GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-02 17:28:19 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500DM002-1BC142 rev.JC4B 465,76GB Running: rztrxo2g.exe; Driver: C:\Users\RODZIN~1.USE\AppData\Local\Temp\aftcaaob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 630 fffff80002fa2066 48 bytes [65, 48, 8B, 1C, 25, 88, 01, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 680 fffff80002fa2098 27 bytes [48, 8B, 8C, 24, E8, 00, 00, ...] .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88004559d8c 12 bytes {MOV RAX, 0xfffffa80044d42a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[3016] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076351465 2 bytes [35, 76] .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[3016] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763514bb 2 bytes [35, 76] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff880010a5650] \SystemRoot\System32\Drivers\spah.sys [unknown section] IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff880010a55dc] \SystemRoot\System32\Drivers\spah.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800107035c] \SystemRoot\System32\Drivers\spah.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001070224] \SystemRoot\System32\Drivers\spah.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001070a24] \SystemRoot\System32\Drivers\spah.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff88001070ba0] \SystemRoot\System32\Drivers\spah.sys [unknown section] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80040e92c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80040e92c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80040e92c0 Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-4 fffffa80040e92c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80040e92c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80040e92c0 Device \Driver\a710um13 \Device\Scsi\a710um131 fffffa8004c302c0 Device \Driver\a710um13 \Device\Scsi\a710um131Port4Path0Target0Lun0 fffffa8004c302c0 Device \FileSystem\Ntfs \Ntfs fffffa80040ed2c0 Device \Driver\usbohci \Device\USBPDO-5 fffffa8004b7a2c0 Device \Driver\usbehci \Device\USBFDO-3 fffffa8004b7c2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8004b7c2c0 Device \Driver\cdrom \Device\CdRom0 fffffa80049b12c0 Device \Driver\cdrom \Device\CdRom1 fffffa80049b12c0 Device \Driver\usbehci \Device\USBPDO-6 fffffa8004b7c2c0 Device \Driver\usbohci \Device\USBFDO-4 fffffa8004b7a2c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa8004b7a2c0 Device \Driver\usbohci \Device\USBPDO-2 fffffa8004b7a2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{5160531D-3C11-45AE-952B-67F1D55C9520} fffffa80044f92c0 Device \Driver\usbohci \Device\USBFDO-5 fffffa8004b7a2c0 Device \Driver\usbehci \Device\USBPDO-3 fffffa8004b7c2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8004b7c2c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa80040e52c0 Device \Driver\volmgr \Device\FtControl fffffa80040e52c0 Device \Driver\volmgr \Device\VolMgrControl fffffa80040e52c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa80040e52c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa80040e52c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80044f92c0 Device \Driver\usbehci \Device\USBFDO-6 fffffa8004b7c2c0 Device \Driver\usbohci \Device\USBPDO-4 fffffa8004b7a2c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80040e92c0 Device \Driver\usbohci \Device\USBFDO-2 fffffa8004b7a2c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa8004b7a2c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80040e92c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80040e92c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80040e92c0 Device \Driver\a710um13 \Device\ScsiPort4 fffffa8004c302c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80040e92c0]<< spah.sys ataport.SYS amdide64.sys fffffa80040e92c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80044e1060] fffffa80044e1060 Trace 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> [0xfffffa80042639b0] fffffa80042639b0 Trace 5 ACPI.sys[fffff880011ac7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004268060] fffffa8004268060 Trace \Driver\atapi[0xfffffa800424f3a0] -> IRP_MJ_CREATE -> 0xfffffa80040e92c0 fffffa80040e92c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\a710um13.SYS fffff880045ab000-fffff880045f0000 (282624 bytes) ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [1152:1692] 000007fef1680ea8 Thread C:\Windows\system32\svchost.exe [1152:420] 000007fef1679db0 Thread C:\Windows\system32\svchost.exe [1152:4148] 000007fef167aa10 Thread C:\Windows\system32\svchost.exe [1152:4176] 000007fef1681c94 Thread C:\Windows\system32\svchost.exe [1152:5080] 000007feea39d3c8 Thread C:\Windows\system32\svchost.exe [1152:4892] 000007feea39d3c8 Thread C:\Windows\system32\svchost.exe [1152:4288] 000007feea39d3c8 Thread C:\Windows\system32\svchost.exe [1152:4696] 000007feea39d3c8 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1988] (GG drive overlay/GG Network S.A.)(2012-07-28 20:03:20) 000000005c080000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xCF 0x10 0xCC 0xE0 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x6A 0x43 0x62 0x32 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xCD 0xD9 0xF5 0xE2 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xCF 0x10 0xCC 0xE0 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x6A 0x43 0x62 0x32 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xCD 0xD9 0xF5 0xE2 ... ---- Files - GMER 2.1 ---- File C:\FRST 0 bytes File C:\FRST\Hives 0 bytes File C:\FRST\Hives\BCD 28672 bytes File C:\FRST\Hives\default 344064 bytes File C:\FRST\Hives\ERDNT.CON 800 bytes File C:\FRST\Hives\ERDNT.EXE 163328 bytes executable File C:\FRST\Hives\ERDNT.INF 848 bytes File C:\FRST\Hives\ERDNTDOS.LOC 2815 bytes File C:\FRST\Hives\ERDNTWIN.LOC 3275 bytes File C:\FRST\Hives\sam 102400 bytes File C:\FRST\Hives\security 28672 bytes File C:\FRST\Hives\software 75886592 bytes File C:\FRST\Hives\system 17891328 bytes File C:\FRST\Hives\Users 0 bytes File C:\FRST\Hives\Users\00000001 0 bytes File C:\FRST\Hives\Users\00000001\ntuser.dat 2170880 bytes File C:\FRST\Hives\Users\00000002 0 bytes File C:\FRST\Hives\Users\00000002\UsrClass.dat 3928064 bytes File C:\FRST\Logs 0 bytes File C:\FRST\Quarantine 0 bytes ---- EOF - GMER 2.1 ----