GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-18 13:25:18 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD103SJ rev.1AJ10001 931,51GB Running: zbz0de5n.exe; Driver: C:\Users\oem\AppData\Local\Temp\uxriqpow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800033fb000 45 bytes [00, 00, 15, 02, 46, 69, 6C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800033fb02f 16 bytes [00, 60, D0, 7C, 04, 80, FA, ...] .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff8800ffccd8c 12 bytes {MOV RAX, 0xfffffa8004f7e2a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1844] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076e08791 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1844] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000076881465 2 bytes [88, 76] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1844] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000768814bb 2 bytes [88, 76] .text ... * 2 .text D:\Pobierane\OTL.exe[1348] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000076881465 2 bytes [88, 76] .text D:\Pobierane\OTL.exe[1348] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000768814bb 2 bytes [88, 76] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff880010e8650] \SystemRoot\System32\Drivers\spky.sys [unknown section] IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff880010e85dc] \SystemRoot\System32\Drivers\spky.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010b335c] \SystemRoot\System32\Drivers\spky.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010b3224] \SystemRoot\System32\Drivers\spky.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010b3a24] \SystemRoot\System32\Drivers\spky.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010b3ba0] \SystemRoot\System32\Drivers\spky.sys [unknown section] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80043df2c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80043df2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80043df2c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80043df2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 fffffa80043df2c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80043df2c0 Device \Driver\avt9clai \Device\Scsi\avt9clai1 fffffa8004fe92c0 Device \Driver\avt9clai \Device\Scsi\avt9clai1Port4Path0Target0Lun0 fffffa8004fe92c0 Device \FileSystem\Ntfs \Ntfs fffffa80043e52c0 Device \Driver\USBSTOR \Device\00000078 fffffa8005bce2c0 Device \Driver\USBSTOR \Device\00000074 fffffa8005bce2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8004f792c0 Device \Driver\cdrom \Device\CdRom0 fffffa8004a3a2c0 Device \Driver\cdrom \Device\CdRom1 fffffa8004a3a2c0 Device \Driver\USBSTOR \Device\00000075 fffffa8005bce2c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8004f792c0 Device \Driver\USBSTOR \Device\00000076 fffffa8005bce2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8004f792c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa800368e2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{6A0DE6AD-D521-440C-A8E1-FDC0EA1E9372} fffffa8004bbd2c0 Device \Driver\volmgr \Device\FtControl fffffa800368e2c0 Device \Driver\volmgr \Device\VolMgrControl fffffa800368e2c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa800368e2c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa800368e2c0 Device \Driver\volmgr \Device\HarddiskVolume4 fffffa800368e2c0 Device \Driver\volmgr \Device\HarddiskVolume5 fffffa800368e2c0 Device \Driver\volmgr \Device\HarddiskVolume6 fffffa800368e2c0 Device \Driver\volmgr \Device\HarddiskVolume7 fffffa800368e2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004bbd2c0 Device \Driver\volmgr \Device\HarddiskVolume8 fffffa800368e2c0 Device \Driver\USBSTOR \Device\00000077 fffffa8005bce2c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80043df2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8004f792c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80043df2c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80043df2c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80043df2c0 Device \Driver\avt9clai \Device\ScsiPort4 fffffa8004fe92c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80043df2c0]<< spky.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa80043df2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004826060] fffffa8004826060 Trace 3 CLASSPNP.SYS[fffff88001bba43f] -> nt!IofCallDriver -> [0xfffffa80045771e0] fffffa80045771e0 Trace 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004597060] fffffa8004597060 Trace \Driver\atapi[0xfffffa800453e9a0] -> IRP_MJ_CREATE -> 0xfffffa80043df2c0 fffffa80043df2c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\avt9clai.SYS fffff88002fb7000-fffff88002ffc000 (282624 bytes) ---- Threads - GMER 2.1 ---- Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3688:4196] 0000000076c27587 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3688:4208] 000000006d517712 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3688:4216] 0000000077852e65 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3688:1556] 0000000077853e85 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3688:1640] 0000000077853e85 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3688:1104] 0000000077853e85 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1720] (GG drive overlay/GG Network S.A.)(2012-10-19 13:02:47) 000000005c080000 Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Program Files\ESET\ESET Smart Security\egui.exe [2616] (GG drive overlay/GG Network S.A.)(2012-10-19 13:02:47) 000000005c080000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB7 0xFC 0x2B 0xB8 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x3C 0x28 0x7C 0xE0 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xCA 0x9A 0x0F 0x9D ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB7 0xFC 0x2B 0xB8 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x3C 0x28 0x7C 0xE0 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xCA 0x9A 0x0F 0x9D ... ---- EOF - GMER 2.1 ----