GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-18 12:11:40 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST320LT0 rev.0001 298,09GB Running: 7v1yqfbd.exe; Driver: C:\Users\user\AppData\Local\Temp\awlcaaob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80003206000 45 bytes [00, 00, 15, 02, 46, 69, 6C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 574 fffff8000320602e 17 bytes [44, 00, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 00000000777ffaa8 5 bytes JMP 0000000173d0139f .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1916] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077800038 5 bytes JMP 0000000173d019ed ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010e2e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010e2c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010e3614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010e3a10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010e386c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 fffffa8004eb72c0 Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 fffffa8004eb72c0 Device \Driver\iaStor \Device\Ide\iaStor0 fffffa8004eb72c0 Device \FileSystem\Ntfs \Ntfs fffffa8004ebd2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8007d802c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{DF99A67F-D68B-4C97-8033-0926D8A55515} fffffa8007a7d2c0 Device \Driver\cdrom \Device\CdRom0 fffffa800794c2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{3B5F9AC6-C95C-4D8F-B5BB-4B7965F4BA9C} fffffa8007a7d2c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8007d802c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8007d802c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{EB447A90-8E3B-40E6-8EF3-88A2A6691F9D} fffffa8007a7d2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8007a7d2c0 Device \Driver\iaStor \Device\ScsiPort0 fffffa8004eb72c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{74E40595-6987-4118-91AA-A2A01955EE17} fffffa8007a7d2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8007d802c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{358B444E-DD88-4A6C-A88D-E9A1F6135FAC} fffffa8007a7d2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8004eb72c0]<< sptd.sys iaStor.sys hal.dll fffffa8004eb72c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007751060] fffffa8007751060 Trace 3 CLASSPNP.SYS[fffff88001e8b43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80058e4050] fffffa80058e4050 Trace \Driver\iaStor[0xfffffa8005893690] -> IRP_MJ_CREATE -> 0xfffffa8004eb72c0 fffffa8004eb72c0 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [568:1296] 000007fefad259a0 Thread C:\Windows\System32\svchost.exe [568:2988] 000007fefce61a70 Thread C:\Windows\System32\svchost.exe [568:4656] 000007fef85c88f8 Thread C:\Windows\System32\svchost.exe [568:4932] 000007fef7ff44e0 Thread C:\Windows\system32\svchost.exe [1152:3964] 000007fef26783d8 Thread C:\Windows\system32\svchost.exe [1152:3960] 000007fef26783d8 Thread C:\Windows\system32\svchost.exe [1152:1492] 000007fef2553f1c Thread C:\Windows\system32\svchost.exe [1152:1516] 000007fef2521a38 Thread C:\Windows\system32\svchost.exe [1152:3336] 000007fef2325388 Thread C:\Windows\system32\svchost.exe [1152:3280] 000007fef2307738 Thread C:\Windows\system32\svchost.exe [1152:3136] 000007fef22f1f90 Thread C:\Windows\system32\svchost.exe [1152:4484] 000007fef94f5170 Thread C:\Windows\system32\svchost.exe [1260:1440] 000007fefce61a70 Thread C:\Windows\system32\svchost.exe [1260:1448] 000007fefce61a70 Thread C:\Windows\system32\svchost.exe [1260:1504] 000007fefce61a70 Thread C:\Windows\system32\svchost.exe [1260:1552] 000007fef9ea2c70 Thread C:\Windows\system32\svchost.exe [1260:1564] 000007fef9eafb40 Thread C:\Windows\system32\svchost.exe [1260:1576] 000007fef9ec1d20 Thread C:\Windows\system32\svchost.exe [1260:1580] 000007fef9eaf6f0 Thread C:\Windows\system32\svchost.exe [1260:2140] 000007fef87335c0 Thread C:\Windows\system32\svchost.exe [1260:3064] 000007fef8735600 Thread C:\Windows\system32\svchost.exe [1260:2280] 000007fef5c92888 Thread C:\Windows\system32\svchost.exe [1260:2284] 000007fef5c82940 Thread C:\Windows\system32\svchost.exe [1260:1632] 000007fef5c92a40 Thread C:\Windows\System32\spoolsv.exe [1380:1796] 000007fef97f10c8 Thread C:\Windows\System32\spoolsv.exe [1380:1872] 000007fef9186144 Thread C:\Windows\System32\spoolsv.exe [1380:1876] 000007fef8f75fd0 Thread C:\Windows\System32\spoolsv.exe [1380:1880] 000007fef8f63438 Thread C:\Windows\System32\spoolsv.exe [1380:1884] 000007fef8f763ec Thread C:\Windows\System32\spoolsv.exe [1380:1892] 000007fef9885e5c Thread C:\Windows\System32\spoolsv.exe [1380:1976] 000007fef98b5074 Thread C:\Windows\System32\spoolsv.exe [1380:2316] 000007fef9848760 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00150079fe36 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4c80933836db Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x58 0xDA 0x78 0xF7 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x73 0xF7 0x38 0x69 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00150079fe36 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4c80933836db (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x58 0xDA 0x78 0xF7 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x73 0xF7 0x38 0x69 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ ---- EOF - GMER 2.1 ----