GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-10-17 20:50:52
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000BEVT-80A0RT1 rev.01.01A01 465,76GB
Running: glpex3px.exe; Driver: C:\Users\PATATA~1\AppData\Local\Temp\awtcikog.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80003008000 45 bytes [00, 00, 22, 02, 4D, 6D, 43, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff8000300802f 16 bytes [00, 0C, 00, 00, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text C:\Users\patatashka\AppData\Local\Screamer Radio\screamer.exe[12356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f61465 2 bytes [F6, 76]
.text C:\Users\patatashka\AppData\Local\Screamer Radio\screamer.exe[12356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f614bb 2 bytes [F6, 76]
.text ... * 2
.text C:\Users\patatashka\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe[13092] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f61465 2 bytes [F6, 76]
.text C:\Users\patatashka\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe[13092] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f614bb 2 bytes [F6, 76]
.text ... * 2

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001048e94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001048c38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001049614] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001049a10] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800104986c] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Devices - GMER 2.1 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa8003b242c0
Device \Driver\atapi \Device\Ide\IdePort0 fffffa8003b242c0
Device \Driver\atapi \Device\Ide\IdePort1 fffffa8003b242c0
Device \Driver\atapi \Device\Ide\IdePort2 fffffa8003b242c0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa8003b242c0
Device \Driver\atapi \Device\Ide\IdePort3 fffffa8003b242c0
Device \Driver\JMCR \Device\Scsi\JMCR3Port6Path0TargetffLun0 fffffa80052f32c0
Device \Driver\JMCR \Device\Scsi\JMCR2Port5Path0TargetffLun0 fffffa80052f32c0
Device \Driver\JMCR \Device\Scsi\JMCR4Port7Path0TargetffLun0 fffffa80052f32c0
Device \Driver\JMCR \Device\Scsi\JMCR1Port4Path0TargetffLun0 fffffa80052f32c0
Device \Driver\JMCR \Device\Scsi\JMCR1 fffffa80052f32c0
Device \Driver\JMCR \Device\Scsi\JMCR2 fffffa80052f32c0
Device \Driver\JMCR \Device\Scsi\JMCR3 fffffa80052f32c0
Device \Driver\JMCR \Device\Scsi\JMCR4 fffffa80052f32c0
Device \FileSystem\Ntfs \Ntfs fffffa80044662c0
Device \FileSystem\fastfat \Fat fffffa800b21c2c0
Device \Driver\JMCR \Device\ScsiPort7 fffffa80052f32c0
Device \Driver\USBSTOR \Device\0000008a fffffa800904d2c0
Device \Driver\usbehci \Device\USBPDO-1 fffffa80052902c0
Device \Driver\cdrom \Device\CdRom0 fffffa8004d6f2c0
Device \Driver\cdrom \Device\CdRom1 fffffa8004d6f2c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{25334E9C-4CE6-4572-A5D7-26009ED7CA86} fffffa80050792c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{FAFAAFA4-7845-40D2-8654-8FDC25C97094} fffffa80050792c0
Device \Driver\USBSTOR \Device\0000008b fffffa800904d2c0
Device \Driver\usbehci \Device\USBFDO-0 fffffa80052902c0
Device \Driver\USBSTOR \Device\00000089 fffffa800904d2c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{5A2EE2ED-CBCE-4D15-A3F2-977E8A8FC431} fffffa80050792c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{087EF09C-AFF1-483F-86D0-64743B4C2DF0} fffffa80050792c0
Device \Driver\USBSTOR \Device\0000008c fffffa800904d2c0
Device \Driver\usbehci \Device\USBFDO-1 fffffa80052902c0
Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80050792c0
Device \Driver\atapi \Device\ScsiPort0 fffffa8003b242c0
Device \Driver\usbehci \Device\USBPDO-0 fffffa80052902c0
Device \Driver\atapi \Device\ScsiPort1 fffffa8003b242c0
Device \Driver\atapi \Device\ScsiPort2 fffffa8003b242c0
Device \Driver\atapi \Device\ScsiPort3 fffffa8003b242c0
Device \Driver\JMCR \Device\ScsiPort4 fffffa80052f32c0
Device \Driver\JMCR \Device\ScsiPort5 fffffa80052f32c0
Device \Driver\JMCR \Device\ScsiPort6 fffffa80052f32c0

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8003b242c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa8003b242c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c8d060] fffffa8004c8d060
Trace 3 CLASSPNP.SYS[fffff880013af43f] -> nt!IofCallDriver -> [0xfffffa80048b87f0] fffffa80048b87f0
Trace 5 ACPI.sys[fffff8800116f7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80049d7680] fffffa80049d7680
Trace \Driver\atapi[0xfffffa8004984370] -> IRP_MJ_CREATE -> 0xfffffa8003b242c0 fffffa8003b242c0

---- Threads - GMER 2.1 ----

Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2164] 0000000077c73e85
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2180] 0000000077c72e65
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2288] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2300] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2304] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2312] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2316] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2360] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2364] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2368] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2372] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2376] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2720] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2716] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2724] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2736] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2740] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2748] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2756] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2760] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2768] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:2780] 0000000077c73e85
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:6108] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:12928] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:4156] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:13116] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:13144] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:5344] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:11892] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:5236] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:11480] 00000000746d29e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1932:12524] 00000000746d29e1

---- Processes - GMER 2.1 ----

Process C:\Users\patatashka\AppData\Local\Screamer Radio\screamer.exe (*** suspicious ***) @ C:\Users\patatashka\AppData\Local\Screamer Radio\screamer.exe [12356] (Screamer Radio/Steamcore.se)(2010-11-20 14:58:08) 0000000000400000
Library C:\Users\patatashka\AppData\Local\Screamer Radio\iconv.dll (*** suspicious ***) @ C:\Users\patatashka\AppData\Local\Screamer Radio\screamer.exe [12356] (LGPLed libiconv for Windows NT/2000/XP and Windows 95/98/ME/Free Software Foundation)(2007-01-17 22:52:02) 0000000010000000
Library C:\Users\patatashka\AppData\Local\Screamer Radio\bass.dll (*** suspicious ***) @ C:\Users\patatashka\AppData\Local\Screamer Radio\screamer.exe [12356] (BASS/Un4seen Developments)(2010-06-17 11:31:40) 0000000011000000
Library C:\Users\patatashka\AppData\Local\Screamer Radio\basswma.dll (*** suspicious ***) @ C:\Users\patatashka\AppData\Local\Screamer Radio\screamer.exe [12356] (BASSWMA/Un4seen Developments)(2010-09-17 11:28:26) 0000000010100000
Library C:\Users\patatashka\AppData\Local\Screamer Radio\bass_aac.dll (*** suspicious ***) @ C:\Users\patatashka\AppData\Local\Screamer Radio\screamer.exe [12356] (Advanced Audio Coding and MPEG-4 add-on for the BASS library/MaresWEB)(2009-02-27 13:52:50) 0000000002390000
Library C:\Users\patatashka\AppData\Local\Screamer Radio\lame_enc.dll (*** suspicious ***) @ C:\Users\patatashka\AppData\Local\Screamer Radio\screamer.exe [12356](2010-03-23 08:05:18) 00000000706a0000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167c9c175
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167c9c175@000d44beb983 0xEA 0xC4 0x34 0xE6 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167c9c175@980d2e41e8d6 0xBF 0x04 0x9A 0x1B ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167c9c175 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167c9c175@000d44beb983 0xEA 0xC4 0x34 0xE6 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167c9c175@980d2e41e8d6 0xBF 0x04 0x9A 0x1B ...

---- EOF - GMER 2.1 ----
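Added example, not part of the log above and not a GMER feature: a small Python triage script that parses the section structure of a GMER 2.1 log and groups what the scanner reports so the relationships an analyst otherwise infers by eye are explicit: which module every hooked kernel import now points into, which exports were patched in each user-mode process, which flagged modules load from a user-writable profile path, which flagged registry keys belong to the active control set, and which driver owns the device object that the I/O trace marks UNKNOWN. The embedded SAMPLE_LOG is a short excerpt copied from the log above; all function and pattern names are my own.

```python
"""Triage helper for GMER 2.1 rootkit-scan logs (added example; not a GMER feature).

Splits the log on its '---- <section> - GMER 2.1 ----' headers and groups the
entries so that the relationships an analyst has to infer by eye are explicit.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
IAT_RE = re.compile(r"^IAT\s+(?P<image>\S+)\[(?P<export>[^\]]+)\]\s+\[(?P<slot>[0-9a-f]+)\]\s+"
                    r"(?P<target>\S+)\s+\[(?P<section>[^\]]+)\]$")
TEXT_RE = re.compile(r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<func>\S+!\S+) \+ (?P<off>\d+)\s+"
                     r"(?P<addr>[0-9a-f]{16})\s+(?P<n>\d+) bytes \[(?P<bytes>[^\]]*)\]$")
MODULE_RE = re.compile(r"^(?P<kind>Process|Library)\s+(?P<path>.+?)\s+\(\*\*\* suspicious \*\*\*\)\s+@\s+"
                       r"(?P<host>.+?)\s+\[(?P<pid>\d+)\]")
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+)(?:\s+(?P<data>.*))?$")
DEVICE_RE = re.compile(r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<addr>[0-9a-f]{16})$")
TRACE_UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x(?P<addr>[0-9a-f]+)\]<<")

# Short excerpt copied from the log above; a real run would read the whole file.
SAMPLE_LOG = r"""
GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-10-17 20:50:52
---- User code sections - GMER 2.1 ----
.text C:\Users\patatashka\AppData\Local\Screamer Radio\screamer.exe[12356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f61465 2 bytes [F6, 76]
.text C:\Users\patatashka\AppData\Local\Screamer Radio\screamer.exe[12356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f614bb 2 bytes [F6, 76]
.text ... * 2
---- Kernel IAT/EAT - GMER 2.1 ----
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001048e94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001049a10] \SystemRoot\System32\Drivers\sptd.sys [.text]
---- Devices - GMER 2.1 ----
Device \Driver\atapi \Device\Ide\IdePort0 fffffa8003b242c0
Device \Driver\cdrom \Device\CdRom0 fffffa8004d6f2c0
---- Trace I/O - GMER 2.1 ----
Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8003b242c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa8003b242c0
---- Processes - GMER 2.1 ----
Process C:\Users\patatashka\AppData\Local\Screamer Radio\screamer.exe (*** suspicious ***) @ C:\Users\patatashka\AppData\Local\Screamer Radio\screamer.exe [12356] (Screamer Radio/Steamcore.se)(2010-11-20 14:58:08) 0000000000400000
Library C:\Users\patatashka\AppData\Local\Screamer Radio\bass.dll (*** suspicious ***) @ C:\Users\patatashka\AppData\Local\Screamer Radio\screamer.exe [12356] (BASS/Un4seen Developments)(2010-06-17 11:31:40) 0000000011000000
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167c9c175
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167c9c175@000d44beb983 0xEA 0xC4 0x34 0xE6 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167c9c175 (not active ControlSet)
---- EOF - GMER 2.1 ----
"""


def split_sections(text):
    """Return {section name: [entry lines]}; lines before the first header land under 'header'."""
    sections, current = defaultdict(list), "header"
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
        else:
            sections[current].append(line)
    return sections


def kernel_iat_hooks(text):
    """Group kernel IAT hooks by the module the import slot now resolves into."""
    hooks = defaultdict(list)
    for line in split_sections(text).get("Kernel IAT/EAT", []):
        m = IAT_RE.match(line)
        if m:
            hooks[m.group("target")].append((m.group("image"), m.group("export"), m.group("slot")))
    return dict(hooks)


def user_code_patches(text):
    """Group user-mode code patches by 'process[pid]': (patched export, offset, patch bytes)."""
    patches = defaultdict(list)
    for line in split_sections(text).get("User code sections", []):
        m = TEXT_RE.match(line)
        if m:  # '.text ... * 2' summary lines carry no data and are skipped on purpose
            patches[f'{m.group("proc")}[{m.group("pid")}]'].append(
                (m.group("func"), int(m.group("off")), m.group("bytes")))
    return dict(patches)


def flagged_modules(text):
    """Processes and libraries GMER marked '*** suspicious ***', noting user-writable load paths."""
    out = []
    for line in split_sections(text).get("Processes", []):
        m = MODULE_RE.match(line)
        if m:
            path = m.group("path")
            out.append({"kind": m.group("kind"), "path": path, "pid": int(m.group("pid")),
                        "user_writable": "\\Users\\" in path or "\\AppData\\" in path})
    return out


def registry_entries(text):
    r"""Registry keys GMER could not read through the normal API.

    BTHPORT\Parameters\Keys holds Bluetooth pairing link keys and is readable only by
    SYSTEM, so it is a frequent benign entry; inactive ControlSets do not affect the
    running system, so those are separated out rather than counted as live findings."""
    out = []
    for line in split_sections(text).get("Registry", []):
        m = REG_RE.match(line)
        if m:
            key = m.group("key")
            out.append({"key": key, "data": m.group("data") or "",
                        "active": key.startswith("HKLM\\SYSTEM\\CurrentControlSet\\"),
                        "bluetooth_link_key": "\\BTHPORT\\Parameters\\Keys\\" in key})
    return out


def trace_unknown_owner(text):
    """Map each '>>UNKNOWN [0x...]<<' address in the I/O trace to the driver(s) whose
    device objects share that address in the Devices section."""
    sec = split_sections(text)
    devices = defaultdict(set)
    for line in sec.get("Devices", []):
        m = DEVICE_RE.match(line)
        if m:
            devices[m.group("addr")].add(m.group("driver"))
    return {m.group("addr"): sorted(devices.get(m.group("addr"), ()))
            for line in sec.get("Trace I/O", []) for m in TRACE_UNKNOWN_RE.finditer(line)}


def triage(text):
    """All groupings in one dict, which is the shape you would attach to a ticket."""
    return {"kernel_iat_hooks": kernel_iat_hooks(text), "user_code_patches": user_code_patches(text),
            "flagged_modules": flagged_modules(text), "registry": registry_entries(text),
            "trace_unknown": trace_unknown_owner(text)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run against the full log, the grouping makes the pattern in the Kernel IAT/EAT section obvious: every hooked atapi.sys import is redirected into the same module, \SystemRoot\System32\Drivers\sptd.sys, and the device object the trace marks UNKNOWN (0xfffffa8003b242c0) is the one shared by all \Driver\atapi devices, with sptd.sys sitting in that stack. sptd.sys is the SCSI Pass Through Direct driver installed with Daemon Tools and Alcohol 120%, and GMER reports its atapi hooks in exactly this way on systems that have either installed; verify by checking the driver's signature and the installed software list rather than reading the hook alone as proof of a rootkit. Likewise, the user-writable flag on the Screamer Radio files says only that they live under the profile, which is a prompt to hash and verify them, not a verdict.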