GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-02-26 19:04:37
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD103SJ rev.1AJ10001 931,51GB
Running: 2rsx32we.exe; Driver: C:\Users\Piotr\AppData\Local\Temp\awrdrkog.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80003804000 58 bytes [D9, F9, FF, 48, 89, 05, 01, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 587 fffff8000380403b 11 bytes [3B, C5, 74, 18, 48, 8D, 94, ...]
PAGE C:\Windows\system32\drivers\ataport.SYS!DllUnload fffff88000fd24a0 12 bytes {MOV RAX, 0xfffffa80043c92a0; JMP RAX}
.text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff88003e28d8c 12 bytes {MOV RAX, 0xfffffa8004b5a2a0; JMP RAX}
.text C:\Windows\System32\win32k.sys!EngSetLastError + 608 fffff96000144b94 8 bytes [2C, 06, 10, 04, 80, F8, FF, ...]
.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000173e00 7 bytes [00, 96, F3, FF, 01, A1, F0]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000173e08 3 bytes [C0, 06, 02]
.text ... * 106
.text C:\Windows\System32\win32k.sys!EngGetProcessHandle + 404 fffff96000232b28 6 bytes {JMP QWORD [RIP-0xba4d6]}

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\services.exe[652] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62]
.text C:\Windows\system32\lsass.exe[712] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62]
.text C:\Windows\System32\svchost.exe[280] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1160] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62]
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62]
.text C:\Windows\Explorer.EXE[1708] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62]
.text C:\Program Files (x86)\Western Digital\WD Smartware\Front Parlor\WDFME\WDFME.exe[1088] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007608a2ba 1 byte [62]
.text C:\Windows\system32\SearchIndexer.exe[2852] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62]
.text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[3056] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62]
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3688] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3968] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007608a2ba 1 byte [62]
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3980] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007608a2ba 1 byte [62]
.text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\AlarmClock.exe[4052] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007608a2ba 1 byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2116] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3832] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007608a2ba 1 byte [62]
.text C:\Program Files (x86)\FreeTime\FormatFactory\FormatFactory.exe[4720] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007608a2ba 1 byte [62]
.text C:\Program Files (x86)\FreeTime\FormatFactory\FormatFactory.exe[4720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076291465 2 bytes [29, 76]
.text C:\Program Files (x86)\FreeTime\FormatFactory\FormatFactory.exe[4720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000762914bb 2 bytes [29, 76]
.text ... * 2
.text C:\Program Files (x86)\FreeTime\FormatFactory\FFModules\Encoder\mencoder.exe[2736] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007608a2ba 1 byte [62]
.text C:\Windows\system32\conhost.exe[2504] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62]
.text C:\Windows\system32\AUDIODG.EXE[5448] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 00000000771beecd 1 byte [62]
.text C:\Users\Piotr\Desktop\2rsx32we.exe[6088] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007608a2ba 1 byte [62]

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff8800110d650] \SystemRoot\System32\Drivers\spon.sys [unknown section]
IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff8800110d5dc] \SystemRoot\System32\Drivers\spon.sys [unknown section]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010d835c] \SystemRoot\System32\Drivers\spon.sys [unknown section]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010d8224] \SystemRoot\System32\Drivers\spon.sys [unknown section]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010d8a24] \SystemRoot\System32\Drivers\spon.sys [unknown section]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010d8ba0] \SystemRoot\System32\Drivers\spon.sys [unknown section]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7feeec0741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7feeec05f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7feeec05674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7feeec05e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7feeec07f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7feeec06a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7feeec06ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7feeec07b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7feeec07ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7feeec078b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7feeec04fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7feeec05d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2408] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7feeec07584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Devices - GMER 2.1 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80043d12c0
Device \Driver\atapi \Device\Ide\IdePort0 fffffa80043d12c0
Device \Driver\atapi \Device\Ide\IdePort1 fffffa80043d12c0
Device \Driver\atapi \Device\Ide\IdePort2 fffffa80043d12c0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa80043d12c0
Device \Driver\atapi \Device\Ide\IdePort3 fffffa80043d12c0
Device \FileSystem\Ntfs \Ntfs fffffa80043d52c0
Device \Driver\USBSTOR \Device\00000088 fffffa80042432c0
Device \Driver\usbehci \Device\USBPDO-1 fffffa8004c7a2c0
Device \Driver\cdrom \Device\CdRom0 fffffa80047ce2c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{B45F00DB-64D8-4220-98A4-E24DC554FA17} fffffa8004a2c2c0
Device \Driver\USBSTOR \Device\0000008b fffffa80042432c0
Device \Driver\USBSTOR \Device\00000089 fffffa80042432c0
Device \Driver\usbehci \Device\USBFDO-0 fffffa8004c7a2c0
Device \Driver\USBSTOR \Device\0000008c fffffa80042432c0
Device \Driver\usbehci \Device\USBFDO-1 fffffa8004c7a2c0
Device \Driver\volmgr \Device\HarddiskVolume1 fffffa80043cd2c0
Device \Driver\volmgr \Device\FtControl fffffa80043cd2c0
Device \Driver\volmgr \Device\VolMgrControl fffffa80043cd2c0
Device \Driver\volmgr \Device\HarddiskVolume2 fffffa80043cd2c0
Device \Driver\volmgr \Device\HarddiskVolume3 fffffa80043cd2c0
Device \Driver\volmgr \Device\HarddiskVolume4 fffffa80043cd2c0
Device \Driver\volmgr \Device\HarddiskVolume5 fffffa80043cd2c0
Device \Driver\volmgr \Device\HarddiskVolume6 fffffa80043cd2c0
Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004a2c2c0
Device \Driver\USBSTOR \Device\0000008d fffffa80042432c0
Device \Driver\atapi \Device\ScsiPort0 fffffa80043d12c0
Device \Driver\USBSTOR \Device\00000087 fffffa80042432c0
Device \Driver\usbehci \Device\USBPDO-0 fffffa8004c7a2c0
Device \Driver\atapi \Device\ScsiPort1 fffffa80043d12c0
Device \Driver\atapi \Device\ScsiPort2 fffffa80043d12c0
Device \Driver\atapi \Device\ScsiPort3 fffffa80043d12c0

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80043d12c0]<< spon.sys ataport.SYS pciide.sys fffffa80043d12c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80047af060] fffffa80047af060
Trace 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa800452ce40] fffffa800452ce40
Trace 5 ACPI.sys[fffff8800103a7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004538060] fffffa8004538060
Trace \Driver\atapi[0xfffffa8004520060] -> IRP_MJ_CREATE -> 0xfffffa80043d12c0 fffffa80043d12c0

---- Threads - GMER 2.1 ----

Thread C:\Windows\System32\svchost.exe [4696:3576] 000007feec859688
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4412:4560] 0000000076fe7587
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4412:4432] 0000000066877712
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4412:3200] 00000000774b2e65
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4412:2868] 00000000774b3e85
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4412:4260] 00000000774b3e85

---- Processes - GMER 2.1 ----

Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1708] (GG drive overlay/GG Network S.A.)(2013-06-07 19:34:24) 000000005c080000
Library C:\Users\Piotr\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1708] (GG drive menu/GG Network S.A.)(201 000000005ff80000
Library C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceProcess.resources\v4.0_4.0.0.0_pl_b03f5f7f11d50a3a\System.ServiceProcess.resources.dll (*** suspicious ***) @ C:\Program Files (x86)\Western Digital\WD Smartware\Front Parlor\WDSC.exe [2340] 0000000070b90000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFA 0x23 0x4A 0xB2 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFA 0x23 0x4A 0xB2 ...

---- Files - GMER 2.1 ----

File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\Cache\f_012b6a 0 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\Cache\f_012b8d 17696 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\Cache\f_012b8f 0 bytes

---- EOF - GMER 2.1 ----