GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-05-11 15:24:43
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2 SAMSUNG_ rev.1AC0 298,09GB
Running: m57g1hli.exe; Driver: C:\Users\Deba\AppData\Local\Temp\awlciaog.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\system32\drivers\USBPORT.SYS!DllUnload  fffff8800504cd64 12 bytes {MOV RAX, 0xfffffa8009e5d2a0; JMP RAX}

---- User code sections - GMER 2.1 ----

.text  C:\Windows\SysWOW64\PnkBstrA.exe[3676] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322  0000000074461a22 2 bytes [46, 74]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3676] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496  0000000074461ad0 2 bytes [46, 74]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3676] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552  0000000074461b08 2 bytes [46, 74]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3676] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730  0000000074461bba 2 bytes [46, 74]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3676] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762  0000000074461bda 2 bytes [46, 74]

---- Kernel IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]  [fffff88001086f1c] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]  [fffff88001086cc0] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]  [fffff8800108769c] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong]  [fffff88001087a98] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]  [fffff880010878f4] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtReadVirtualMemory]  [41d80244cf8beed3]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtQueryInformationProcess]  [41277fdb8445e1d3]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtOpenFile]  [b60f41012454b60f]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtDeviceIoControlFile]  [e2c1cbbe0f412404]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!DbgPrompt]  [b02c48349d9f708]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!_wcsicmp]  [8041ca0b44e2d3d0]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlInitializeSListHead]  [8d48f63302eb10c3]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtAlpcOpenSenderThread]  [a8848bffff6fc305]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtQueryInformationThread]  [41f03c8d00001380]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtQueryValueKey]  [803d19e8c1c18b]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlInitUnicodeStringEx]  [48c18b4153730000]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtEnumerateKey]  [1084be0f4619e8c1]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtOpenKey]  [24643b4c00001590]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtAlpcCreatePort]  [430000031d830f60]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlCreateBoundaryDescriptor]  [4400001610108c8a]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlAddSIDToBoundaryDescriptor]  [db8445e1d341d92a]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtOpenPrivateNamespace]  [12454b60f41307f]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtCreatePrivateNamespace]  [be0f412404b60f41]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtOpenEvent]  [8349d9f708e2c1cb]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtCreateEvent]  [b44e2d3d00b02c4]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtDeletePrivateNamespace]  [450beb10c38041ca]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlDeleteBoundaryDescriptor]  [13c42c741c033]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlCreateUserThread]  [34124348b480000]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtCreateTimer]  [5074c084455cebf8]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtSetTimer]  [b9f98b41d0b60f41]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!AlpcInitializeMessageAttribute]  [2a45ca2b00000020]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!AlpcGetMessageAttribute]  [e1d341ca8befd3d8]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtQuerySystemInformation]  [b60f41237fdb8445]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtAlpcSendWaitReceivePort]  [2404b60f41012454]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtAlpcAcceptConnectPort]  [f708e2c1cbbe0f41]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtResetEvent]  [d3d00b02c48349d9]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlExitUserThread]  [10c38041ca0b44e2]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtOpenProcess]  [3ffff6ef9058d48]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlInterlockedFlushSList]  [7eb00001380a8bc]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtFreeVirtualMemory]  [8b00001380afbc8b]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtAllocateVirtualMemory]  [89e968246c]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlLengthRequiredSid]  [f417e7603f88341]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlInitializeSid]  [41000012503894b6]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlSubAuthoritySid]  [2b00000020b9f98b]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlLengthSid]  [ca8befd3da2a44ca]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlCreateSecurityDescriptor]  [4b7fdb8445e1d341]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlCreateAcl]  [f41012454b60f41]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlAddAccessAllowedAce]  [c1cbbe0f412404b6]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlSetDaclSecurityDescriptor]  [10c38041d9f708e2]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlCreateServiceSid]  [e2d302c48349d00b]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlRandomEx]  [237fdb8445ca0b44]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!_vsnwprintf]  [f41012454b60f41]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtSetValueKey]  [c1cbbe0f412404b6]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtQueryPerformanceCounter]  [2c48349d9f708e2]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlCompareMemory]  [41ca0b44e2d3d00b]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtAlpcImpersonateClientOfPort]  [6e66058d4810c380]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlGetCurrentProcessorNumber]  [138080bc0342ffff]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtQueueApcThread]  [1bf05eb0000]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtDelayExecution]  [42894174428b4100]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtWaitForSingleObject]  [42894170428b4178]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtSetSystemInformation]  [70827c8b4313eb74]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtSetInformationThread]  [428b410d74c08545]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtResumeThread]  [8941708244894370]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtOpenThread]  [1fb8102c383707a]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!EtwLogTraceEvent]  [137850f000001]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!DbgPrintEx]  [f7c38041c18b4500]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlReleasePrivilege]  [17e8c14109e1c141]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlFreeHeap]  [b60f41237fdb8445]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlAcquirePrivilege]  [2404b60f41012454]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlAllocateHeap]  [f708e2c1cbbe0f41]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtQueryTimerResolution]  [d3d00b02c48349d9]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!EtwUnregisterTraceGuids]  [10c38041ca0b44e2]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!EtwRegisterTraceGuidsW]  [ee830f08e0ba0f41]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!EtwGetTraceLoggerHandle]  [890fc08445000000]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlInterlockedPushEntrySList]  [40c0f6410000009a]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtCancelTimer]  [8b413fe083414674]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtSetTimerResolution]  [e0c141f7c38041d9]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlVirtualUnwind]  [9e1c14117ebc109]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlLookupFunctionEntry]  [b60f41237fdb8445]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlCaptureContext]  [2404b60f41012454]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtSetEvent]  [f708e2c1cbbe0f41]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtClose]  [d3d00b02c48349d9]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtWaitForMultipleObjects]  [10c38041ca0b44e2]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!RtlNtStatusToDosError]  [99e9c30b44]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!memset]  [fac380413fe08341]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!memcpy]  [45d88b4106e0c141]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!__C_specific_handler]  [c14106e1c141c18b]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[AVRT.dll!AvSetMmThreadCharacteristicsW]  [ff49c6ff49360488]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[AVRT.dll!AvRevertMmThreadCharacteristics]  [2341e97501ea83c0]

---- Devices - GMER 2.1 ----

Device  \Driver\atapi \Device\Ide\IdePort0  fffffa800667f2c0
Device  \Driver\atapi \Device\Ide\IdePort1  fffffa800667f2c0
Device  \FileSystem\Ntfs \Ntfs  fffffa800668b2c0
Device  \FileSystem\fastfat \Fat  fffffa800ac322c0
Device  \Driver\WUDFRd \Device\UMDFCtrlDev-0b013073-ba3b-11e2-b81b-bc5ff4712206  fffff88009f323f4
Device  \Driver\WudfPf \Device\WUDFLpcDevice  fffff88009f15910
Device  \Driver\WPRO_41_2001 \Device\WPRO_41_2001_{46B6CCAC-D4ED-4C9F-BA94-40C40CD5AD97}  fffff88009ed4b68
Device  \Driver\usbehci \Device\USBPDO-1  fffffa800728b2c0
Device  \Driver\secdrv \Device\AscKmd  fffff88009ba462c
Device  \Driver\AsrRamDisk \Device\RaidPort0  fffffa80066872c0
Device  \Driver\cdrom \Device\CdRom0  fffffa8009b952c0
Device  \FileSystem\srvnet \Device\SrvAdmin  fffff88009bc0ed0
Device  \FileSystem\srv \Device\LanmanServer  fffff88009e7ec60
Device  \Driver\WudfPf \Device\HostProcess-be776ca0-86e6-4080-bbc9-2338b7fd237e  fffff88009f15910
Device  \Driver\usbehci \Device\USBFDO-0  fffffa800728b2c0
Device  \FileSystem\srvnet \Device\SrvNet  fffff88009bc0ed0
Device  \Driver\WudfPf \Device\HostProcess-fb62e979-044b-4fa2-ae19-408feb1b2044  fffff88009f15910
Device  \Driver\WudfPf \Device\HostProcess-b4e73166-292f-4969-ac99-94d4b7c35f89  fffff88009f15910
Device  \Driver\WudfPf \Device\HostProcess-754cb2b3-e092-419e-a9bc-b89fa044dc3b  fffff88009f15910
Device  \Driver\usbehci \Device\USBFDO-1  fffffa800728b2c0
Device  \Driver\USBSTOR \Device\00000082  fffffa8009bad2c0
Device  \Driver\secdrv \Device\Secdrv  fffff88009ba462c
Device  \Driver\NetBT \Device\NetBT_Tcpip_{46B6CCAC-D4ED-4C9F-BA94-40C40CD5AD97}  fffffa8009c462c0
Device  \Driver\NetBT \Device\NetBt_Wins_Export  fffffa8009c462c0
Device  \Driver\WudfPf \Device\ProcessManagement  fffff88009f15910
Device  \Driver\usbehci \Device\USBPDO-0  fffffa800728b2c0
Device  \Driver\atapi \Device\ScsiPort1  fffffa800667f2c0
Device  \Driver\USBSTOR \Device\00000083  fffffa8009bad2c0
Device  \Driver\atapi \Device\ScsiPort2  fffffa800667f2c0
Device  \FileSystem\srv2 \Device\Srv2  fffff88009a445a0
Device  \Driver\AsrRamDisk \Device\ScsiPort3  fffffa80066872c0

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  E:\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xE1 0x93 0xAB 0xCE ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0  0xA0 0x02 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12  0x53 0x9B 0x62 0xF1 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12  0x65 0x17 0x1B 0x5A ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  E:\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xE1 0x93 0xAB 0xCE ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0  0xA0 0x02 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12  0x53 0x9B 0x62 0xF1 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12  0x65 0x17 0x1B 0x5A ...

---- EOF - GMER 2.1 ----
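The log above is raw GMER output; what an analyst actually wants from it is a short list of the entries that need a decision. The script below is an added example (not GMER's code and not part of the original post) that splits a GMER 2.1 log into its `---- ... - GMER 2.1 ----` sections and raises findings for four patterns visible in this log: the 12-byte inline patch of `USBPORT.SYS!DllUnload` (a `MOV RAX, imm64; JMP RAX` trampoline is the textbook kernel inline hook), the `atapi.sys` imports from `ataport.SYS` that resolve into `sptd.sys` rather than `ataport.SYS` (cross-referenced against the Registry section, which shows a `services\sptd` key whose `@p0` value is `E:\DAEMON Tools Lite\`), the 2-byte patches of `WSOCK32.dll!setsockopt` inside `PnkBstrA.exe[3676]`, and user-mode IAT slot values such as `41d80244cf8beed3` that cannot be canonical x64 user-mode pointers and therefore cannot point into any loaded module. Whether each finding is benign is deliberately left to the analyst; the script only makes the candidates explicit. The embedded `SAMPLE_LOG` is constructed from a handful of lines on this page so the script runs offline; `Finding`, `triage`, `parse_gmer` and `service_hint` are names chosen for this example.

```python
"""Triage a GMER 2.1 log: parse its sections, flag entries worth a second look.
Added example, not part of GMER. SAMPLE_LOG is constructed from lines on this page."""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_LOG = r"""GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-05-11 15:24:43
---- Kernel code sections - GMER 2.1 ----
.text  C:\Windows\system32\drivers\USBPORT.SYS!DllUnload  fffff8800504cd64 12 bytes {MOV RAX, 0xfffffa8009e5d2a0; JMP RAX}
---- User code sections - GMER 2.1 ----
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3676] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322  0000000074461a22 2 bytes [46, 74]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[3676] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496  0000000074461ad0 2 bytes [46, 74]
---- Kernel IAT/EAT - GMER 2.1 ----
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]  [fffff88001086cc0] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]  [fffff8800108769c] \SystemRoot\System32\Drivers\sptd.sys [.text]
---- User IAT/EAT - GMER 2.1 ----
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtReadVirtualMemory]  [41d80244cf8beed3]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtAllocateVirtualMemory]  [89e968246c]
IAT  C:\Windows\system32\svchost.exe[1132] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtQueueApcThread]  [1bf05eb0000]
---- Registry - GMER 2.1 ----
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  E:\DAEMON Tools Lite\
---- EOF - GMER 2.1 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER 2\.1 ----$")
# .text <target> <16-hex address> <n> bytes <detail>
TEXT_RE = re.compile(r"^\.text\s+(?P<target>.+?)\s+(?P<addr>[0-9a-f]{16})\s+(?P<size>\d+) bytes\s*(?P<detail>.*)$")
# IAT <importer>[<lib>!<func>] [<slot value>] [<resolved module> [<section>]]
IAT_RE = re.compile(r"^IAT\s+(?P<importer>.+?)\[(?P<lib>[^\]!]+)!(?P<func>[^\]]+)\]\s+\[(?P<value>[0-9a-f]+)\]"
                    r"(?:\s+(?P<resolved>\S+)\s+\[(?P<sect>[^\]]+)\])?$")
# Reg <key>[@<value name>] [<data>]
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+?)(?:@(?P<name>\S+))?(?:\s+(?P<value>.+))?$")


@dataclass
class Finding:
    severity: str   # "high" or "review"
    section: str
    subject: str
    note: str


def parse_gmer(text):
    """Return {section name: [entry line, ...]}; lines before the first header go under 'Header'."""
    sections, current = defaultdict(list), "Header"
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        sections[current].append(line)
    return sections


def plausible_user_pointer(value):
    """x64 user mode lives in the lower canonical half: bits 47 and up must be clear."""
    return 0 < value < (1 << 47)


def service_hint(sections, driver_path):
    """If the Registry section lists a service named after the driver, return its @p0 value."""
    name = driver_path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]   # sptd.sys -> sptd
    for line in sections.get("Registry", []):
        m = REG_RE.match(line)
        if m and f"\\services\\{name}\\" in m["key"].lower() and m["name"] == "p0":
            return f" (service '{name}' registered, p0 = {m['value']})"
    return ""


def triage(text):
    sections, findings = parse_gmer(text), []
    # 1. Any modification of kernel code is high: signed driver images are not patched in place.
    for line in sections.get("Kernel code sections", []):
        m = TEXT_RE.match(line)
        if m:
            findings.append(Finding("high", "Kernel code sections", m["target"],
                                    f"{m['size']}-byte inline patch at {m['addr']}: {m['detail']}"))
    # 2. Kernel IAT slots that resolve into a module other than the import library, grouped per target.
    redirects = defaultdict(list)
    for line in sections.get("Kernel IAT/EAT", []):
        m = IAT_RE.match(line)
        if m and m["resolved"] and m["resolved"].rsplit("\\", 1)[-1].lower() != m["lib"].lower():
            redirects[(m["importer"], m["lib"], m["resolved"])].append(m["func"])
    for (importer, lib, resolved), funcs in redirects.items():
        findings.append(Finding("review", "Kernel IAT/EAT", importer,
                                f"{len(funcs)} import(s) from {lib} resolve into {resolved}"
                                f"{service_hint(sections, resolved)}: {', '.join(funcs)}"))
    # 3. User-mode code patches, grouped per process (the '<exe>[pid] ' prefix ends at '] ').
    patches = defaultdict(list)
    for line in sections.get("User code sections", []):
        m = TEXT_RE.match(line)
        if m:
            proc, _, where = m["target"].partition("] ")
            patches[proc + "]"].append(f"{where} ({m['size']} bytes {m['detail']})")
    for proc, items in patches.items():
        findings.append(Finding("review", "User code sections", proc, f"{len(items)} patch(es): " + "; ".join(items)))
    # 4. User IAT slots whose value cannot be a user-mode pointer at all.
    for line in sections.get("User IAT/EAT", []):
        m = IAT_RE.match(line)
        if m and not plausible_user_pointer(int(m["value"], 16)):
            findings.append(Finding("review", "User IAT/EAT", m["importer"].strip(),
                                    f"{m['lib']}!{m['func']} slot holds 0x{m['value']}, not a canonical user-mode address"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.subject}\n         {f.note}")
```

Run against the full log above, the script reports one high finding (the `USBPORT.SYS` trampoline), one grouped redirect of five `atapi.sys` imports into `sptd.sys` with the DAEMON Tools path from the Registry section attached, the five `setsockopt` patches in `PnkBstrA.exe`, and every `mmcss.dll` slot whose value has bits set above bit 47. The canonical-address check is a necessary condition only: a value in the user range still has to be matched against the process's loaded-module list before it can be called a legitimate import.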