GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-12-12 21:34:45
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD5000AAKX-00ERMA0 rev.15.01H15 465,76GB
Running: g0wh20q7.exe; Driver: C:\Users\HolloW\AppData\Local\Temp\pwtoypog.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031f0000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800031f002f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text C:\Windows\SysWOW64\C2MP\TrayMenu.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000776b1465 2 bytes [6B, 77]
.text C:\Windows\SysWOW64\C2MP\TrayMenu.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000776b14bb 2 bytes [6B, 77]
.text ... * 2
.text C:\Windows\system32\SearchProtocolHost.exe[6096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077551650 5 bytes JMP 00000000776b0018
.text C:\Windows\system32\wuauclt.exe[3592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077551650 5 bytes JMP 00000000776b0018
.text C:\Users\HolloW\Downloads\g0wh20q7.exe[3308] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000776ffe14 5 bytes JMP 0000000174411000

---- Processes - GMER 2.1 ----

Library C:\Users\HolloW\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2236] (GG drive menu/GG Network S.A.)(2 000000005ff80000

---- Registry - GMER 2.1 ----

Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\HolloW\AppData\Local\Logitech® Webcam Software\Logishrd\LU2.0\LogitechUpdate.exe 1

---- Files - GMER 2.1 ----

File C:\Users\HolloW\AppData\Local\Mozilla\Firefox\Profiles\zd8z3r72.default\cache2\entries\68CBB3D4FF01583F929527ECCB03005339DD0E86 0 bytes
File C:\Users\HolloW\AppData\Local\Mozilla\Firefox\Profiles\zd8z3r72.default\cache2\entries\ACE86E0A5714064AA7EA567A64392717190BD3C4 0 bytes
File C:\Users\HolloW\AppData\Local\Mozilla\Firefox\Profiles\zd8z3r72.default\cache2\entries\2FCBE12F2DFFF97E4550C3C13015E571D2F5D4AC 0 bytes
File C:\Users\HolloW\AppData\Local\Mozilla\Firefox\Profiles\zd8z3r72.default\cache2\entries\5DD7AB04883268D7A6594EA26BF1E59F05802C64 0 bytes
File C:\Users\HolloW\AppData\Local\Mozilla\Firefox\Profiles\zd8z3r72.default\cache2\entries\E471475CF6364B46F5684CF3EDC5E2EC53DDCD3B 0 bytes
File C:\Users\HolloW\AppData\Local\Mozilla\Firefox\Profiles\zd8z3r72.default\cache2\entries\080C80AC29DAEA3C55E35A5D0217EAED8B6D4E3E 3649 bytes

---- EOF - GMER 2.1 ----