GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-18 12:55:09 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000059 WDC_WD50 rev.01.0 465,76GB Running: gqeyv4jx.exe; Driver: C:\Users\user\AppData\Local\Temp\aftcaaob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff8000320a000 45 bytes [00, 00, 16, 02, 4E, 74, 66, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff8000320a02f 29 bytes [00, 01, 00, 06, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[536] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778cef8d 1 byte [62] .text C:\Windows\system32\services.exe[604] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778cef8d 1 byte [62] .text C:\Windows\system32\winlogon.exe[760] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778cef8d 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[908] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778cef8d 1 byte [62] .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778cef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[368] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778cef8d 1 byte [62] .text C:\Windows\Explorer.EXE[1464] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778cef8d 1 byte [62] .text C:\Windows\system32\taskhost.exe[1608] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778cef8d 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1768] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760da2fd 1 byte [62] .text C:\Windows\PLFSetI.exe[2044] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760da2fd 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1080] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778cef8d 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1456] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778cef8d 1 byte [62] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1484] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760da2fd 1 byte [62] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1484] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000764f1401 2 bytes JMP 760db21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1484] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000764f1419 2 bytes JMP 760db346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000764f1431 2 bytes JMP 76158ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000764f144a 2 bytes CALL 760b48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1484] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764f14dd 2 bytes JMP 761587a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1484] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764f14f5 2 bytes JMP 76158978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1484] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000764f150d 2 bytes JMP 76158698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1484] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000764f1525 2 bytes JMP 76158a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1484] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000764f153d 2 bytes JMP 760cfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1484] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000764f1555 2 bytes JMP 760d68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1484] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000764f156d 2 bytes JMP 76158f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1484] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000764f1585 2 bytes JMP 76158ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1484] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000764f159d 2 bytes JMP 7615865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1484] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764f15b5 2 bytes JMP 760cfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1484] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764f15cd 2 bytes JMP 760db2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1484] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764f16b2 2 bytes JMP 76158e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[1484] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764f16bd 2 bytes JMP 761585f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000760b8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2228] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760da2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2312] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760da2fd 1 byte [62] .text C:\Windows\SysWOW64\svchost.exe[2376] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760da2fd 1 byte [62] .text c:\oraclexe\app\oracle\product\11.2.0\server\bin\ORACLE.EXE[2880] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778cef8d 1 byte [62] .text C:\oraclexe\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[1804] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778cef8d 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760da2fd 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000741217fa 2 bytes CALL 760b11a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000074121860 2 bytes CALL 760b11a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000074121942 2 bytes JMP 75c07089 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 000000007412194d 2 bytes JMP 75c0cba6 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000764f1401 2 bytes JMP 760db21b C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000764f1419 2 bytes JMP 760db346 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000764f1431 2 bytes JMP 76158ea9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000764f144a 2 bytes CALL 760b48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764f14dd 2 bytes JMP 761587a2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764f14f5 2 bytes JMP 76158978 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000764f150d 2 bytes JMP 76158698 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000764f1525 2 bytes JMP 76158a62 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000764f153d 2 bytes JMP 760cfca8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000764f1555 2 bytes JMP 760d68ef C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000764f156d 2 bytes JMP 76158f61 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000764f1585 2 bytes JMP 76158ac2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000764f159d 2 bytes JMP 7615865c C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764f15b5 2 bytes JMP 760cfd41 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764f15cd 2 bytes JMP 760db2dc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764f16b2 2 bytes JMP 76158e24 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[480] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764f16bd 2 bytes JMP 761585f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2236] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760da2fd 1 byte [62] .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2236] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 00000000764f1401 2 bytes JMP 760db21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2236] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 00000000764f1419 2 bytes JMP 760db346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2236] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 00000000764f1431 2 bytes JMP 76158ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2236] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 00000000764f144a 2 bytes CALL 760b48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2236] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000764f14dd 2 bytes JMP 761587a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2236] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000764f14f5 2 bytes JMP 76158978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2236] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 00000000764f150d 2 bytes JMP 76158698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2236] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 00000000764f1525 2 bytes JMP 76158a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2236] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 00000000764f153d 2 bytes JMP 760cfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2236] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 00000000764f1555 2 bytes JMP 760d68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2236] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 00000000764f156d 2 bytes JMP 76158f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2236] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 00000000764f1585 2 bytes JMP 76158ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2236] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 00000000764f159d 2 bytes JMP 7615865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2236] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000764f15b5 2 bytes JMP 760cfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2236] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000764f15cd 2 bytes JMP 760db2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2236] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000764f16b2 2 bytes JMP 76158e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2236] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000764f16bd 2 bytes JMP 761585f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\System32\svchost.exe[3904] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000778cef8d 1 byte [62] .text C:\Users\user\Downloads\gqeyv4jx.exe[2328] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000760da2fd 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:2720] 0000000077cc3e85 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:2752] 0000000077cc2e65 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:2836] 00000000744b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:2840] 00000000744b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:2844] 00000000744b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:2848] 00000000744b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:2852] 00000000744b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:2856] 00000000744b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:2988] 00000000744b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:2992] 00000000744b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:2996] 00000000744b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:3000] 00000000744b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:3004] 00000000744b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:3008] 00000000744b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:3012] 00000000744b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:3020] 00000000744b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:3024] 00000000744b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:3032] 00000000744b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:3040] 0000000077cc3e85 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:3056] 00000000744b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:3060] 00000000744b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:2080] 00000000744b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:3316] 00000000744b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:3472] 00000000744b29e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2512:3476] 00000000744b29e1 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe [4192:4988] 000000006b300dc7 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe [4192:4100] 000000006b3b36af Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe [4192:1308] 0000000077cc2e65 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe [4192:4756] 000000006b39ff4d Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe [4192:4412] 000000006b3b36af Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe [4192:1416] 000000006b3b36af Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe [4192:4036] 0000000077cc3e85 Thread C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\ide\mspdbsrv.exe [4848:1884] 0000000077cc2e65 Thread C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\ide\mspdbsrv.exe [4848:4832] 0000000077cc3e85 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1464] (GG drive overlay/GG Network S.A.)(2014-04-11 18:43:53) 000000005c080000 Library C:\Users\user\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1464] (GG drive menu/GG Network S.A.)(2014- 000000005ff80000 ---- EOF - GMER 2.1 ----