GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-04-12 20:14:24 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST320LM0 rev.2AJ1 298,09GB Running: ibghrxzm.exe; Driver: C:\Users\Kasia\AppData\Local\Temp\fwddykob.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\windows\System32\win32k.sys!W32pServiceTable fffff96000114c00 7 bytes [00, 93, F3, FF, 41, A4, F0] .text C:\windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000114c08 3 bytes [00, 07, 02] ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe[2108] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075921401 2 bytes JMP 76b3b21b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe[2108] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075921419 2 bytes JMP 76b3b346 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe[2108] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075921431 2 bytes JMP 76bb8ea9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe[2108] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007592144a 2 bytes CALL 76b148ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe[2108] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000759214dd 2 bytes JMP 76bb87a2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe[2108] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000759214f5 2 bytes JMP 76bb8978 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe[2108] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007592150d 2 bytes JMP 76bb8698 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe[2108] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075921525 2 bytes JMP 76bb8a62 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe[2108] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007592153d 2 bytes JMP 76b2fca8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe[2108] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075921555 2 bytes JMP 76b368ef C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe[2108] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007592156d 2 bytes JMP 76bb8f61 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe[2108] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075921585 2 bytes JMP 76bb8ac2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe[2108] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007592159d 2 bytes JMP 76bb865c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe[2108] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000759215b5 2 bytes JMP 76b2fd41 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe[2108] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000759215cd 2 bytes JMP 76b3b2dc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe[2108] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000759216b2 2 bytes JMP 76bb8e24 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe[2108] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000759216bd 2 bytes JMP 76bb85f1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[5300] C:\windows\syswow64\USER32.dll!GetMenu + 412 0000000076fa51dd 7 bytes JMP 000000011003ac50 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[5300] C:\windows\syswow64\USER32.dll!PeekMessageA + 407 0000000076fa610b 7 bytes JMP 000000011003b000 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[5300] C:\windows\syswow64\USER32.dll!CreateDialogIndirectParamW + 131 0000000076fac6c1 7 bytes JMP 000000011003abc0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[5300] C:\windows\syswow64\USER32.dll!MessageBoxIndirectA + 199 0000000076fefc98 7 bytes JMP 000000011003af50 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[5300] C:\windows\syswow64\USER32.dll!MessageBoxIndirectW + 52 0000000076fefcd1 7 bytes JMP 000000011003adf0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[5300] C:\windows\syswow64\USER32.dll!MessageBoxExA + 31 0000000076fefcf5 7 bytes JMP 000000011003af00 .text C:\Program Files (x86)\Elex-tech\YAC\iSafe.exe[5812] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076b18791 5 bytes JMP 0000000174e1c6d0 .text C:\Program Files (x86)\Elex-tech\YAC\iSafe.exe[5812] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075921401 2 bytes JMP 76b3b21b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Elex-tech\YAC\iSafe.exe[5812] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075921419 2 bytes JMP 76b3b346 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Elex-tech\YAC\iSafe.exe[5812] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075921431 2 bytes JMP 76bb8ea9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Elex-tech\YAC\iSafe.exe[5812] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007592144a 2 bytes CALL 76b148ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Elex-tech\YAC\iSafe.exe[5812] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000759214dd 2 bytes JMP 76bb87a2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Elex-tech\YAC\iSafe.exe[5812] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000759214f5 2 bytes JMP 76bb8978 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Elex-tech\YAC\iSafe.exe[5812] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007592150d 2 bytes JMP 76bb8698 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Elex-tech\YAC\iSafe.exe[5812] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075921525 2 bytes JMP 76bb8a62 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Elex-tech\YAC\iSafe.exe[5812] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007592153d 2 bytes JMP 76b2fca8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Elex-tech\YAC\iSafe.exe[5812] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075921555 2 bytes JMP 76b368ef C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Elex-tech\YAC\iSafe.exe[5812] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007592156d 2 bytes JMP 76bb8f61 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Elex-tech\YAC\iSafe.exe[5812] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075921585 2 bytes JMP 76bb8ac2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Elex-tech\YAC\iSafe.exe[5812] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007592159d 2 bytes JMP 76bb865c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Elex-tech\YAC\iSafe.exe[5812] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000759215b5 2 bytes JMP 76b2fd41 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Elex-tech\YAC\iSafe.exe[5812] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000759215cd 2 bytes JMP 76b3b2dc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Elex-tech\YAC\iSafe.exe[5812] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000759216b2 2 bytes JMP 76bb8e24 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Elex-tech\YAC\iSafe.exe[5812] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000759216bd 2 bytes JMP 76bb85f1 C:\windows\syswow64\kernel32.dll ---- Threads - GMER 2.1 ---- Thread C:\windows\System32\svchost.exe [1128:4972] 000007fef88e44e0 Thread C:\windows\System32\svchost.exe [1128:4764] 000007fef8de89b8 Thread C:\windows\System32\svchost.exe [1128:1388] 000007fef29b3efc Thread C:\windows\System32\svchost.exe [1128:5112] 000007fef29f8a4c Thread C:\windows\system32\svchost.exe [1356:4208] 000007fefb705c24 Thread C:\windows\system32\svchost.exe [1356:4292] 000007fef7fc0ea8 Thread C:\windows\system32\svchost.exe [1356:4328] 000007fef7fb9db0 Thread C:\windows\system32\svchost.exe [1356:4364] 000007fef7fbaa10 Thread C:\windows\system32\svchost.exe [1356:4392] 000007fef7fc1c94 Thread C:\windows\system32\svchost.exe [1356:4816] 000007fefb70eff0 Thread C:\windows\system32\svchost.exe [1356:4456] 000007fef48a4f84 Thread C:\windows\system32\svchost.exe [1356:2688] 000007fef37d034c Thread C:\windows\system32\svchost.exe [1356:2764] 000007fef37cfb90 Thread C:\windows\system32\svchost.exe [1356:5860] 000007fef2d2d3c8 Thread C:\windows\system32\svchost.exe [1356:4664] 000007fef2d2d3c8 Thread C:\windows\system32\svchost.exe [1356:6032] 000007fef2d2d3c8 Thread C:\windows\system32\svchost.exe [1356:5168] 000007fef2d2d3c8 Thread C:\windows\system32\svchost.exe [1652:2208] 000007fef94535c0 Thread C:\windows\system32\svchost.exe [1652:2212] 000007fef9455600 Thread C:\windows\system32\svchost.exe [1652:4172] 000007fefb9e2940 Thread C:\windows\system32\svchost.exe [1652:4192] 000007fefb9c2888 Thread C:\windows\system32\svchost.exe [1652:2508] 000007fefb9c2a40 Thread C:\windows\System32\spoolsv.exe [1968:4636] 000007fef59210c8 Thread C:\windows\System32\spoolsv.exe [1968:4908] 000007fef4426144 Thread C:\windows\System32\spoolsv.exe [1968:4924] 000007fef8745fd0 Thread C:\windows\System32\spoolsv.exe [1968:4928] 000007fef8733438 Thread C:\windows\System32\spoolsv.exe [1968:4932] 000007fef87463ec Thread C:\windows\System32\spoolsv.exe [1968:5064] 000007fefb9b5e5c Thread C:\windows\System32\spoolsv.exe [1968:5068] 000007fefb825074 Thread C:\windows\System32\spoolsv.exe [1968:1524] 000007fef5988760 Thread C:\windows\system32\svchost.exe [3196:4464] 000007fef8745fd0 Thread C:\windows\system32\svchost.exe [3196:4280] 000007fef87463ec Thread C:\windows\system32\svchost.exe [3196:5528] 000007fefa0f5124 ---- Processes - GMER 2.1 ---- Library C:\Users\Kasia\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\windows\Explorer.EXE [3132] (GG drive menu/GG Network S.A.)(201 000000005ff80000 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----