GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-07-05 11:42:33
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.SBDO 111,79GB
Running: sqkhng0f.exe; Driver: C:\Users\WT\AppData\Local\Temp\pxldipow.sys

---- User code sections - GMER 2.1 ----

.text  C:\Windows\SysWOW64\ntdll.dll[1848] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000075708781 4 bytes [C2, 04, 00, 00]
.text  C:\Windows\SysWOW64\ntdll.dll[1848] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17  00000000764e1401 2 bytes JMP 7572b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ntdll.dll[1848] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17  00000000764e1419 2 bytes JMP 7572b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ntdll.dll[1848] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17  00000000764e1431 2 bytes JMP 757a8f29 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ntdll.dll[1848] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42  00000000764e144a 2 bytes CALL 7570489d C:\Windows\syswow64\kernel32.dll
.text  ...
.text  C:\Windows\SysWOW64\ntdll.dll[1848] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17  00000000764e14dd 2 bytes JMP 757a8822 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ntdll.dll[1848] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17  00000000764e14f5 2 bytes JMP 757a89f8 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ntdll.dll[1848] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17  00000000764e150d 2 bytes JMP 757a8718 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ntdll.dll[1848] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17  00000000764e1525 2 bytes JMP 757a8ae2 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ntdll.dll[1848] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17  00000000764e153d 2 bytes JMP 7571fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ntdll.dll[1848] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17  00000000764e1555 2 bytes JMP 757268ef C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ntdll.dll[1848] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17  00000000764e156d 2 bytes JMP 757a8fe3 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ntdll.dll[1848] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17  00000000764e1585 2 bytes JMP 757a8b42 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ntdll.dll[1848] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17  00000000764e159d 2 bytes JMP 757a86dc C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ntdll.dll[1848] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17  00000000764e15b5 2 bytes JMP 7571fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ntdll.dll[1848] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17  00000000764e15cd 2 bytes JMP 7572b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ntdll.dll[1848] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20  00000000764e16b2 2 bytes JMP 757a8ea4 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\ntdll.dll[1848] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31  00000000764e16bd 2 bytes JMP 757a8671 C:\Windows\syswow64\kernel32.dll

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\system32\svchost.exe[504] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress]  [7fefb4b2840] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\svchost.exe[504] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!ReadFile]  [7fefb4b2720] c:\windows\system32\uxtuneup.dll

---- Threads - GMER 2.1 ----

Thread  [940:968]  00000000778ba7b0
Thread  [940:972]  000007fefde4a808
Thread  [940:976]  00000000778bf480
Thread  [940:2096]  000007fefc304af4
Thread  [940:4896]  00000000778bf480
Thread  [940:1584]  00000000778bf480
Thread  [940:1488]  00000000778bf480
Thread  [940:4656]  00000000778bf480
Thread  C:\Windows\System32\svchost.exe [988:1040]  000007fefb9ff2c0
Thread  C:\Windows\System32\svchost.exe [988:1056]  000007fefb976204
Thread  C:\Windows\System32\svchost.exe [988:1336]  000007fefadf2070
Thread  C:\Windows\System32\svchost.exe [988:1344]  000007fefac95428
Thread  C:\Windows\System32\svchost.exe [988:1476]  000007fef92e6b8c
Thread  C:\Windows\System32\svchost.exe [988:4828]  000007fef92e1d88
Thread  C:\Windows\System32\svchost.exe [356:1212]  000007fefb04331c
Thread  C:\Windows\System32\svchost.exe [356:1232]  000007fefb02a2b0
Thread  C:\Windows\System32\svchost.exe [356:1392]  000007fefa8859a0
Thread  C:\Windows\System32\svchost.exe [356:4196]  000007fefbd844e0
Thread  C:\Windows\System32\svchost.exe [356:3892]  000007fef009ffc0
Thread  C:\Windows\System32\svchost.exe [356:3668]  000007fefbd9d710
Thread  [1116:1136]  00000000778ba7b0
Thread  [1116:1168]  00000000778bf480
Thread  [1116:4072]  000007fef85b0ea8
Thread  [1116:1556]  000007fef85a9db0
Thread  [1116:3980]  000007fef85aaa10
Thread  [1116:4092]  000007fef85b1c94
Thread  [1116:4616]  000007fefde4a808
Thread  [1116:672]  000007feebf75c24
Thread  [1116:1412]  000007feebf7eff0
Thread  [1116:1820]  000007fef9334f84
Thread  [1116:2952]  000007fefde4a808
Thread  [1116:4924]  00000000778bf480
Thread  [1116:2680]  000007fef10e6ed4
Thread  [1116:5020]  000007fef10e6b8c
Thread  [1116:5016]  00000000778bf480
Thread  [1116:1716]  00000000778bf480
Thread  [1116:4936]  00000000778bf480
Thread  [1248:1276]  00000000778ba7b0
Thread  [1248:1284]  000007fefae0bfac
Thread  [1248:760]  00000000778bf480
Thread  [1308:1316]  00000000778ba7b0
Thread  [1308:1324]  00000000778bf480
Thread  [1308:1352]  000007fefacd341c
Thread  [1308:1356]  000007fefacd3a2c
Thread  [1308:1360]  000007fefacd3768
Thread  [1308:1364]  000007fefacd5c20
Thread  [1308:1856]  00000000778bf480
Thread  [1308:2388]  000007fefacd3900
Thread  [1308:2116]  000007fef1dabd70
Thread  [1308:2108]  00000000778bf480
Thread  [1308:1580]  000007fefda16e60
Thread  [1308:4612]  000007fef8895170
Thread  [1308:4504]  000007fef0f883d8
Thread  [1308:3824]  000007fef0f883d8
Thread  [1308:3308]  000007fef0053f1c
Thread  [1308:768]  000007fefbc222b8
Thread  [1308:3652]  000007fefbc21a38
Thread  [1308:4808]  000007fefb785388
Thread  [1308:3560]  000007fef13c7738
Thread  [1308:1460]  000007fefa2e1f90
Thread  [1308:4412]  00000000778bf480
Thread  C:\Windows\system32\WLANExt.exe [1400:1512]  0000000180125770
Thread  C:\Windows\system32\WLANExt.exe [1400:1516]  00000001800c4b60
Thread  C:\Windows\system32\WLANExt.exe [1400:1524]  0000000180125770
Thread  C:\Windows\system32\WLANExt.exe [1400:1628]  000007fefa122f9c
Thread  C:\Windows\system32\WLANExt.exe [1400:1868]  00000000008c8bf8
Thread  C:\Windows\system32\WLANExt.exe [1400:1872]  00000000008c8c14
Thread  C:\Windows\system32\WLANExt.exe [1400:1876]  00000000008c8bdc
Thread  C:\Windows\system32\WLANExt.exe [1400:1880]  000007fefa122f9c
Thread  [1500:1544]  000007fefde4a808
Thread  [1500:1548]  00000000778ba7b0
Thread  [1500:2444]  000007fef73a8a30
Thread  [1500:2476]  000007fef64510c8
Thread  [1500:2488]  000007fef6416144
Thread  [1500:2496]  000007fef63c5fd0
Thread  [1500:2500]  000007fef63b3438
Thread  [1500:2504]  000007fef63c63ec
Thread  [1500:2520]  000007fef90e5e5c
Thread  [1500:2532]  000007fef8af5074
Thread  [1500:2616]  000007fef349a9c8
Thread  [1500:2620]  000007fef349a9c8
Thread  [1500:2632]  000007fef349a9c8
Thread  [1500:2636]  000007fef349a9c8
Thread  [1500:4356]  00000000778bf480
Thread  C:\Windows\system32\svchost.exe [1600:1196]  000007fef8fc35c0
Thread  C:\Windows\system32\svchost.exe [1600:732]  000007fef8fc5600
Thread  C:\Windows\system32\svchost.exe [1600:708]  000007fefa482940
Thread  C:\Windows\system32\svchost.exe [1600:3696]  000007fef3fb2a40
Thread  C:\Windows\system32\svchost.exe [1600:4824]  000007fef3fb2888
Thread  C:\Windows\SysWOW64\ntdll.dll [1848:1928]  00000000013b74bc
Thread  C:\Windows\SysWOW64\ntdll.dll [1848:2684]  0000000001364f40
Thread  C:\Windows\SysWOW64\ntdll.dll [1848:2688]  0000000002954e70
Thread  C:\Windows\SysWOW64\ntdll.dll [1848:2692]  0000000002954e70
Thread  C:\Windows\SysWOW64\ntdll.dll [1848:2784]  00000000013142c0
Thread  C:\Windows\SysWOW64\ntdll.dll [1848:2796]  0000000001370190
Thread  C:\Windows\SysWOW64\ntdll.dll [1848:2804]  0000000001370190
Thread  C:\Windows\SysWOW64\ntdll.dll [1848:2808]  0000000001370190
Thread  C:\Windows\SysWOW64\ntdll.dll [1848:4372]  0000000001370190
Thread  C:\Windows\SysWOW64\ntdll.dll [1848:3932]  0000000001356a00
Thread  C:\Windows\system32\taskhost.exe [2164:2228]  000007fef90c1f38
Thread  C:\Windows\system32\taskhost.exe [2164:2232]  000007fef8812740
Thread  C:\Windows\system32\taskhost.exe [2164:2352]  000007fefb221010
Thread  C:\Windows\system32\taskhost.exe [2164:1532]  000007fef8895170
Thread  C:\Windows\Explorer.EXE [2364:3984]  000007fef1312154
Thread  C:\Windows\Explorer.EXE [2364:4012]  000007fefb976204
Thread  C:\Windows\Explorer.EXE [2364:5048]  000007feee5c2118
Thread  C:\Windows\Explorer.EXE [2364:4492]  000007fefb221010
Thread  C:\Windows\Explorer.EXE [2364:4644]  000007fefa122f9c
Thread  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2528:2548]  0000000077ad2855
Thread  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2528:2560]  0000000075687587
Thread  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2528:2556]  0000000077ac1415
Thread  C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [3532:4672]  000007feede24560
Thread  C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [3532:4952]  000007feede24560
Thread  C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [3532:4976]  000007feede24560
Thread  C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [3532:4928]  000007feede24560
Thread  C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [3532:4984]  000007feede24560
Thread  C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [3532:4336]  000007feede2a918
Thread  C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [3532:4964]  000007feede24560
Thread  C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [3532:4216]  000007feede24560
Thread  C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [3532:4208]  000007feede24560
Thread  C:\Program Files (x86)\AVG Secure Search\vprot.exe [5004:4276]  0000000073fe9963
Thread  C:\Windows\System32\svchost.exe [4744:2800]  000007feefe09688
Thread  [3152:2348]  00000000778ba7b0
Thread  [3152:2592]  00000000778bf480
Thread  [3152:2960]  00000000778bf480
Thread  [3152:5076]  00000000778bf480
Thread  [3152:4692]  000007fef63c5fd0
Thread  [3152:1144]  000007fef63c63ec
Thread  [3152:4152]  00000000778bf480

---- Processes - GMER 2.1 ----

Library  C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2364] (GG drive overlay/GG Network S.A.)(2014-04-29 08:15:26)  000000005c080000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001c26db6554
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001c26db6554@5cb524cce6cb  0xF8 0x22 0x9C 0x6D ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001c26db6554@ccfa00662547  0x28 0xEA 0xAD 0xAD ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001c26db6554 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001c26db6554@5cb524cce6cb  0xF8 0x22 0x9C 0x6D ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001c26db6554@ccfa00662547  0x28 0xEA 0xAD 0xAD ...

---- EOF - GMER 2.1 ----