GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2014-09-07 20:13:46
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000063 SAMSUNG_ rev.FH10 232,88GB
Running: m57g1hli.exe; Driver: C:\Users\Admin\AppData\Local\Temp\uwddakob.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031f2000 64 bytes [00, 00, 1C, 02, 41, 66, 64, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 594 fffff800031f2042 4 bytes [00, 00, 00, 00]

---- User code sections - GMER 2.1 ----

.text C:\Windows\SysWOW64\PnkBstrA.exe[2004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000072171a22 2 bytes [17, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000072171ad0 2 bytes [17, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000072171b08 2 bytes [17, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000072171bba 2 bytes [17, 72]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2004] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000072171bda 2 bytes [17, 72]
.text D:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.218\deploy\LoLLauncher.exe[4008] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076181072 5 bytes JMP 000000016a1f4790
? C:\Windows\system32\mssprxy.dll [2864] entry point in ".rdata" section 00000000735f71e6
.text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.105\deploy\LolClient.exe[4020] C:\Windows\syswow64\kernel32.dll!CreateFileW 0000000076183f1c 5 bytes JMP 000000016ef14a40
.text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.105\deploy\LolClient.exe[4020] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f51465 2 bytes [F5, 74]
.text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.105\deploy\LolClient.exe[4020] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f514bb 2 bytes [F5, 74]
.text ... * 2
.text C:\Users\Admin\Downloads\OTL.scr[2844] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000074f51465 2 bytes [F5, 74]
.text C:\Users\Admin\Downloads\OTL.scr[2844] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 0000000074f514bb 2 bytes [F5, 74]
.text ... * 2

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010b2e94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010b2c38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010b3614] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010b3a10] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010b386c] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Devices - GMER 2.1 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80024952c0
Device \Driver\atapi \Device\Ide\IdePort0 fffffa80024952c0
Device \Driver\atapi \Device\Ide\IdePort1 fffffa80024952c0
Device \FileSystem\Ntfs \Ntfs fffffa800249b2c0
Device \Driver\usbehci \Device\USBPDO-1 fffffa80038232c0
Device \Driver\nvstor \Device\RaidPort0 fffffa80024972c0
Device \Driver\cdrom \Device\CdRom0 fffffa80032662c0
Device \Driver\usbohci \Device\USBFDO-0 fffffa80038192c0
Device \Driver\usbehci \Device\USBFDO-1 fffffa80038232c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{2FFC4BF3-8FAA-43CB-8D45-C009A7F7A0F1} fffffa80033a12c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{077712BB-341E-4C56-9FB9-501727AC5A41} fffffa80033a12c0
Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80033a12c0
Device \Driver\nvstor \Device\00000063 fffffa80024972c0
Device \Driver\atapi \Device\ScsiPort0 fffffa80024952c0
Device \Driver\usbohci \Device\USBPDO-0 fffffa80038192c0
Device \Driver\atapi \Device\ScsiPort1 fffffa80024952c0
Device \Driver\StarPortLite \Device\StarPortLite fffffa80037a52c0
Device \Driver\nvstor \Device\ScsiPort2 fffffa80024972c0
Device \Driver\StarPortLite \Device\ScsiPort3 fffffa80037a52c0

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80024972c0]<< sptd.sys storport.sys hal.dll nvstor.sys fffffa80024972c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003118530] fffffa8003118530
Trace 3 CLASSPNP.SYS[fffff88001a0443f] -> nt!IofCallDriver -> [0xfffffa80024f1e40] fffffa80024f1e40
Trace 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\00000063[0xfffffa8002ec09c0] fffffa8002ec09c0
Trace \Driver\nvstor[0xfffffa8002457e70] -> IRP_MJ_CREATE -> 0xfffffa80024972c0 fffffa80024972c0

---- Threads - GMER 2.1 ----

Thread C:\Windows\SysWOW64\notepad.exe [1212:1652] 0000000000220000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6F 0x84 0xBE 0xB2 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6F 0x84 0xBE 0xB2 ...

---- EOF - GMER 2.1 ----