GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-10-01 15:59:12
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 SAMSUNG_HM321HI rev.2AJ10001 298,09GB
Running: bup6qo5m.exe; Driver: C:\Users\Piotr\AppData\Local\Temp\awddrkog.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable       fffff960000f1c00 7 bytes [00, 98, F3, FF, 01, A3, F0]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8   fffff960000f1c08 3 bytes [C0, 06, 02]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe[1852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69    0000000077351465 2 bytes [35, 77]
.text  C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe[1852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155   00000000773514bb 2 bytes [35, 77]
.text  ...                                                                                                              * 2
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322                          00000000731f1a22 2 bytes [1F, 73]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496                          00000000731f1ad0 2 bytes [1F, 73]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552                          00000000731f1b08 2 bytes [1F, 73]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730                          00000000731f1bba 2 bytes [1F, 73]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1868] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762                          00000000731f1bda 2 bytes [1F, 73]
.text  C:\Windows\SysWOW64\PnkBstrB.exe[1992] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322                          00000000731f1a22 2 bytes [1F, 73]
.text  C:\Windows\SysWOW64\PnkBstrB.exe[1992] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496                          00000000731f1ad0 2 bytes [1F, 73]
.text  C:\Windows\SysWOW64\PnkBstrB.exe[1992] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552                          00000000731f1b08 2 bytes [1F, 73]
.text  C:\Windows\SysWOW64\PnkBstrB.exe[1992] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730                          00000000731f1bba 2 bytes [1F, 73]
.text  C:\Windows\SysWOW64\PnkBstrB.exe[1992] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762                          00000000731f1bda 2 bytes [1F, 73]

---- Kernel IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]   [fffff88000e53e94] \SystemRoot\System32\Drivers\sptd.sys [unknown section]
IAT  C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar]          [fffff88000e53c38] \SystemRoot\System32\Drivers\sptd.sys [unknown section]
IAT  C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar]         [fffff88000e54614] \SystemRoot\System32\Drivers\sptd.sys [unknown section]
IAT  C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUlong]         [fffff88000e54a10] \SystemRoot\System32\Drivers\sptd.sys [unknown section]
IAT  C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]  [fffff88000e5486c] \SystemRoot\System32\Drivers\sptd.sys [unknown section]

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2216] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord]      [7fef796741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2216] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet]                  [7fef7965f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2216] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession]           [7fef7965674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2216] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession]         [7fef7965e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2216] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload]          [7fef7967f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2216] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion]        [7fef7966a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2216] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId]         [7fef7966ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2216] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef7967b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2216] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId]          [7fef7967ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2216] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId]  [7fef79678b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2216] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession]           [7fef7964fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2216] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId]             [7fef7965d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2216] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString]    [7fef7967584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Devices - GMER 2.1 ----

Device  \Driver\atapi \Device\Ide\IdePort0                                          fffffa800218a2c0
Device  \Driver\atapi \Device\Ide\IdePort1                                          fffffa800218a2c0
Device  \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-5                                 fffffa800218a2c0
Device  \Driver\atapi \Device\Ide\IdePort2                                          fffffa800218a2c0
Device  \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4                                 fffffa800218a2c0
Device  \Driver\atapi \Device\Ide\IdePort3                                          fffffa800218a2c0
Device  \FileSystem\Ntfs \Ntfs                                                      fffffa80021902c0
Device  \Driver\usbohci \Device\USBPDO-5                                            fffffa80035d42c0
Device  \Driver\usbehci \Device\USBFDO-3                                            fffffa80035d82c0
Device  \Driver\usbehci \Device\USBPDO-1                                            fffffa80035d82c0
Device  \Driver\USBSTOR \Device\00000070                                            fffffa8003fa32c0
Device  \Driver\cdrom \Device\CdRom0                                                fffffa80032112c0
Device  \Driver\usbehci \Device\USBPDO-6                                            fffffa80035d82c0
Device  \Driver\usbohci \Device\USBFDO-4                                            fffffa80035d42c0
Device  \Driver\USBSTOR \Device\00000075                                            fffffa8003fa32c0
Device  \Driver\usbohci \Device\USBFDO-0                                            fffffa80035d42c0
Device  \Driver\usbohci \Device\USBPDO-2                                            fffffa80035d42c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{6414636A-80F8-4561-B3E3-A68E73DFD93B}    fffffa80032752c0
Device  \Driver\usbohci \Device\USBFDO-5                                            fffffa80035d42c0
Device  \Driver\USBSTOR \Device\00000076                                            fffffa8003fa32c0
Device  \Driver\usbehci \Device\USBPDO-3                                            fffffa80035d82c0
Device  \Driver\usbehci \Device\USBFDO-1                                            fffffa80035d82c0
Device  \Driver\NetBT \Device\NetBt_Wins_Export                                     fffffa80032752c0
Device  \Driver\usbehci \Device\USBFDO-6                                            fffffa80035d82c0
Device  \Driver\usbohci \Device\USBPDO-4                                            fffffa80035d42c0
Device  \Driver\atapi \Device\ScsiPort0                                             fffffa800218a2c0
Device  \Driver\usbohci \Device\USBFDO-2                                            fffffa80035d42c0
Device  \Driver\usbohci \Device\USBPDO-0                                            fffffa80035d42c0
Device  \Driver\atapi \Device\ScsiPort1                                             fffffa800218a2c0
Device  \Driver\atapi \Device\ScsiPort2                                             fffffa800218a2c0
Device  \Driver\atapi \Device\ScsiPort3                                             fffffa800218a2c0

---- Trace I/O - GMER 2.1 ----

Trace  ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa800218a2c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys   fffffa800218a2c0
Trace  1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003113420]                                                              fffffa8003113420
Trace  3 CLASSPNP.SYS[fffff8800165a43f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0xfffffa8002f97680]                    fffffa8002f97680
Trace  \Driver\atapi[0xfffffa8002f6dcb0] -> IRP_MJ_CREATE -> 0xfffffa800218a2c0                                                     fffffa800218a2c0

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0        C:\Program Files (x86)\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0        0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0        0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12     0x90 0x21 0x66 0xBC ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0            C:\Program Files (x86)\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0            0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0            0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12         0x90 0x21 0x66 0xBC ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0   0xA0 0x02 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB9 0x84 0x75 0x2A ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xED 0xCD 0xFF 0x02 ...

---- Files - GMER 2.1 ----

File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\861C659BDC3968D66D1E579C4E8869AE028E2EC5  0 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\0272A5A2C69571C5979C1DE63FD0EE9E768D1D70  0 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\9FB1734874C1908BADB5CEF13B98A302384BF14C  0 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\66DC2807FC06213FC2C9303635406F7456AF82D3  689 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\6B0A1098E9BF2776031D034969929366724315E0  0 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\62B2CED14420F4A2A3B350891E69770D26B18936  0 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\1E0B037D9D03C9D36E39F4372EF22793FB79A2BD  0 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\8076315173A409EF678A12F5BBF2CDC3DDD94222  0 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\F53F6468A0C4C3478CFEDE9D6B7861EEEA3C0154  0 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\84313E90AE1FAD14B29E2043D3DB2BC2B3A0F307  13205 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\71232A029DC08AFA3C77CDEA75A91911A5374C4B  850 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\57A4352A5F7870C4E6ECA7FA8DD788B44BDBB69E  9125 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\8D1767630C9373327F3B46C2536A632B25EE2E14  13205 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\3A3B4316EE832D6241F70394E06410CCC24AFFAE  14175 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\E0E051930FAED022C17423DBD78408788453FA9C  1352 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\4CAC7527E019EF633EC26718442AF976BE95433A  3115 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\771E12CFC1CD581CD92ABD8A52A3E77941A452A5  20273 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\7A34D294ADE72A9D9E9886C998A96A471D553E0E  11941 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\C7E39436578BEE8CFA088BAD821A7A29C1A4DB86  1085 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\FB26CE299E4547EA5D75FBF72E3DBD8AF9788BF9  21213 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\ABA9ADECDB311362C993331D5A3F59117EFFD007  985 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\84A2FF14A871F3EC892682D26EAD200E95DA6FA8  9125 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\2B2704960D0E0CB3C8B8FD94834B37D2665213F0  2059 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\B46637BF6EE93C08FAB892BA340C74337F2B377F  3915 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\3AB1995D0239044F6F2FD1E22DF5A6B1EF5069A5  1523 bytes
File  C:\Users\Piotr\AppData\Local\Mozilla\Firefox\Profiles\7eqzjksm.default\cache2\entries\01DDE6BF526CC00275F258B610B464930583504D  678 bytes

---- EOF - GMER 2.1 ----