GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-03-02 16:35:15 Windows 6.2.9200 x64 \Device\Harddisk1\DR1 -> \Device\00000039 ________ rev.541A 223,57GB Running: fjys1m2t.exe; Driver: C:\Users\Agata\AppData\Local\Temp\fwtdapow.sys ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\csrss.exe [760:784] fffff960009912d0 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1868] (GG drive overlay/GG Network S.A.)(2014-06-25 07:05:00) 000000005c080000 Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\explorer.exe [1144] (GG drive overlay/GG Network S.A.)(2014-06-25 07:05:00) 000000005c080000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x61 0x18 0x52 0xF1 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x61 0x18 0x52 0xF1 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x12 0x63 0x7E 0x58 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x12 0x63 0x7E 0x58 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 157 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\GSM4B2155111_05_07D7_3D^88FFB938F6CFBE78E13491C82DF1D5AB@Timestamp 0xEE 0x55 0xD9 0xF1 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 872 Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{AE24C082-4C7D-4E5F-B778-4E4D4679E9AC}\Connection@Name Reusable ISATAP Interface {AE24C082-4C7D-4E5F-B778-4E4D4679E9AC} Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 3900137 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 1286102920 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 159 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 436524765 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 12318 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 11498 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 66dfe76c-1a1d-4890-9fb6-4ed865c Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog@FileCounter 3 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger@FileCounter 9 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{46c33c88-f876-419a-8e62-4d9049d66902}@LastProbeTime 1425312172 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{AE24C082-4C7D-4E5F-B778-4E4D4679E9AC}@InterfaceName Reusable ISATAP Interface {AE24C082-4C7D-4E5F-B778-4E4D4679E9AC} Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{AE24C082-4C7D-4E5F-B778-4E4D4679E9AC}@ReusableType 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\d8-5d-4c-f5-8d-19@AddressCreationTimestamp 0x9F 0x0C 0x05 0x0B ... Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 5139 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 1241 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-In v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|LPort=3587|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=p2psvc|Name=@%systemroot%\system32\provsvc.dll,-200|Desc=@%systemroot%\system32\provsvc.dll,-201|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-Out v2.22|Action=Allow|Active=FALSE|Dir=Out|Protocol=6|Profile=Private|RPort=3587|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=p2psvc|Name=@%systemroot%\system32\provsvc.dll,-203|Desc=@%systemroot%\system32\provsvc.dll,-204|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-In v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Private|LPort=3540|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|Name=@%systemroot%\system32\provsvc.dll,-205|Desc=@%systemroot%\system32\provsvc.dll,-206|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-Out v2.22|Action=Allow|Active=FALSE|Dir=Out|Protocol=17|Profile=Private|RPort=3540|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|Name=@%systemroot%\system32\provsvc.dll,-207|Desc=@%systemroot%\system32\provsvc.dll,-208|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202| Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 158 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F1A0719F-161A-42CE-BD0D-53381EF9DFEF}@LeaseObtainedTime 1425308569 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F1A0719F-161A-42CE-BD0D-53381EF9DFEF}@T1 1425438169 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F1A0719F-161A-42CE-BD0D-53381EF9DFEF}@T2 1425535369 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F1A0719F-161A-42CE-BD0D-53381EF9DFEF}@LeaseTerminatesTime 1425567769 Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter 155 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsBandwidthBucketCounter 9034 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter 25 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0x86 0xB6 0x87 0x16 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0x86 0xB6 0x87 0x16 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0x86 0xB6 0x87 0x16 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter 12873 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter 25 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0x86 0xB6 0x87 0x16 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime 0x59 0xDD 0xBB 0x14 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@RoamingSyncToken LM%3d63560905429877%3bID%3d34C7DA70BD080149!106%3bLR%3d63560905426160%3bEP%3d4%3bTD%3dTrue%3bSO%3d0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0x2D 0x87 0x6F 0x0B ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations 7 Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting@LastRateLimitedDumpGenerationTime 0xD1 0xEC 0x1C 0x3E ... Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\Users\Agata\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_Data Reconnect_9f56ad13199ae1dbaa153e4f8f9fd1de90c3efef_00000000_cab_16b4af9f ---- EOF - GMER 2.1 ----