GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2014-01-10 13:15:00 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS543225L9A300 rev.FBEOC40C 232,89GB Running: hl7x9wqr.exe; Driver: C:\Users\Jarek\AppData\Local\Temp\kwddykog.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88003e6bc34 12 bytes {MOV RAX, 0xfffffa80049832a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e51465 2 bytes [E5, 74] .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e514bb 2 bytes [E5, 74] .text ... * 2 .text C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe[1828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e51465 2 bytes [E5, 74] .text C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe[1828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e514bb 2 bytes [E5, 74] .text ... * 2 .text C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e51465 2 bytes [E5, 74] .text C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe[1868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e514bb 2 bytes [E5, 74] .text ... * 2 .text C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e51465 2 bytes [E5, 74] .text C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e514bb 2 bytes [E5, 74] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1940] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e51465 2 bytes [E5, 74] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1940] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e514bb 2 bytes [E5, 74] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e51465 2 bytes [E5, 74] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[2468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e514bb 2 bytes [E5, 74] .text ... * 2 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e51465 2 bytes [E5, 74] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[2516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e514bb 2 bytes [E5, 74] .text ... * 2 .text C:\Users\Jarek\AppData\Roaming\minerd\bfgminer.exe[2560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e51465 2 bytes [E5, 74] .text C:\Users\Jarek\AppData\Roaming\minerd\bfgminer.exe[2560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e514bb 2 bytes [E5, 74] .text ... * 2 .text C:\Windows\SysWOW64\rundll32.exe[2692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e51465 2 bytes [E5, 74] .text C:\Windows\SysWOW64\rundll32.exe[2692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e514bb 2 bytes [E5, 74] .text ... * 2 .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[3360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e51465 2 bytes [E5, 74] .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[3360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e514bb 2 bytes [E5, 74] .text ... * 2 .text C:\Users\Jarek\Downloads\hl7x9wqr.exe[3568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074e51465 2 bytes [E5, 74] .text C:\Users\Jarek\Downloads\hl7x9wqr.exe[3568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074e514bb 2 bytes [E5, 74] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001048ed8] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001048c7c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001049658] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001049a54] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010498b0] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80036a32c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80036a32c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80036a32c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 fffffa80036a32c0 Device \Driver\awexo72l \Device\Scsi\awexo72l1 fffffa800493a2c0 Device \Driver\awexo72l \Device\Scsi\awexo72l1Port2Path0Target0Lun0 fffffa800493a2c0 Device \FileSystem\Ntfs \Ntfs fffffa80036a72c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80049422c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{6CBF67F5-8FF0-4982-AEC8-94D1F53736EF} fffffa80047692c0 Device \Driver\cdrom \Device\CdRom0 fffffa80046892c0 Device \Driver\cdrom \Device\CdRom1 fffffa80046892c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa800497d2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80049422c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80047692c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{438633F6-CB07-4F69-A137-08DA1381175D} fffffa80047692c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80036a32c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa800497d2c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80036a32c0 Device \Driver\awexo72l \Device\ScsiPort2 fffffa800493a2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{151F621E-0403-4EEF-865F-A609C0DD3AD2} fffffa80047692c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80036a32c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa80036a32c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80045f5060] fffffa80045f5060 Trace 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> [0xfffffa8003656e40] fffffa8003656e40 Trace 5 ACPI.sys[fffff8800118f781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800448e060] fffffa800448e060 Trace \Driver\atapi[0xfffffa8004488e70] -> IRP_MJ_CREATE -> 0xfffffa80036a32c0 fffffa80036a32c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\awexo72l.SYS fffff88004000000-fffff8800404d000 (315392 bytes) ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3C 0xFD 0xD4 0xB1 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE3 0x17 0x1F 0xF9 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD4 0xF8 0x4F 0xA6 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3C 0xFD 0xD4 0xB1 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE3 0x17 0x1F 0xF9 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD4 0xF8 0x4F 0xA6 ... ---- EOF - GMER 2.1 ----