GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-10 22:39:45
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD75 rev.03.0 698,64GB
Running: GMER.exe; Driver: C:\Users\Marta\AppData\Local\Temp\fwddikog.sys

---- User code sections - GMER 2.1 ----

.text C:\windows\system32\Dwm.exe[1104] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf28ef0 5 bytes JMP 000007fffcf100b8
.text C:\windows\system32\Dwm.exe[1104] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefcf2bfd0 5 bytes JMP 000007fffcf10038
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[3344] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000076c56440 5 bytes JMP 0000000162424000
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[3344] C:\windows\system32\kernel32.dll!LoadLibraryA 0000000076c56530 5 bytes JMP 0000000162423ef4
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4852] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000076c56440 5 bytes JMP 0000000169ff0038
.text C:\Program Files\Windows Sidebar\sidebar.exe[1732] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcf28ef0 5 bytes JMP 000007fffcf000b8
.text C:\Program Files\Windows Sidebar\sidebar.exe[1732] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefcf2bfd0 5 bytes JMP 000007fffcf00038
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3484] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000759448db 5 bytes JMP 0000000100632710
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3484] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000759448f3 5 bytes JMP 00000001006327f0
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3484] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075944925 5 bytes JMP 0000000100632780
.text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3132] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000759448db 5 bytes JMP 0000000100372710
.text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3132] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000759448f3 5 bytes JMP 00000001003727f0
.text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[3132] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075944925 5 bytes JMP 0000000100372780
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3164] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000759448db 5 bytes JMP 0000000110002710
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3164] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000759448f3 5 bytes JMP 00000001100027f0
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3164] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075944925 5 bytes JMP 0000000110002780
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3164] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075309d0b 5 bytes JMP 0000000110002850

---- User IAT/EAT - GMER 2.1 ----

IAT C:\windows\system32\mfevtps.exe[2140] @ C:\windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA] [13fe9c0c0] C:\windows\system32\mfevtps.exe

---- Threads - GMER 2.1 ----

Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2932:2976] 0000000072ec6358
Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2932:3084] 000000007286f71d
Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2932:3192] 000000007286f71d
Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2932:3196] 0000000072865b1a
Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2932:3660] 0000000072e70b14

---- Processes - GMER 2.1 ----

Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\windows\Explorer.EXE [1624] (GG drive overlay/GG Network S.A.)(2012-04-01 07:58:36) 000000005c080000
Library C:\ProgramData\GG\ggdrive\ggdrive-proxy.dll (*** suspicious ***) @ C:\windows\Explorer.EXE [1624] (GG drive proxy/GG Network S.A.)(2012-04-01 07:58:36) 00000000590b0000
Library C:\Users\Marta\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\windows\Explorer.EXE [1624] (GG drive menu/GG Network S.A.)(201 000000005ff80000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076fc1a13
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\60d819ec78d5
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\60d819ec78d5@cc52af16f510 0x53 0xC0 0x62 0x4B ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\60d819ec78d5@30392671fd80 0xB7 0xCC 0x3F 0x69 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\60d819ec78d5@9c3aafae872d 0xBC 0x3D 0xFB 0x91 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Teredo\PreviousState\98-fc-11-9c-fa-84@ClientLocalPort 57617
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Teredo\PreviousState\98-fc-11-9c-fa-84@TeredoAddress 2001:0:9d38:6ab8:185a:1eee:acec:f0ae
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 438241
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 16206
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters@DhcpNameServer 194.204.152.34 194.204.152.1
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076fc1a13 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\60d819ec78d5 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\60d819ec78d5@cc52af16f510 0x53 0xC0 0x62 0x4B ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\60d819ec78d5@30392671fd80 0xB7 0xCC 0x3F 0x69 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\60d819ec78d5@9c3aafae872d 0xBC 0x3D 0xFB 0x91 ...

---- EOF - GMER 2.1 ----