GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-04-08 20:51:31 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000071 TOSHIBA_ rev.GT00 298,09GB Running: l9zhkvzo.exe; Driver: C:\Users\MACIEJ~1\AppData\Local\Temp\afryquod.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff880053c0d64 12 bytes {MOV RAX, 0xfffffa80068e32a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000759b1465 2 bytes [9B, 75] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[4088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759b14bb 2 bytes [9B, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000759b1465 2 bytes [9B, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759b14bb 2 bytes [9B, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007799f991 7 bytes {MOV EDX, 0x92b228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007799fbd5 7 bytes {MOV EDX, 0x92b268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007799fc05 7 bytes {MOV EDX, 0x92b1a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007799fc1d 7 bytes {MOV EDX, 0x92b128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007799fc35 7 bytes {MOV EDX, 0x92b328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007799fc65 7 bytes {MOV EDX, 0x92b368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007799fce5 7 bytes {MOV EDX, 0x92b2e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007799fcfd 7 bytes {MOV EDX, 0x92b2a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007799fd49 7 bytes {MOV EDX, 0x92b068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007799fe41 7 bytes {MOV EDX, 0x92b0a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000779a0099 7 bytes {MOV EDX, 0x92b028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779a10a5 7 bytes {MOV EDX, 0x92b1e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000779a111d 7 bytes {MOV EDX, 0x92b168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1872] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000779a1321 7 bytes {MOV EDX, 0x92b0e8; JMP RDX} .text C:\Users\Maciej Nawrocki\Downloads\OTL.com[3412] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 00000000759b1465 2 bytes [9B, 75] .text C:\Users\Maciej Nawrocki\Downloads\OTL.com[3412] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000759b14bb 2 bytes [9B, 75] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001070f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001070cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800107169c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001071a98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010718f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa8005dc52c0 Device \Driver\usbehci \Device\USBFDO-3 fffffa80069052c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80069052c0 Device \Driver\amd_sata \Device\RaidPort0 fffffa8005dbf2c0 Device \Driver\cdrom \Device\CdRom0 fffffa80066b52c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{F2E5FCB0-1236-4284-9A6F-42C08E62AE49} fffffa80067c22c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa80068f82c0 Device \Driver\usbohci \Device\USBPDO-2 fffffa80068f82c0 Device \Driver\amd_sata \Device\00000071 fffffa8005dbf2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{96345521-D3C4-4C79-A284-E851EF70BC6E} fffffa80067c22c0 Device \Driver\usbehci \Device\USBPDO-3 fffffa80069052c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80069052c0 Device \Driver\amd_sata \Device\00000072 fffffa8005dbf2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80067c22c0 Device \Driver\amd_sata \Device\ScsiPort0 fffffa8005dbf2c0 Device \Driver\usbohci \Device\USBFDO-2 fffffa80068f82c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa80068f82c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8005dc12c0]<< sptd.sys amd_xata.sys storport.sys hal.dll amd_sata.sys fffffa8005dc12c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80063d0590] fffffa80063d0590 Trace 3 CLASSPNP.SYS[fffff88001b7643f] -> nt!IofCallDriver -> [0xfffffa8005ebf040] fffffa8005ebf040 Trace \Driver\amd_xata[0xfffffa8005eab930] -> IRP_MJ_CREATE -> 0xfffffa8005dc12c0 fffffa8005dc12c0 Trace 5 amd_xata.sys[fffff88000c648b4] -> nt!IofCallDriver -> \Device\00000071[0xfffffa8005ebb060] fffffa8005ebb060 Trace \Driver\amd_sata[0xfffffa8005eab060] -> IRP_MJ_CREATE -> 0xfffffa8005dbf2c0 fffffa8005dbf2c0 ---- Threads - GMER 2.1 ---- Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3232:3596] 0000000071c7102d Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3232:3804] 000000007193f1dc Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3232:4000] 000000007193f1dc Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3232:4004] 00000000719355d3 Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3232:228] 0000000071c1c159 ---- EOF - GMER 2.1 ----