GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-01-13 18:21:51
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000DM003-9YN162 rev.CC4C 931,51GB
Running: eyut64vb.exe; Driver: C:\Users\MARCIN~1\AppData\Local\Temp\awlirpoc.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80003607000 52 bytes [FF, FF, FF, FF, FF, FF, FF, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 582 fffff80003607036 27 bytes [FF, FF, FF, FF, FF, FF, FF, ...]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\AVAST Software\Avast\afwServ.exe[1748] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076168791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text C:\Program Files\AVAST Software\Avast\avastui.exe[5116] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076168791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text D:\gry\steam\Steam.exe[5372] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000076001401 2 bytes JMP 7618b21b C:\Windows\syswow64\kernel32.dll
.text D:\gry\steam\Steam.exe[5372] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000076001419 2 bytes JMP 7618b346 C:\Windows\syswow64\kernel32.dll
.text D:\gry\steam\Steam.exe[5372] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000076001431 2 bytes JMP 76208ea9 C:\Windows\syswow64\kernel32.dll
.text D:\gry\steam\Steam.exe[5372] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 000000007600144a 2 bytes CALL 761648ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text D:\gry\steam\Steam.exe[5372] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000760014dd 2 bytes JMP 762087a2 C:\Windows\syswow64\kernel32.dll
.text D:\gry\steam\Steam.exe[5372] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000760014f5 2 bytes JMP 76208978 C:\Windows\syswow64\kernel32.dll
.text D:\gry\steam\Steam.exe[5372] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 000000007600150d 2 bytes JMP 76208698 C:\Windows\syswow64\kernel32.dll
.text D:\gry\steam\Steam.exe[5372] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000076001525 2 bytes JMP 76208a62 C:\Windows\syswow64\kernel32.dll
.text D:\gry\steam\Steam.exe[5372] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 000000007600153d 2 bytes JMP 7617fca8 C:\Windows\syswow64\kernel32.dll
.text D:\gry\steam\Steam.exe[5372] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000076001555 2 bytes JMP 761868ef C:\Windows\syswow64\kernel32.dll
.text D:\gry\steam\Steam.exe[5372] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 000000007600156d 2 bytes JMP 76208f61 C:\Windows\syswow64\kernel32.dll
.text D:\gry\steam\Steam.exe[5372] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000076001585 2 bytes JMP 76208ac2 C:\Windows\syswow64\kernel32.dll
.text D:\gry\steam\Steam.exe[5372] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 000000007600159d 2 bytes JMP 7620865c C:\Windows\syswow64\kernel32.dll
.text D:\gry\steam\Steam.exe[5372] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000760015b5 2 bytes JMP 7617fd41 C:\Windows\syswow64\kernel32.dll
.text D:\gry\steam\Steam.exe[5372] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000760015cd 2 bytes JMP 7618b2dc C:\Windows\syswow64\kernel32.dll
.text D:\gry\steam\Steam.exe[5372] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000760016b2 2 bytes JMP 76208e24 C:\Windows\syswow64\kernel32.dll
.text D:\gry\steam\Steam.exe[5372] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000760016bd 2 bytes JMP 762085f1 C:\Windows\syswow64\kernel32.dll

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1524] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef7f4741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1524] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef7f45f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1524] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef7f45674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1524] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef7f45e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1524] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef7f47f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1524] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef7f46a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1524] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef7f46ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1524] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef7f47b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1524] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef7f47ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1524] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef7f478b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1524] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef7f44fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1524] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef7f45d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1524] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef7f47584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Processes - GMER 2.1 ----

Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [3692] (GG drive overlay/GG Network S.A.)(2012-05-16 15:33:26) 000000005c080000
Library C:\Users\Marcin_GW\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [3692] (GG drive menu/GG Network S.A.)(2012-05-16 15:32:43) 000000005ff80000

---- Files - GMER 2.1 ----

File C:\Users\Marcin_GW\AppData\Local\Mozilla\Firefox\Profiles\5vvnts7o.default\cache2\entries\B64B81A5C6F969E61F941455DD49968E590F73DB 0 bytes
File C:\avast! sandbox 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Program Files 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Program Files\AVAST Software 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Program Files\AVAST Software\Avast 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Program Files\AVAST Software\Avast\sfzone 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\3F1A.tmp 1716 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\Network Action Predictor 3072 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\Archived History 53248 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\Bookmarks 779 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\Bookmarks.bak 779 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\Cache 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\Cache\data_0 45056 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\Cache\data_1 270336 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\Cache\data_2 1056768 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\Cache\data_3 8192 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\Cache\index 524656 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\Cookies 7168 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\Current Session 3085 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\Current Tabs 8 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\Favicons 16384 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\History 86016 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\History Provider Cache 11 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\History-journal 8720 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\JumpListIcons 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\JumpListIconsOld 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\Last Tabs 8 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\Preferences 25048 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\Shortcuts 12288 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\Top Sites 20480 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\User StyleSheets 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\User StyleSheets\Custom.css 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\Visited Links 131072 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\Web Data 75776 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Default\Web Data-journal 4624 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Local State 1920 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\PepperFlash 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Safe Browsing Bloom 2723404 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Safe Browsing Bloom Filter 2 833028 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Safe Browsing Csd Whitelist 134356 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Safe Browsing Download 1439576 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Chromium\User Data\Safe Browsing Download Whitelist 16600 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Local\Temp 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Roaming 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Roaming\Microsoft 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Roaming\Microsoft\Windows 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Roaming\Microsoft\Windows\Recent 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Users\Marcin_GW\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3373c9ebc3a5e445.customDestinations-ms 6112 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Windows 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Windows\Prefetch 0 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Windows\Prefetch\CTFMON.EXE-79423C0A.pf 24522 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\C\Windows\Prefetch\SAFEZONEBROWSER.EXE-74FF4DA2.pf 104992 bytes
File C:\avast! sandbox\S-1-5-21-2390189086-3348412821-3457465990-1000\sfzone\snx_fs.dat 13198 bytes
File C:\avast! sandbox\snx_rhive 262144 bytes
File C:\avast! sandbox\snx_rhive.LOG1 33792 bytes
File C:\avast! sandbox\snx_rhive.LOG2 0 bytes
File C:\avast! sandbox\snx_rhive{cf84e77d-c1de-11e1-9b6b-ad5f3213df5b}.TM.blf 65536 bytes
File C:\avast! sandbox\snx_rhive{cf84e77d-c1de-11e1-9b6b-ad5f3213df5b}.TMContainer00000000000000000001.regtrans-ms 524288 bytes
File C:\avast! sandbox\snx_rhive{cf84e77d-c1de-11e1-9b6b-ad5f3213df5b}.TMContainer00000000000000000002.regtrans-ms 524288 bytes

---- EOF - GMER 2.1 ----