GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-09-23 19:52:22 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS542525K9SA00 rev.BBFOC3BP 232,89GB Running: bszni7oc.exe; Driver: C:\Users\Admin\AppData\Local\Temp\uwddakob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff80002fa6000 63 bytes [45, 33, C0, E9, 5F, FD, 07, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 624 fffff80002fa6040 14 bytes [48, C1, E2, 20, 48, 0B, C2, ...] .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88004a9fd64 12 bytes {MOV RAX, 0xfffffa8004f9b2a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076041465 2 bytes [04, 76] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000760414bb 2 bytes [04, 76] .text ... * 2 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076041465 2 bytes [04, 76] .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000760414bb 2 bytes [04, 76] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001059f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001059cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800105a69c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800105aa98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800105a8f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa8003ca82c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa8003ca82c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa8003ca82c0 Device \FileSystem\Ntfs \Ntfs fffffa80045d22c0 Device \Driver\usbehci \Device\USBFDO-7 fffffa8004ff02c0 Device \Driver\USBSTOR \Device\00000078 fffffa8005d892c0 Device \Driver\usbuhci \Device\USBPDO-5 fffffa8004f6a2c0 Device \Driver\usbuhci \Device\USBFDO-3 fffffa8004f6a2c0 Device \Driver\usbuhci \Device\USBPDO-1 fffffa8004f6a2c0 Device \Driver\cdrom \Device\CdRom1 fffffa8005ce82c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{862BA295-7592-4EC7-B310-DB3F837D264F} fffffa8004e092c0 Device \Driver\usbuhci \Device\USBPDO-6 fffffa8004f6a2c0 Device \Driver\usbuhci \Device\USBFDO-4 fffffa8004f6a2c0 Device \Driver\usbehci \Device\USBPDO-2 fffffa8004ff02c0 Device \Driver\usbuhci \Device\USBFDO-0 fffffa8004f6a2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{53F637EC-A25E-4AAF-A5F6-B2BF4B26F482} fffffa8004e092c0 Device \Driver\usbehci \Device\USBPDO-7 fffffa8004ff02c0 Device \Driver\usbuhci \Device\USBFDO-5 fffffa8004f6a2c0 Device \Driver\usbuhci \Device\USBPDO-3 fffffa8004f6a2c0 Device \Driver\usbuhci \Device\USBFDO-1 fffffa8004f6a2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004e092c0 Device \Driver\usbuhci \Device\USBFDO-6 fffffa8004f6a2c0 Device \Driver\usbuhci \Device\USBPDO-4 fffffa8004f6a2c0 Device \Driver\USBSTOR \Device\00000077 fffffa8005d892c0 Device \Driver\atapi \Device\ScsiPort0 fffffa8003ca82c0 Device \Driver\usbehci \Device\USBFDO-2 fffffa8004ff02c0 Device \Driver\usbuhci \Device\USBPDO-0 fffffa8004f6a2c0 Device \Driver\atapi \Device\ScsiPort1 fffffa8003ca82c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{C5FEA82D-9791-4FE9-9AD4-0F974E7BC1D9} fffffa8004e092c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8003ca82c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa8003ca82c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c1d790] fffffa8004c1d790 Trace 3 CLASSPNP.SYS[fffff88001a8443f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80046c4680] fffffa80046c4680 Trace \Driver\atapi[0xfffffa80046ba230] -> IRP_MJ_CREATE -> 0xfffffa8003ca82c0 fffffa8003ca82c0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e3deb49d3 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x79 0xA6 0xEA 0x8B ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e3deb49d3 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x75 0x47 0x2F 0x20 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x1D 0xB4 0xDA 0x36 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x38 0xDD 0x16 0x0E ... ---- EOF - GMER 2.1 ----