GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-12-09 13:33:33 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3500320AS rev.SD1A 465,76GB Running: kbqx37b7.exe; Driver: C:\Users\ZAMLOD~1\AppData\Local\Temp\awrdrpoc.sys ---- Kernel code sections - GMER 2.1 ---- PAGE C:\Windows\system32\drivers\PCIIDEX.SYS!DllUnload fffff88000e64a50 12 bytes {MOV RAX, 0xfffffa8002d902a0; JMP RAX} PAGE C:\Windows\system32\drivers\ataport.SYS!DllUnload fffff88000ea24a0 12 bytes {MOV RAX, 0xfffffa800246e2a0; JMP RAX} .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff88002b6bd64 12 bytes {MOV RAX, 0xfffffa800376c2a0; JMP RAX} .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960000e4000 7 bytes [80, 93, F3, FF, 01, 9D, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000e4008 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\NETGEAR\WNA1100\WNA1100.exe[2264] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075a91465 2 bytes [A9, 75] .text C:\Program Files (x86)\NETGEAR\WNA1100\WNA1100.exe[2264] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075a914bb 2 bytes [A9, 75] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800109af1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800109acc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800109b69c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800109ba98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800109b8f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa8002d942c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa8002d942c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa8002d942c0 Device \Driver\a13dfwse \Device\Scsi\a13dfwse1 fffffa80039da2c0 Device \Driver\a13dfwse \Device\Scsi\a13dfwse1Port3Path0Target0Lun0 fffffa80039da2c0 Device \Driver\ay8a7o3m \Device\Scsi\ay8a7o3m1 fffffa80039982c0 Device \FileSystem\Ntfs \Ntfs fffffa8002d982c0 Device \Driver\usbuhci \Device\USBFDO-3 fffffa80036e22c0 Device \Driver\usbuhci \Device\USBPDO-1 fffffa80036e22c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{8C83C292-A42D-4009-8BFD-01C1CB970D11} fffffa800353f2c0 Device \Driver\cdrom \Device\CdRom0 fffffa80040442c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{9C913524-36C5-464F-AC0D-78588C128AE0} fffffa800353f2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{593D1EBA-B253-4767-A268-BDE769033C84} fffffa800353f2c0 Device \Driver\usbehci \Device\USBFDO-4 fffffa80037e62c0 Device \Driver\usbuhci \Device\USBFDO-0 fffffa80036e22c0 Device \Driver\usbuhci \Device\USBPDO-2 fffffa80036e22c0 Device \Driver\usbuhci \Device\USBPDO-3 fffffa80036e22c0 Device \Driver\usbuhci \Device\USBFDO-1 fffffa80036e22c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800353f2c0 Device \Driver\usbehci \Device\USBPDO-4 fffffa80037e62c0 Device \Driver\atapi \Device\ScsiPort0 fffffa8002d942c0 Device \Driver\usbuhci \Device\USBFDO-2 fffffa80036e22c0 Device \Driver\usbuhci \Device\USBPDO-0 fffffa80036e22c0 Device \Driver\atapi \Device\ScsiPort1 fffffa8002d942c0 Device \Driver\ay8a7o3m \Device\ScsiPort2 fffffa80039982c0 Device \Driver\a13dfwse \Device\ScsiPort3 fffffa80039da2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8002d942c0]<< sptd.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa8002d942c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003353060] fffffa8003353060 Trace 3 CLASSPNP.SYS[fffff8800140143f] -> nt!IofCallDriver -> [0xfffffa8003224520] fffffa8003224520 Trace 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800322a060] fffffa800322a060 Trace \Driver\atapi[0xfffffa8002e56060] -> IRP_MJ_CREATE -> 0xfffffa8002d942c0 fffffa8002d942c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\ay8a7o3m.SYS fffff88003b68000-fffff88003bb4000 (311296 bytes) Module \SystemRoot\System32\Drivers\a13dfwse.SYS fffff88002b99000-fffff88002bea000 (331776 bytes) ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [2956:1224] 000007fef4ba9688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158307d3e4 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158307d3e4@444e1a17e28b 0xB0 0x81 0x0F 0xB4 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158307d3e4@980d2e43f2c8 0x47 0xE3 0x01 0x23 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x47 0x84 0x66 0x95 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x0E 0x6B 0x05 0x66 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x99 0x05 0x30 0xB8 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x57 0xAC 0x03 0xE1 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x01 0x5A 0x1D 0x6B ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158307d3e4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158307d3e4@444e1a17e28b 0xB0 0x81 0x0F 0xB4 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158307d3e4@980d2e43f2c8 0x47 0xE3 0x01 0x23 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x47 0x84 0x66 0x95 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x0E 0x6B 0x05 0x66 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x99 0x05 0x30 0xB8 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x57 0xAC 0x03 0xE1 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x01 0x5A 0x1D 0x6B ... ---- EOF - GMER 2.1 ----