GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-09-03 21:41:26 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.0001SDM1 465,76GB Running: 0ri421x6.exe; Driver: C:\Users\Robert\AppData\Local\Temp\awrdypob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031f3000 63 bytes [00, 00, 51, 02, 54, 68, 72, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 594 fffff800031f3042 4 bytes [00, 00, 00, 00] ---- User code sections - GMER 2.1 ---- .text C:\Windows\SysWOW64\PnkBstrA.exe[1960] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000071cb1a22 2 bytes [CB, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[1960] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000071cb1ad0 2 bytes [CB, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[1960] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000071cb1b08 2 bytes [CB, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[1960] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000071cb1bba 2 bytes [CB, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[1960] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000071cb1bda 2 bytes [CB, 71] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075241465 2 bytes [24, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752414bb 2 bytes [24, 75] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[6608] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076af103d 5 bytes JMP 0000000171d7eb60 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[6608] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000076b09aa4 5 bytes JMP 0000000171d7feb0 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[6608] C:\Windows\syswow64\kernel32.dll!MoveFileExW 0000000076b09b05 5 bytes JMP 0000000171d7ff40 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[6608] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000076b13b62 5 bytes JMP 0000000171d80070 .text D:\Program Files (x86)\Holdem Manager 2\HudFuncsApp.exe[8392] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000076af4925 6 bytes JMP 5f080f5a .text D:\Program Files (x86)\Holdem Manager 2\HudFuncsApp.exe[8392] C:\Windows\syswow64\USER32.dll!GetClientRect 0000000075080c62 6 bytes JMP 5f120f5a .text D:\Program Files (x86)\Holdem Manager 2\HudFuncsApp.exe[8392] C:\Windows\syswow64\USER32.dll!DrawTextW 00000000750825cf 6 bytes JMP 5f180f5a .text D:\Program Files (x86)\Holdem Manager 2\HudFuncsApp.exe[8392] C:\Windows\syswow64\USER32.dll!GetScrollInfo 0000000075084018 6 bytes JMP 5f0f0f5a .text D:\Program Files (x86)\Holdem Manager 2\HudFuncsApp.exe[8392] C:\Windows\syswow64\GDI32.dll!CreateCompatibleDC 00000000770954f4 6 bytes JMP 5f1b0f5a .text D:\Program Files (x86)\Holdem Manager 2\HudFuncsApp.exe[8392] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770958b3 6 bytes JMP 5f1e0f5a .text D:\Program Files (x86)\Holdem Manager 2\HudFuncsApp.exe[8392] C:\Windows\syswow64\GDI32.dll!ExtTextOutW 0000000077098b7a 6 bytes JMP 5f150f5a .text D:\Program Files (x86)\Holdem Manager 2\HudFuncsApp.exe[8392] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075241465 2 bytes [24, 75] .text D:\Program Files (x86)\Holdem Manager 2\HudFuncsApp.exe[8392] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752414bb 2 bytes [24, 75] .text ... * 2 .text C:\Titan Poker\casino.exe[19048] C:\Windows\syswow64\kernel32.dll!LoadLibraryW 0000000076af48f3 5 bytes JMP 0000000110003790 .text C:\Titan Poker\casino.exe[19048] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000076af4925 6 bytes JMP 5f080f5a .text C:\Titan Poker\casino.exe[19048] C:\Windows\syswow64\user32.DLL!GetClientRect 0000000075080c62 6 bytes JMP 5f120f5a .text C:\Titan Poker\casino.exe[19048] C:\Windows\syswow64\user32.DLL!DrawTextExW 000000007508149e 5 bytes JMP 00000001100037d0 .text C:\Titan Poker\casino.exe[19048] C:\Windows\syswow64\user32.DLL!DrawTextW 00000000750825cf 6 bytes JMP 5f180f5a .text C:\Titan Poker\casino.exe[19048] C:\Windows\syswow64\user32.DLL!GetScrollInfo 0000000075084018 6 bytes JMP 5f0f0f5a .text C:\Titan Poker\casino.exe[19048] C:\Windows\syswow64\GDI32.dll!CreateCompatibleDC 00000000770954f4 6 bytes JMP 5f1b0f5a .text C:\Titan Poker\casino.exe[19048] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000770958b3 6 bytes JMP 5f1e0f5a .text C:\Titan Poker\casino.exe[19048] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000077095ea6 5 bytes JMP 0000000110003910 .text C:\Titan Poker\casino.exe[19048] C:\Windows\syswow64\GDI32.dll!ExtTextOutW 0000000077098b7a 6 bytes JMP 5f150f5a ? C:\Windows\system32\mssprxy.dll [19048] entry point in ".rdata" section 0000000073c171e6 .text C:\Titan Poker\casino.exe[19048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075241465 2 bytes [24, 75] .text C:\Titan Poker\casino.exe[19048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752414bb 2 bytes [24, 75] .text ... * 2 .text D:\Program Files (x86)\Holdem Manager 2\ThirtyTwoBitIPC.exe[6592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075241465 2 bytes [24, 75] .text D:\Program Files (x86)\Holdem Manager 2\ThirtyTwoBitIPC.exe[6592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752414bb 2 bytes [24, 75] .text ... * 2 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74e5436cbf0f Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xD4 0xE9 0xF6 0x7B ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2B 0xF0 0x88 0x7E ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74e5436cbf0f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xD4 0xE9 0xF6 0x7B ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2B 0xF0 0x88 0x7E ... ---- EOF - GMER 2.1 ----