GMER 2.1.19355 - http://www.gmer.net Rootkit scan 2014-01-26 12:10:42 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\00000070 ST350041 rev.CC38 465,76GB Running: gmer.exe; Driver: C:\Users\FastMan\AppData\Local\Temp\awdiipow.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88004438d8c 12 bytes {MOV RAX, 0xfffffa8004fd62a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1676] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075168769 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1676] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075141465 2 bytes [14, 75] .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1676] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000751414bb 2 bytes [14, 75] .text ... * 2 .text C:\Users\FastMan\AppData\Roaming\Dropbox\bin\Dropbox.exe[2080] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 0000000075141465 2 bytes [14, 75] .text C:\Users\FastMan\AppData\Roaming\Dropbox\bin\Dropbox.exe[2080] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 00000000751414bb 2 bytes [14, 75] .text ... * 2 .text C:\Windows\SysWOW64\PnkBstrA.exe[2552] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000072241a22 2 bytes [24, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2552] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000072241ad0 2 bytes [24, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2552] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000072241b08 2 bytes [24, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2552] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000072241bba 2 bytes [24, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2552] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000072241bda 2 bytes [24, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075141465 2 bytes [14, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751414bb 2 bytes [14, 75] .text ... * 2 .text C:\Program Files (x86)\Xfire\xfire.exe[3144] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075161072 5 bytes JMP 0000000108889904 .text C:\Program Files (x86)\Xfire\xfire.exe[3144] C:\Windows\syswow64\kernel32.dll!CreateThread 0000000075163475 5 bytes JMP 00000001088891ae .text C:\Program Files (x86)\Xfire\xfire.exe[3144] C:\Windows\syswow64\USER32.dll!GetDC 0000000074a572c4 5 bytes JMP 00000001088889e9 .text C:\Program Files (x86)\Xfire\xfire.exe[3144] C:\Windows\syswow64\USER32.dll!ReleaseDC 0000000074a57446 5 bytes JMP 0000000108888a91 .text C:\Program Files (x86)\Xfire\xfire.exe[3144] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074a58a29 5 bytes JMP 000000010888955c .text C:\Program Files (x86)\Xfire\xfire.exe[3144] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000074a58e4e 5 bytes JMP 00000001088893e8 .text C:\Program Files (x86)\Xfire\xfire.exe[3144] C:\Windows\syswow64\USER32.dll!IsWindowVisible 0000000074a6112d 7 bytes JMP 000000010888962e .text C:\Program Files (x86)\Xfire\xfire.exe[3144] C:\Windows\syswow64\USER32.dll!GetCursorPos 0000000074a61218 5 bytes JMP 0000000108888ede .text C:\Program Files (x86)\Xfire\xfire.exe[3144] C:\Windows\syswow64\USER32.dll!BeginPaint 0000000074a61361 5 bytes JMP 000000010888894d .text C:\Program Files (x86)\Xfire\xfire.exe[3144] C:\Windows\syswow64\USER32.dll!InvalidateRect 0000000074a61381 5 bytes JMP 0000000108888cbf .text C:\Program Files (x86)\Xfire\xfire.exe[3144] C:\Windows\syswow64\USER32.dll!RedrawWindow 0000000074a6140b 5 bytes JMP 0000000108889043 .text C:\Program Files (x86)\Xfire\xfire.exe[3144] C:\Windows\syswow64\USER32.dll!SetFocus 0000000074a62175 5 bytes JMP 0000000108888c0e .text C:\Program Files (x86)\Xfire\xfire.exe[3144] C:\Windows\syswow64\USER32.dll!RegisterClassA 0000000074a6434b 5 bytes JMP 00000001088890fd .text C:\Program Files (x86)\Xfire\xfire.exe[3144] C:\Windows\syswow64\USER32.dll!InvalidateRgn 0000000074a66604 5 bytes JMP 0000000108888d76 .text C:\Program Files (x86)\Xfire\xfire.exe[3144] C:\Windows\syswow64\USER32.dll!TrackPopupMenu 0000000074a7c288 5 bytes JMP 0000000108889841 .text C:\Program Files (x86)\Xfire\xfire.exe[3144] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074a7cfca 5 bytes JMP 000000010888926e .text C:\Program Files (x86)\Xfire\xfire.exe[3144] C:\Windows\syswow64\USER32.dll!WindowFromPoint 0000000074a7ed12 5 bytes JMP 0000000108888f8f .text C:\Program Files (x86)\Xfire\xfire.exe[3144] C:\Windows\syswow64\USER32.dll!SetCapture 0000000074a7ed56 5 bytes JMP 0000000108888e2d .text C:\Program Files (x86)\Xfire\xfire.exe[3144] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000074a7f170 5 bytes JMP 00000001088894ab .text C:\Program Files (x86)\Xfire\xfire.exe[3144] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 0000000074a810dc 5 bytes JMP 000000010888932b .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075141465 2 bytes [14, 75] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751414bb 2 bytes [14, 75] .text ... * 2 .text C:\Program Files (x86)\Windows Live\Mail\wlmail.exe[4924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075141465 2 bytes [14, 75] .text C:\Program Files (x86)\Windows Live\Mail\wlmail.exe[4924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000751414bb 2 bytes [14, 75] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [4924] entry point in ".rdata" section 0000000069c071e6 .text D:\Programy\Wirusy-antyprogramy\OTL.exe[5840] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000075141465 2 bytes [14, 75] .text D:\Programy\Wirusy-antyprogramy\OTL.exe[5840] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000751414bb 2 bytes [14, 75] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff880010905b0] \SystemRoot\System32\Drivers\spnu.sys [unknown section] IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff8800109053c] \SystemRoot\System32\Drivers\spnu.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800105535c] \SystemRoot\System32\Drivers\spnu.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001055224] \SystemRoot\System32\Drivers\spnu.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001055a24] \SystemRoot\System32\Drivers\spnu.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff88001055ba0] \SystemRoot\System32\Drivers\spnu.sys [unknown section] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdePort0 fffffa8003cbf2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa8003cbf2c0 Device \Driver\atx5h263 \Device\Scsi\atx5h2631Port4Path0Target0Lun0 fffffa80050492c0 Device \Driver\atx5h263 \Device\Scsi\atx5h2631 fffffa80050492c0 Device \FileSystem\Ntfs \Ntfs fffffa8003cc52c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80050002c0 Device \Driver\nvstor \Device\00000070 fffffa8003cc12c0 Device \Driver\nvstor \Device\RaidPort0 fffffa8003cc12c0 Device \Driver\cdrom \Device\CdRom0 fffffa8004da12c0 Device \Driver\nvstor \Device\RaidPort1 fffffa8003cc12c0 Device \Driver\cdrom \Device\CdRom1 fffffa8004da12c0 Device \Driver\cdrom \Device\CdRom2 fffffa8004da12c0 Device \Driver\nvstor \Device\0000006f fffffa8003cc12c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa8004ff62c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80050002c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa8003cbb2c0 Device \Driver\volmgr \Device\FtControl fffffa8003cbb2c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa8003cbb2c0 Device \Driver\volmgr \Device\VolMgrControl fffffa8003cbb2c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa8003cbb2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{071604E4-BC9E-4E96-BD6B-E0A86FF23E58} fffffa8004dae2c0 Device \Driver\nvstor \Device\0000006d fffffa8003cc12c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004dae2c0 Device \Driver\atapi \Device\ScsiPort0 fffffa8003cbf2c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa8004ff62c0 Device \Driver\atapi \Device\ScsiPort1 fffffa8003cbf2c0 Device \Driver\nvstor \Device\ScsiPort2 fffffa8003cc12c0 Device \Driver\nvstor \Device\ScsiPort3 fffffa8003cc12c0 Device \Driver\atx5h263 \Device\ScsiPort4 fffffa80050492c0 Device \Driver\nvstor \Device\0000006e fffffa8003cc12c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8003cc12c0]<< spnu.sys storport.sys hal.dll nvstor.sys fffffa8003cc12c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa8004ca1060] fffffa8004ca1060 Trace 3 CLASSPNP.SYS[fffff88001b7243f] -> nt!IofCallDriver -> [0xfffffa8004b41e40] fffffa8004b41e40 Trace 5 ACPI.sys[fffff8800119e7a1] -> nt!IofCallDriver -> \Device\00000070[0xfffffa8004b3d9c0] fffffa8004b3d9c0 Trace \Driver\nvstor[0xfffffa8004b13cd0] -> IRP_MJ_CREATE -> 0xfffffa8003cc12c0 fffffa8003cc12c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\atx5h263.SYS fffff8800478d000-fffff880047cf000 (270336 bytes) ---- Threads - GMER 2.1 ---- Thread C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe [4732:4748] 0000000077262e65 Thread C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe [4732:4752] 0000000077263e85 Thread C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe [4732:2280] 0000000077263e85 Thread C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe [4732:3424] 0000000069868f48 Thread C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe [4732:3172] 0000000077263e85 ---- Processes - GMER 2.1 ---- Library C:\Users\FastMan\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1692] 000007fef9240000 Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1692] 000000005c080000 Library C:\Users\FastMan\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1692] 000000005ff80000 Process C:\Users\FastMan\AppData\Roaming\Dropbox\bin\Dropbox.exe (*** suspicious ***) @ C:\Users\FastMan\AppData\Roaming\Dropbox\bin\Dropbox.exe [2080] 0000000000400000 Library C:\Users\FastMan\AppData\Roaming\Dropbox\bin\wxmsw28uh_vc.dll (*** suspicious ***) @ C:\Users\FastMan\AppData\Roaming\Dropbox\bin\Dropbox.exe [2080](2014-01-03 00:45:04) 0000000003f30000 Library C:\Users\FastMan\AppData\Roaming\Dropbox\bin\libcef.dll (*** suspicious ***) @ C:\Users\FastMan\AppData\Roaming\Dropbox\bin\Dropbox.exe [2080](2013-10-18 23:55:02) 000000006ebd0000 Library C:\Users\FastMan\AppData\Roaming\Dropbox\bin\icudt.dll (*** suspicious ***) @ C:\Users\FastMan\AppData\Roaming\Dropbox\bin\Dropbox.exe [2080] 000000006d8f0000 Process C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe (*** suspicious ***) @ C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2744] 00000000011b0000 Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{74B0FC48-A52F-4346-BBF7-2840E8C9FE7B}\mpengine.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [3204] (Microsoft Malware Protection Engine/Microsoft Corporation SIGNED)(2014-01-25 06:21:21) 000007fee08f0000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE1 0xED 0x21 0x9D ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xDD 0x73 0x62 0x17 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x8D 0x7A 0xBC 0xD3 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x1D 0x3C 0x52 0x86 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xDD 0x73 0x62 0x17 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x7F 0xA0 0xC1 0x37 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x1D 0x3C 0x52 0x86 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xDD 0x73 0x62 0x17 ... Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x7F 0xA0 0xC1 0x37 ... ---- EOF - GMER 2.1 ----