GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-04-25 22:21:38
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD1600JS-22MHB0 rev.02.01C03 149,05GB
Running: hcx9x50y.exe; Driver: C:\Users\user\AppData\Local\Temp\awlcaaob.sys


---- Kernel IAT/EAT - GMER 2.1 ----

IAT     C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]      [fffff88001099e94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT     C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]             [fffff88001099c38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT     C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]            [fffff8800109a614] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT     C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong]            [fffff8800109aa10] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT     C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]     [fffff8800109a86c] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT     C:\Windows\system32\ntoskrnl.exe[PSHED.dll!PshedEnableErrorSource]                  [?]
IAT     C:\Windows\system32\ntoskrnl.exe[PSHED.dll!PshedSetErrorSourceInfo]                 [?]
IAT     C:\Windows\system32\ntoskrnl.exe[PSHED.dll!PshedDisableErrorSource]                 [?]
IAT     C:\Windows\system32\ntoskrnl.exe[PSHED.dll!PshedGetInjectionCapabilities]           [?]
IAT     C:\Windows\system32\ntoskrnl.exe[PSHED.dll!PshedInjectError]                        [?]
IAT     C:\Windows\system32\ntoskrnl.exe[PSHED.dll!PshedFinalizeErrorRecord]                [?]
IAT     C:\Windows\system32\ntoskrnl.exe[PSHED.dll!PshedBugCheckSystem]                     [?]
IAT     C:\Windows\system32\ntoskrnl.exe[PSHED.dll!PshedAttemptErrorRecovery]               [?]
IAT     C:\Windows\system32\ntoskrnl.exe[PSHED.dll!PshedWriteErrorRecord]                   [?]
IAT     C:\Windows\system32\ntoskrnl.exe[PSHED.dll!PshedFreeMemory]                         [?]
IAT     C:\Windows\system32\ntoskrnl.exe[PSHED.dll!PshedClearErrorRecord]                   [?]
IAT     C:\Windows\system32\ntoskrnl.exe[PSHED.dll!PshedIsSystemWheaEnabled]                [?]
IAT     C:\Windows\system32\ntoskrnl.exe[PSHED.dll!PshedInitialize]                         [?]
IAT     C:\Windows\system32\ntoskrnl.exe[PSHED.dll!PshedReadErrorRecord]                    [?]
IAT     C:\Windows\system32\ntoskrnl.exe[PSHED.dll!PshedAllocateMemory]                     [?]
IAT     C:\Windows\system32\ntoskrnl.exe[PSHED.dll!PshedGetBootErrorPacket]                 [?]
IAT     C:\Windows\system32\ntoskrnl.exe[PSHED.dll!PshedGetAllErrorSources]                 [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalIsHyperThreadingEnabled]                [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalEnumerateProcessors]                    [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalQueryMaximumProcessorCount]             [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalStartNextProcessor]                     [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalRegisterDynamicProcessor]               [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalStartDynamicProcessor]                  [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalInitializeProcessor]                    [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalSendSoftwareInterrupt]                  [ffe60fe8fff81fc4] [unknown section]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalCalibratePerformanceCounter]            [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!KeStallExecutionProcessor]                 [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalEnableInterrupt]                        [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalRequestClockInterrupt]                  [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalSetProfileInterval]                     [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalStartProfileInterrupt]                  [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalStopProfileInterrupt]                   [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalHandleNMI]                              [f0d975c085483043] [unknown section]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalPerformEndOfInterrupt]                  [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalRequestSoftwareInterrupt]               [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalHandleMcheck]                           [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalRequestIpi]                             [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalDisableInterrupt]                       [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!KeFlushWriteBuffer]                        [ff412aebed3345e7] [unknown section]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalGetInterruptTargetInformation]          [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalInitializeOnResume]                     [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalProcessorIdle]                          [f5e8cd8b410a7440] [unknown section]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalAllocateCrashDumpRegisters]             [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalSetTimeIncrement]                       [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalGetEnvironmentVariable]                 [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalSetEnvironmentVariable]                 [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalGetEnvironmentVariableEx]               [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalSetEnvironmentVariableEx]               [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalEnumerateEnvironmentVariablesEx]        [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalQueryEnvironmentVariableInfoEx]         [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalSetRealTimeClock]                       [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalSetBusDataByOffset]                     [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalGetBusDataByOffset]                     [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalReturnToFirmware]                       [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalGetProcessorIdByNtNumber]               [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalTranslateBusAddress]                    [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalGetMessageRoutingInfo]                  [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalGetVectorInput]                         [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalRegisterErrataCallbacks]                [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!KeQueryPerformanceCounter]                 [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalRequestDeferredRecoveryServiceInterrupt] [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalAllProcessorsStarted]                   [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalInitSystem]                             [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalQueryRealTimeClock]                     [?]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalInitializeBios]                         [f04f740000022886] [unknown section]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalReportResourceUsage]                    [fb3b480030678348] [unknown section]
IAT     C:\Windows\system32\ntoskrnl.exe[HAL.dll!HalSendNMI]                                [?]
IAT     C:\Windows\system32\ntoskrnl.exe[KDCOM.dll!KdD3Transition]                          [?]
IAT     C:\Windows\system32\ntoskrnl.exe[KDCOM.dll!KdD0Transition]                          [?]
IAT     C:\Windows\system32\ntoskrnl.exe[KDCOM.dll!KdReceivePacket]                         [?]
IAT     C:\Windows\system32\ntoskrnl.exe[KDCOM.dll!KdSendPacket]                            [?]
IAT     C:\Windows\system32\ntoskrnl.exe[KDCOM.dll!KdRestore]                               [?]
IAT     C:\Windows\system32\ntoskrnl.exe[KDCOM.dll!KdSave]                                  [?]
IAT     C:\Windows\system32\ntoskrnl.exe[KDCOM.dll!KdDebuggerInitialize0]                   [?]
IAT     C:\Windows\system32\ntoskrnl.exe[KDCOM.dll!KdDebuggerInitialize1]                   [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsAdvanceLogBase]                       [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsMgmtTailAdvanceFailure]               [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsPrivGetBaseLogFileFromFileObjectPointer] [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsMgmtHandleLogFileFull]                [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsLsnGreater]                           [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsReserveAndAppendLogAligned]           [f98b490a048d4830] [unknown section]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsMgmtSetLogFileSize]                   [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsLsnDifference]                        [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsAddLogContainer]                      [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsCreateMarshallingArea]                [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsLsnLess]                              [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsLsnContainer]                         [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsFlushToLsn]                           [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsLsnInvalid]                           [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsGetLogFileInformation]                [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsMgmtDeregisterManagedClient]          [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsCloseLogFileObject]                   [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsMgmtInstallPolicy]                    [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsMgmtRegisterManagedClient]            [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsCreateLogFile]                        [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!CLFS_LSN_INVALID]                         [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsLsnEqual]                             [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsReadLogRecord]                        [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsReadNextLogRecord]                    [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsTerminateReadLog]                     [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsWriteRestartArea]                     [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsDeleteLogByPointer]                   [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsDeleteMarshallingArea]                [fdb15fe8c52b45d0] [unknown section]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!CLFS_LSN_NULL]                            [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsReserveAndAppendLog]                  [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CLFS.SYS!ClfsReadRestartArea]                      [?]
IAT     C:\Windows\system32\ntoskrnl.exe[CI.dll!CiInitialize]                               [f83c67058d4c1973] [unknown section]

---- Devices - GMER 2.1 ----

Device  \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-3                                       fffffa80036a32c0
Device  \Driver\atapi \Device\Ide\IdePort0                                                 fffffa80036a32c0
Device  \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-5                                       fffffa80036a32c0
Device  \Driver\atapi \Device\Ide\IdePort1                                                 fffffa80036a32c0
Device  \Driver\atapi \Device\Ide\IdePort2                                                 fffffa80036a32c0
Device  \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2                                       fffffa80036a32c0
Device  \Driver\atapi \Device\Ide\IdePort3                                                 fffffa80036a32c0
Device  \Driver\a14x7pgn \Device\Scsi\a14x7pgn1Port4Path0Target0Lun0                      fffffa8004c402c0
Device  \Driver\a14x7pgn \Device\Scsi\a14x7pgn1                                            fffffa8004c402c0
Device  \FileSystem\Ntfs \Ntfs                                                             fffffa80036a72c0
Device  \FileSystem\fastfat \Fat                                                           fffffa8005b672c0
Device  \Driver\usbuhci \Device\USBFDO-3                                                   fffffa8004b912c0
Device  \Driver\USBSTOR \Device\00000074                                                   fffffa800592e2c0
Device  \Driver\usbuhci \Device\USBPDO-1                                                   fffffa8004b912c0
Device  \Driver\cdrom \Device\CdRom0                                                       fffffa80048732c0
Device  \Driver\cdrom \Device\CdRom1                                                       fffffa80048732c0
Device  \Driver\usbehci \Device\USBFDO-4                                                   fffffa8004bac2c0
Device  \Driver\USBSTOR \Device\00000075                                                   fffffa800592e2c0
Device  \Driver\usbuhci \Device\USBFDO-0                                                   fffffa8004b912c0
Device  \Driver\usbuhci \Device\USBPDO-2                                                   fffffa8004b912c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{1D2A6BF5-B753-4206-9464-D704E03A609D}           fffffa80049072c0
Device  \Driver\USBSTOR \Device\00000076                                                   fffffa800592e2c0
Device  \Driver\usbuhci \Device\USBPDO-3                                                   fffffa8004b912c0
Device  \Driver\usbuhci \Device\USBFDO-1                                                   fffffa8004b912c0
Device  \Driver\NetBT \Device\NetBt_Wins_Export                                            fffffa80049072c0
Device  \Driver\USBSTOR \Device\00000077                                                   fffffa800592e2c0
Device  \Driver\usbehci \Device\USBPDO-4                                                   fffffa8004bac2c0
Device  \Driver\atapi \Device\ScsiPort0                                                    fffffa80036a32c0
Device  \Driver\usbuhci \Device\USBFDO-2                                                   fffffa8004b912c0
Device  \Driver\usbuhci \Device\USBPDO-0                                                   fffffa8004b912c0
Device  \Driver\atapi \Device\ScsiPort1                                                    fffffa80036a32c0
Device  \Driver\atapi \Device\ScsiPort2                                                    fffffa80036a32c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{A4301BA0-BB6F-4DE3-BE6A-1C1199D0580C}           fffffa80049072c0
Device  \Driver\atapi \Device\ScsiPort3                                                    fffffa80036a32c0
Device  \Driver\a14x7pgn \Device\ScsiPort4                                                 fffffa8004c402c0
Device  \Driver\USBSTOR \Device\0000006e                                                   fffffa800592e2c0

---- Trace I/O - GMER 2.1 ----

Trace   ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ntoskrnl.exe >>UNKNOWN [0xfffffa80036a32c0]<< sptd.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys    fffffa80036a32c0
Trace   1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80043c9130]                    fffffa80043c9130
Trace   3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> [0xfffffa80040c4670]       fffffa80040c4670
Trace   5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa80040dd060]    fffffa80040dd060
Trace   \Driver\atapi[0xfffffa80040bde70] -> IRP_MJ_CREATE -> 0xfffffa80036a32c0           fffffa80036a32c0

---- Modules - GMER 2.1 ----

Module  \SystemRoot\System32\Drivers\a14x7pgn.SYS                                          fffff88005573000-fffff880055b8000 (282624 bytes)

---- Registry - GMER 2.1 ----

Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                   C:\Program Files (x86)\DAEMON Tools Lite\
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                   0x00 0x00 0x00 0x00 ...
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                   0
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                0xD7 0xF1 0x76 0x35 ...
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0          0x20 0x01 0x00 0x00 ...
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12       0xC8 0x3A 0xBB 0x5D ...
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg     HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12  0x4C 0xDA 0x37 0x38 ...
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                       C:\Program Files (x86)\DAEMON Tools Lite\
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                       0x00 0x00 0x00 0x00 ...
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                       0
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                    0xD7 0xF1 0x76 0x35 ...
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0              0x20 0x01 0x00 0x00 ...
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12           0xC8 0x3A 0xBB 0x5D ...
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg     HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12      0x4C 0xDA 0x37 0x38 ...

---- EOF - GMER 2.1 ----