GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-04-20 23:14:55 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB Running: kh1gjygp.exe; Driver: C:\Users\Bartek\AppData\Local\Temp\awrdipob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800025f0000 45 bytes [00, 00, 15, 02, 46, 69, 6C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800025f002f 18 bytes [00, 00, 00, 00, 00, 00, 00, ...] .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff8800384bd8c 12 bytes {MOV RAX, 0xfffffa8006d8f2a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Windows\SysWOW64\PnkBstrA.exe[1764] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000072df1a22 2 bytes [DF, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[1764] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000072df1ad0 2 bytes [DF, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[1764] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000072df1b08 2 bytes [DF, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[1764] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000072df1bba 2 bytes [DF, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[1764] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000072df1bda 2 bytes [DF, 72] .text F:\utorrent\uTorrent.exe[4336] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075651465 2 bytes [65, 75] .text F:\utorrent\uTorrent.exe[4336] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756514bb 2 bytes [65, 75] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010b0f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010b0cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010b169c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010b1a98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010b18f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\az89x6jg \Device\Scsi\az89x6jg1 fffffa8006d9f2c0 Device \Driver\az89x6jg \Device\Scsi\az89x6jg1Port1Path0Target0Lun0 fffffa8006d9f2c0 Device \FileSystem\Ntfs \Ntfs fffffa800481f2c0 Device \FileSystem\fastfat \Fat fffffa8007fb72c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8006d242c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{3918791C-ACCB-44E0-B499-19AE90EBD040} fffffa8004e8a2c0 Device \Driver\cdrom \Device\CdRom0 fffffa8004e542c0 Device \Driver\cdrom \Device\CdRom1 fffffa8004e542c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8006d242c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{56CA1144-58B0-4D6F-90EB-E333CD4BDCDF} fffffa8004e8a2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8006d242c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004e8a2c0 Device \Driver\az89x6jg \Device\ScsiPort1 fffffa8006d9f2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8006d242c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{C8A6A8AF-2AC5-4C07-A822-F6BBC02149E6} fffffa8004e8a2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{46FD47DA-74AC-48EA-910F-8FD1CF40AC29} fffffa8004e8a2c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\az89x6jg.SYS fffff8800423c000-fffff88004281000 (282624 bytes) ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x76 0xF9 0xCF 0x35 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 F:\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE1 0x1D 0xE8 0x3F ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA9 0x38 0xFE 0xA4 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x76 0xF9 0xCF 0x35 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 F:\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE1 0x1D 0xE8 0x3F ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA9 0x38 0xFE 0xA4 ... ---- EOF - GMER 2.1 ----