GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-02-19 19:44:10 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\0000006b ST1000DM rev.CC47 931,51GB Running: sxtvvtti.exe; Driver: C:\Users\ja\AppData\Local\Temp\uglcyaoc.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff8800554fc34 12 bytes {MOV RAX, 0xfffffa8006e102a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\services.exe[896] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007756f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[636] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007756f1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[732] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007756f1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[756] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007756f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[792] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007756f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007756f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1480] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007756f1bd 1 byte [62] .text D:\Programy Files\Bluetooth\btwdins.exe[1748] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007756f1bd 1 byte [62] .text C:\Windows\Explorer.EXE[2204] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007756f1bd 1 byte [62] .text D:\Programy Files\Bluetooth\BTTray.exe[3128] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007756f1bd 1 byte [62] .text D:\Programy Files\Bluetooth\BtStackServer.exe[3276] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007756f1bd 1 byte [62] .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[3404] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000765bb0c5 1 byte [62] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3436] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000765bb0c5 1 byte [62] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3264] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000765bb0c5 1 byte [62] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4392] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000765bb0c5 1 byte [62] .text C:\Users\ja\Desktop\sxtvvtti.exe[508] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000765bb0c5 1 byte [62] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\DRIVERS\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff88001088650] \SystemRoot\System32\Drivers\spuo.sys [unknown section] IAT C:\Windows\system32\DRIVERS\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff880010885dc] \SystemRoot\System32\Drivers\spuo.sys [unknown section] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800105335c] \SystemRoot\System32\Drivers\spuo.sys [unknown section] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001053224] \SystemRoot\System32\Drivers\spuo.sys [unknown section] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001053a24] \SystemRoot\System32\Drivers\spuo.sys [unknown section] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff88001053ba0] \SystemRoot\System32\Drivers\spuo.sys [unknown section] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa80049c02c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8006e0e2c0 Device \Driver\iaStorA \Device\RaidPort0 fffffa80049bc2c0 Device \Driver\cdrom \Device\CdRom0 fffffa8006c122c0 Device \Driver\iaStorA \Device\0000006b fffffa80049bc2c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8006e0e2c0 Device \Driver\iaStorA \Device\0000006c fffffa80049bc2c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa80049b42c0 Device \Driver\volmgr \Device\FtControl fffffa80049b42c0 Device \Driver\volmgr \Device\VolMgrControl fffffa80049b42c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa80049b42c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa80049b42c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{46D30596-D57A-4F36-858E-EB3911063351} fffffa8006d6d2c0 Device \Driver\volmgr \Device\HarddiskVolume4 fffffa80049b42c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8006d6d2c0 Device \Driver\iaStorA \Device\ScsiPort0 fffffa80049bc2c0 Device \Driver\usbehci \Device\USBFDO-2 fffffa8006e0e2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{81AD5B6C-36DD-4DAC-8D04-BAD0CF330341} fffffa8006d6d2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8006e0e2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys iaStorF.sys >>UNKNOWN [0xfffffa80049bc2c0]<< spuo.sys storport.sys hal.dll iaStorA.sys fffffa80049bc2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006b14060] fffffa8006b14060 Trace 3 CLASSPNP.SYS[fffff880019a443f] -> nt!IofCallDriver -> [0xfffffa8004d49c50] fffffa8004d49c50 Trace 5 iaStorF.sys[fffff88001a4daa4] -> nt!IofCallDriver -> \Device\0000006b[0xfffffa8004ba4060] fffffa8004ba4060 Trace \Driver\iaStorA[0xfffffa8004b7d060] -> IRP_MJ_CREATE -> 0xfffffa80049bc2c0 fffffa80049bc2c0 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2204] (GG drive overlay/GG Network S.A.)(2013-11-15 21:48:45) 000000005c080000 Library C:\Users\ja\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2204] (GG drive menu/GG Network S.A.)(2013-10-3 000000005ff80000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x70 0x2E 0xE8 0x3B ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x70 0x2E 0xE8 0x3B ... ---- EOF - GMER 2.1 ----