes [8A, 76] .text C:\Program Files (x86)\AVG\AVG10\avgfws.exe[1572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768a14bb 2 bytes [8A, 76] .text ... * 2 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000768a1465 2 bytes [8A, 76] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768a14bb 2 bytes [8A, 76] .text ... * 2 .text C:\Windows\SysWOW64\PnkBstrA.exe[2392] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000747c1a22 2 bytes [7C, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2392] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000747c1ad0 2 bytes [7C, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2392] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000747c1b08 2 bytes [7C, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2392] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000747c1bba 2 bytes [7C, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2392] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000747c1bda 2 bytes [7C, 74] .text C:\Windows\SysWOW64\PnkBstrB.exe[2424] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000747c1a22 2 bytes [7C, 74] .text C:\Windows\SysWOW64\PnkBstrB.exe[2424] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000747c1ad0 2 bytes [7C, 74] .text C:\Windows\SysWOW64\PnkBstrB.exe[2424] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000747c1b08 2 bytes [7C, 74] .text C:\Windows\SysWOW64\PnkBstrB.exe[2424] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000747c1bba 2 bytes [7C, 74] .text C:\Windows\SysWOW64\PnkBstrB.exe[2424] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000747c1bda 2 bytes [7C, 74] ? C:\Windows\system32\iertutil.dll [2876] entry point in ".rdata" section 0000000076f95251 .text C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe[3852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000768a1465 2 bytes [8A, 76] .text C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe[3852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768a14bb 2 bytes [8A, 76] .text ... * 2 .text C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000768a1465 2 bytes [8A, 76] .text C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000768a14bb 2 bytes [8A, 76] .text ... * 2 .text C:\Users\victor\Downloads\OTL.com[5436] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 00000000768a1465 2 bytes [8A, 76] .text C:\Users\victor\Downloads\OTL.com[5436] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000768a14bb 2 bytes [8A, 76] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800125cf1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800125ccc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800125d69c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800125da98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800125d8f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80018802c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80018802c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80018802c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 fffffa80018802c0 Device \FileSystem\Ntfs \Ntfs fffffa80018842c0 Device \FileSystem\fastfat \Fat fffffa80047c22c0 Device \Driver\USBSTOR \Device\0000007e fffffa8003ef42c0 Device \Driver\usbuhci \Device\USBFDO-3 fffffa8002cfb2c0 Device \Driver\usbuhci \Device\USBPDO-1 fffffa8002cfb2c0 Device \Driver\cdrom \Device\CdRom0 fffffa8002af22c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{E4CCAE9C-4ECD-42A4-AD0C-FC1D46EFBD0F} fffffa8002b962c0 Device \Driver\usbehci \Device\USBFDO-4 fffffa8002d592c0 Device \Driver\usbuhci \Device\USBFDO-0 fffffa8002cfb2c0 Device \Driver\usbuhci \Device\USBPDO-2 fffffa8002cfb2c0 Device \Driver\usbuhci \Device\USBPDO-3 fffffa8002cfb2c0 Device \Driver\usbuhci \Device\USBFDO-1 fffffa8002cfb2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8002b962c0 Device \Driver\USBSTOR \Device\0000007d fffffa8003ef42c0 Device \Driver\usbehci \Device\USBPDO-4 fffffa8002d592c0 Device \Driver\usbuhci \Device\USBFDO-2 fffffa8002cfb2c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80018802c0 Device \Driver\usbuhci \Device\USBPDO-0 fffffa8002cfb2c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80018802c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80018802c0]<< sptd.sys ataport.SYS intelide.sys fffffa80018802c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800290b060] fffffa800290b060 Trace 3 CLASSPNP.SYS[fffff88000dc943f] -> nt!IofCallDriver -> [0xfffffa800269d520] fffffa800269d520 Trace 5 ACPI.sys[fffff880013ac7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80026a3060] fffffa80026a3060 Trace \Driver\atapi[0xfffffa800266fe70] -> IRP_MJ_CREATE -> 0xfffffa80018802c0 fffffa80018802c0 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [504:1236] 000007fefb02331c Thread C:\Windows\System32\svchost.exe [504:3736] 000007fef66a44e0 Thread C:\Windows\System32\svchost.exe [504:3712] 000007fef87488f8 Thread C:\Windows\System32\svchost.exe [504:4764] 000007fef49220c0 Thread C:\Windows\System32\svchost.exe [504:4856] 000007fef49226a8 Thread C:\Windows\System32\svchost.exe [504:4928] 000007fef1d914a0 Thread C:\Windows\System32\svchost.exe [504:4960] 000007fef49229dc Thread C:\Windows\System32\svchost.exe [504:4964] 000007fef49229dc Thread C:\Windows\System32\svchost.exe [504:4996] 000007fef179a2b0 Thread C:\Windows\system32\svchost.exe [1120:1640] 000007fefb368274 Thread C:\Windows\system32\svchost.exe [1120:1140] 000007fefb368274 Thread C:\Windows\system32\svchost.exe [1420:1444] 000007fefcd01a70 Thread C:\Windows\system32\svchost.exe [1420:1448] 000007fefcd01a70 Thread C:\Windows\system32\svchost.exe [1420:1460] 000007fefcd01a70 Thread C:\Windows\system32\svchost.exe [1420:1472] 000007fefaa52c70 Thread C:\Windows\system32\svchost.exe [1420:1484] 000007fefaa5fb40 Thread C:\Windows\system32\svchost.exe [1420:1500] 000007fefaa71d20 Thread C:\Windows\system32\svchost.exe [1420:1504] 000007fefaa5f6f0 Thread C:\Windows\system32\svchost.exe [1420:1868] 000007fefa2635c0 Thread C:\Windows\system32\svchost.exe [1420:4544] 000007fefa265600 Thread C:\Windows\system32\svchost.exe [1420:4300] 000007fef1822888 Thread C:\Windows\system32\svchost.exe [1420:4312] 000007fef1812940 Thread C:\Windows\system32\svchost.exe [1420:1596] 000007fef1822a40 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x87 0x00 0xEA 0xBB ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x87 0x00 0xEA 0xBB ... ---- EOF - GMER 2.1 ----