GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-08 20:00:43 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST932032 rev.0004 298,09GB Running: 0zv11n5c.exe; Driver: C:\Users\Madzia\AppData\Local\Temp\pwdiapow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80003dc1000 45 bytes [01, 00, 00, 00, 00, 00, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff80003dc102f 16 bytes [00, 01, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1828] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000075e91401 2 bytes JMP 000000010679a47b .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1828] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000075e91419 2 bytes JMP 000000010679a493 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1828] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000075e91431 2 bytes JMP 000000010679a4ab .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1828] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000075e9144a 2 bytes JMP 0000000075f5fcc4 .text ... * 9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1828] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000075e914dd 2 bytes JMP 000000010679a557 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1828] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000075e914f5 2 bytes JMP 000000010679a56f .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1828] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000075e9150d 2 bytes JMP 000000010679a587 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1828] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000075e91525 2 bytes JMP 000000010679a59f .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1828] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000075e9153d 2 bytes JMP 000000010679a5b7 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1828] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000075e91555 2 bytes JMP 000000010679a5cf .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1828] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000075e9156d 2 bytes JMP 000000010679a5e7 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1828] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000075e91585 2 bytes JMP 000000010679a5ff .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1828] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000075e9159d 2 bytes JMP 000000010679a617 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1828] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000075e915b5 2 bytes JMP 000000010679a62f .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1828] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000075e915cd 2 bytes JMP 000000015c37ce47 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1828] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000075e916b2 2 bytes JMP 000000010679a72c .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1828] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000075e916bd 2 bytes JMP 000000010679a737 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e91401 2 bytes JMP 000000010679a47b .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[2008] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e91419 2 bytes JMP 000000010679a493 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e91431 2 bytes JMP 000000010679a4ab .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e9144a 2 bytes JMP 0000000075f5fcc4 .text ... * 9 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[2008] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e914dd 2 bytes JMP 000000010679a557 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e914f5 2 bytes JMP 000000010679a56f .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[2008] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e9150d 2 bytes JMP 000000010679a587 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e91525 2 bytes JMP 000000010679a59f .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e9153d 2 bytes JMP 000000010679a5b7 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[2008] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e91555 2 bytes JMP 000000010679a5cf .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e9156d 2 bytes JMP 000000010679a5e7 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e91585 2 bytes JMP 000000010679a5ff .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[2008] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e9159d 2 bytes JMP 000000010679a617 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e915b5 2 bytes JMP 000000010679a62f .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e915cd 2 bytes JMP 000000015c37ce47 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e916b2 2 bytes JMP 000000010679a72c .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe[2008] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e916bd 2 bytes JMP 000000010679a737 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075e91401 2 bytes JMP 000000010679a47b .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[1108] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075e91419 2 bytes JMP 000000010679a493 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075e91431 2 bytes JMP 000000010679a4ab .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075e9144a 2 bytes JMP 0000000075f5fcc4 .text ... * 9 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[1108] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075e914dd 2 bytes JMP 000000010679a557 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075e914f5 2 bytes JMP 000000010679a56f .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[1108] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075e9150d 2 bytes JMP 000000010679a587 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075e91525 2 bytes JMP 000000010679a59f .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075e9153d 2 bytes JMP 000000010679a5b7 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[1108] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075e91555 2 bytes JMP 000000010679a5cf .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075e9156d 2 bytes JMP 000000010679a5e7 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075e91585 2 bytes JMP 000000010679a5ff .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[1108] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075e9159d 2 bytes JMP 000000010679a617 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075e915b5 2 bytes JMP 000000010679a62f .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075e915cd 2 bytes JMP 000000015c37ce47 .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075e916b2 2 bytes JMP 000000010679a72c .text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[1108] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075e916bd 2 bytes JMP 000000010679a737 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [612:3708] 000007feeaf89688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [888:2512] 000007fefc092a7c ---- Processes - GMER 2.1 ---- Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2096] (GG drive overlay/GG Network S.A.)(2012-04-11 17:48:50) 000000005c080000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0024337515e6 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00243388de53 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00264370ad09 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00264370ad09@60d0a9564a5a 0x3A 0xE2 0x46 0xFB ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00264370ad09@001a6bee8b96 0x8E 0x7B 0x7F 0x58 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00264370ad09@002567d495cf 0x84 0xCA 0xE4 0xF4 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00264370ad09@945103fb917c 0x8C 0x91 0x2C 0xE7 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00264370ad09@58c38be58201 0x74 0xA8 0x19 0xBC ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00264370ad09@78471d495d8c 0x41 0xFC 0x81 0x56 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00264370ad09@30392645ef84 0x67 0x84 0x31 0xDE ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00264370ad09@4c809302b0f1 0x36 0xB7 0xE5 0x7D ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00264370ad09@e440e218b195 0x19 0xAC 0x06 0xF3 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0024337515e6 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00243388de53 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00264370ad09 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00264370ad09@60d0a9564a5a 0x3A 0xE2 0x46 0xFB ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00264370ad09@001a6bee8b96 0x8E 0x7B 0x7F 0x58 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00264370ad09@002567d495cf 0x84 0xCA 0xE4 0xF4 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00264370ad09@945103fb917c 0x8C 0x91 0x2C 0xE7 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00264370ad09@58c38be58201 0x74 0xA8 0x19 0xBC ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00264370ad09@78471d495d8c 0x41 0xFC 0x81 0x56 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00264370ad09@30392645ef84 0x67 0x84 0x31 0xDE ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00264370ad09@4c809302b0f1 0x36 0xB7 0xE5 0x7D ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00264370ad09@e440e218b195 0x19 0xAC 0x06 0xF3 ... ---- EOF - GMER 2.1 ----