GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-06 19:58:22 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 MAXTOR_STM3500320AS rev.MX1A 465,76GB Running: fk5iu5yj.exe; Driver: C:\Users\Henry\AppData\Local\Temp\fwddipob.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88004228d64 12 bytes {MOV RAX, 0xfffffa80051432a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075441465 2 bytes [44, 75] .text C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe[1968] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754414bb 2 bytes [44, 75] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880012b10c0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880012b0e4c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880012b1838] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880012b0600] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880012b1a8c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdePort4 fffffa80039aa2c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80039aa2c0 Device \Driver\atapi \Device\Ide\IdePort5 fffffa80039aa2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80039aa2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-3 fffffa80039aa2c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80039aa2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 fffffa80039aa2c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80039aa2c0 Device \FileSystem\Ntfs \Ntfs fffffa80039ae2c0 Device \FileSystem\fastfat \Fat fffffa80064d22c0 Device \Driver\usbehci \Device\USBFDO-7 fffffa80052932c0 Device \Driver\usbuhci \Device\USBPDO-5 fffffa80051412c0 Device \Driver\usbehci \Device\USBFDO-3 fffffa80052932c0 Device \Driver\usbuhci \Device\USBPDO-1 fffffa80051412c0 Device \Driver\USBSTOR \Device\00000070 fffffa8005a862c0 Device \Driver\cdrom \Device\CdRom0 fffffa8004bd42c0 Device \Driver\USBSTOR \Device\0000006f fffffa8005a862c0 Device \Driver\usbuhci \Device\USBPDO-6 fffffa80051412c0 Device \Driver\usbuhci \Device\USBFDO-4 fffffa80051412c0 Device \Driver\usbuhci \Device\USBFDO-0 fffffa80051412c0 Device \Driver\usbuhci \Device\USBPDO-2 fffffa80051412c0 Device \Driver\usbehci \Device\USBPDO-7 fffffa80052932c0 Device \Driver\usbuhci \Device\USBFDO-5 fffffa80051412c0 Device \Driver\usbehci \Device\USBPDO-3 fffffa80052932c0 Device \Driver\usbuhci \Device\USBFDO-1 fffffa80051412c0 Device \Driver\USBSTOR \Device\0000006d fffffa8005a862c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80046cb2c0 Device \Driver\usbuhci \Device\USBFDO-6 fffffa80051412c0 Device \Driver\usbuhci \Device\USBPDO-4 fffffa80051412c0 Device \Driver\usbuhci \Device\USBFDO-2 fffffa80051412c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80039aa2c0 Device \Driver\usbuhci \Device\USBPDO-0 fffffa80051412c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80039aa2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{7DEAD7D9-182C-4D7B-912E-7B200565FB98} fffffa80046cb2c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80039aa2c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80039aa2c0 Device \Driver\atapi \Device\ScsiPort4 fffffa80039aa2c0 Device \Driver\atapi \Device\ScsiPort5 fffffa80039aa2c0 Device \Driver\USBSTOR \Device\0000006e fffffa8005a862c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80039aa2c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa80039aa2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80046a7060] fffffa80046a7060 Trace 3 CLASSPNP.SYS[fffff88001a1243f] -> nt!IofCallDriver -> [0xfffffa8004450520] fffffa8004450520 Trace 5 ACPI.sys[fffff8800123a7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa8004451680] fffffa8004451680 Trace \Driver\atapi[0xfffffa80043ca730] -> IRP_MJ_CREATE -> 0xfffffa80039aa2c0 fffffa80039aa2c0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 ---- EOF - GMER 2.1 ----