GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-10-17 19:56:11
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD75 rev.02.0 698,64GB
Running: vvz3wr1i.exe; Driver: C:\Users\Emilka\AppData\Local\Temp\awrdqpog.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe[2328]  C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076881401 2 bytes JMP 76e0b21b C:\windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe[2328]  C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076881419 2 bytes JMP 76e0b346 C:\windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe[2328]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076881431 2 bytes JMP 76e88fd1 C:\windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe[2328]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007688144a 2 bytes CALL 76de489d C:\windows\syswow64\KERNEL32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe[2328]  C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000768814dd 2 bytes JMP 76e888c4 C:\windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe[2328]  C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000768814f5 2 bytes JMP 76e88aa0 C:\windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe[2328]  C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007688150d 2 bytes JMP 76e887ba C:\windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe[2328]  C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076881525 2 bytes JMP 76e88b8a C:\windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe[2328]  C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007688153d 2 bytes JMP 76dffca8 C:\windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe[2328]  C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076881555 2 bytes JMP 76e068ef C:\windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe[2328]  C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007688156d 2 bytes JMP 76e89089 C:\windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe[2328]  C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076881585 2 bytes JMP 76e88bea C:\windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe[2328]  C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007688159d 2 bytes JMP 76e8877e C:\windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe[2328]  C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000768815b5 2 bytes JMP 76dffd41 C:\windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe[2328]  C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000768815cd 2 bytes JMP 76e0b2dc C:\windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe[2328]  C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000768816b2 2 bytes JMP 76e88f4c C:\windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe[2328]  C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000768816bd 2 bytes JMP 76e88713 C:\windows\syswow64\KERNEL32.dll
?      C:\windows\system32\mssprxy.dll [2716] entry point in ".rdata" section 000000006b4371e6
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3016]  C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076881401 2 bytes JMP 76e0b21b C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3016]  C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076881419 2 bytes JMP 76e0b346 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3016]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076881431 2 bytes JMP 76e88fd1 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3016]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007688144a 2 bytes CALL 76de489d C:\windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3016]  C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000768814dd 2 bytes JMP 76e888c4 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3016]  C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000768814f5 2 bytes JMP 76e88aa0 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3016]  C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007688150d 2 bytes JMP 76e887ba C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3016]  C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076881525 2 bytes JMP 76e88b8a C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3016]  C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007688153d 2 bytes JMP 76dffca8 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3016]  C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076881555 2 bytes JMP 76e068ef C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3016]  C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007688156d 2 bytes JMP 76e89089 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3016]  C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076881585 2 bytes JMP 76e88bea C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3016]  C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007688159d 2 bytes JMP 76e8877e C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3016]  C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000768815b5 2 bytes JMP 76dffd41 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3016]  C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000768815cd 2 bytes JMP 76e0b2dc C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3016]  C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000768816b2 2 bytes JMP 76e88f4c C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3016]  C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000768816bd 2 bytes JMP 76e88713 C:\windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4396:5020]  000007fefbc02ae8
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4396:5028]  000007feefcd5648
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [4396:3312]  000007fef9305124

---- Processes - GMER 2.1 ----

Library  C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\windows\Explorer.EXE [1420] (GG drive overlay/GG Network S.A.)(2014-02-03 21:06:09)  000000005c080000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076fc1a13
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\3859f9fa7f9c
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\3859f9fa7f9c@9463d13e0b70  0x1B 0x59 0x8B 0x12 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{9144996E-342E-40DD-B960-D388F46E77B7}@LeaseObtainedTime  1445100844
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{9144996E-342E-40DD-B960-D388F46E77B7}@T1  1445100971
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{9144996E-342E-40DD-B960-D388F46E77B7}@T2  1445101067
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{9144996E-342E-40DD-B960-D388F46E77B7}@LeaseTerminatesTime  1445101099
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076fc1a13 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\3859f9fa7f9c (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\3859f9fa7f9c@9463d13e0b70  0x1B 0x59 0x8B 0x12 ...

---- EOF - GMER 2.1 ----