GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-03-01 18:57:17
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD103SJ rev.1AJ10001 931,51GB
Running: 2rsx32we.exe; Driver: C:\Users\Piotr\AppData\Local\Temp\awrdrkog.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800037aa000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800037aa02f 16 bytes [00, 00, 10, 00, 00, 00, 00, ...]
.text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff880047d2d8c 12 bytes {MOV RAX, 0xfffffa8004e612a0; JMP RAX}

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\services.exe[672] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bceecd 1 byte [62]
.text C:\Windows\system32\lsass.exe[732] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bceecd 1 byte [62]
.text C:\Windows\System32\svchost.exe[396] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bceecd 1 byte [62]
.text C:\Windows\System32\svchost.exe[548] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bceecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[520] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bceecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1192] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bceecd 1 byte [62]
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bceecd 1 byte [62]
.text C:\Windows\Explorer.EXE[1472] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bceecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1760] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bceecd 1 byte [62]
.text C:\Program Files (x86)\Western Digital\WD Smartware\Front Parlor\WDFME\WDFME.exe[2332] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000074a5a2ba 1 byte [62]
.text C:\Windows\system32\SearchIndexer.exe[3344] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bceecd 1 byte [62]
.text C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe[3544] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bceecd 1 byte [62]
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3784] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bceecd 1 byte [62]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe[3928] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074a5a2ba 1 byte [62]
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3936] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074a5a2ba 1 byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1044] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074a5a2ba 1 byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2452] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bceecd 1 byte [62]
.text C:\Program Files (x86)\FreeTime\FormatFactory\FormatFactory.exe[3732] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074a5a2ba 1 byte [62]
.text C:\Program Files (x86)\FreeTime\FormatFactory\FormatFactory.exe[3732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075221465 2 bytes [22, 75]
.text C:\Program Files (x86)\FreeTime\FormatFactory\FormatFactory.exe[3732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000752214bb 2 bytes [22, 75]
.text ... * 2
.text C:\Program Files (x86)\FreeTime\FormatFactory\FFModules\Encoder\mencoder.exe[2944] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074a5a2ba 1 byte [62]
.text C:\Windows\system32\conhost.exe[220] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076bceecd 1 byte [62]
.text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 0000000076bceecd 1 byte [62]
.text C:\Users\Piotr\Desktop\2rsx32we.exe[2968] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074a5a2ba 1 byte [62]

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff8800113a650] \SystemRoot\System32\Drivers\sphx.sys [unknown section]
IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff8800113a5dc] \SystemRoot\System32\Drivers\sphx.sys [unknown section]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800110535c] \SystemRoot\System32\Drivers\sphx.sys [unknown section]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001105224] \SystemRoot\System32\Drivers\sphx.sys [unknown section]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001105a24] \SystemRoot\System32\Drivers\sphx.sys [unknown section]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff88001105ba0] \SystemRoot\System32\Drivers\sphx.sys [unknown section]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7feee5b741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7feee5b5f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7feee5b5674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7feee5b5e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7feee5b7f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7feee5b6a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7feee5b6ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7feee5b7b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7feee5b7ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7feee5b78b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7feee5b4fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7feee5b5d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2532] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7feee5b7584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Devices - GMER 2.1 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80043d02c0
Device \Driver\atapi \Device\Ide\IdePort0 fffffa80043d02c0
Device \Driver\atapi \Device\Ide\IdePort1 fffffa80043d02c0
Device \Driver\atapi \Device\Ide\IdePort2 fffffa80043d02c0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa80043d02c0
Device \Driver\atapi \Device\Ide\IdePort3 fffffa80043d02c0
Device \FileSystem\Ntfs \Ntfs fffffa80043d42c0
Device \Driver\USBSTOR \Device\0000008a fffffa80048802c0
Device \Driver\usbehci \Device\USBPDO-1 fffffa8004e652c0
Device \Driver\cdrom \Device\CdRom0 fffffa8004a002c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{B45F00DB-64D8-4220-98A4-E24DC554FA17} fffffa8004ba12c0
Device \Driver\USBSTOR \Device\0000008b fffffa80048802c0
Device \Driver\USBSTOR \Device\00000089 fffffa80048802c0
Device \Driver\usbehci \Device\USBFDO-0 fffffa8004e652c0
Device \Driver\usbehci \Device\USBFDO-1 fffffa8004e652c0
Device \Driver\volmgr \Device\HarddiskVolume1 fffffa80043cc2c0
Device \Driver\volmgr \Device\FtControl fffffa80043cc2c0
Device \Driver\volmgr \Device\VolMgrControl fffffa80043cc2c0
Device \Driver\volmgr \Device\HarddiskVolume2 fffffa80043cc2c0
Device \Driver\volmgr \Device\HarddiskVolume3 fffffa80043cc2c0
Device \Driver\volmgr \Device\HarddiskVolume4 fffffa80043cc2c0
Device \Driver\volmgr \Device\HarddiskVolume5 fffffa80043cc2c0
Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004ba12c0
Device \Driver\atapi \Device\ScsiPort0 fffffa80043d02c0
Device \Driver\usbehci \Device\USBPDO-0 fffffa8004e652c0
Device \Driver\atapi \Device\ScsiPort1 fffffa80043d02c0
Device \Driver\atapi \Device\ScsiPort2 fffffa80043d02c0
Device \Driver\atapi \Device\ScsiPort3 fffffa80043d02c0

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80043d02c0]<< sphx.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa80043d02c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80047b2060] fffffa80047b2060
Trace 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> [0xfffffa8004534520] fffffa8004534520
Trace 5 ACPI.sys[fffff880010437a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004537060] fffffa8004537060
Trace \Driver\atapi[0xfffffa800451ecb0] -> IRP_MJ_CREATE -> 0xfffffa80043d02c0 fffffa80043d02c0

---- Processes - GMER 2.1 ----

Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1472] (GG drive overlay/GG Network S.A.)(2013-06-07 19:34:24) 000000005c080000
Library C:\Users\Piotr\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1472] (GG drive menu/GG Network S.A.)(201 000000005ff80000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFA 0x23 0x4A 0xB2 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{B45F00DB-64D8-4220-98A4-E24DC554FA17}@LeaseObtainedTime 1393692057
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{B45F00DB-64D8-4220-98A4-E24DC554FA17}@T1 1393695657
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{B45F00DB-64D8-4220-98A4-E24DC554FA17}@T2 1393698357
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{B45F00DB-64D8-4220-98A4-E24DC554FA17}@LeaseTerminatesTime 1393699257
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFA 0x23 0x4A 0xB2 ...

---- Files - GMER 2.1 ----

File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\194.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\213.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\253.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\2A3.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\2F3.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\343.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\384.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\47F.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\56B.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\667.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\743.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\82F.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\90C.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\98B.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\9CB.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\A1B.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\A5B.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\A9C.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\AFB.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\B6B.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\C76.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\D91.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\E5D.tmp 28134 bytes
File C:\Users\Piotr\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\F49.tmp 28134 bytes
File C:\ProgramData\AVAST Software\Avast\db1cbe08f8aa0f636-2c0f7b40.dat (size mismatch) 123904/151720 bytes executable

---- EOF - GMER 2.1 ----