GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-11-11 04:52:31
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP4T0L0-5 SAMSUNG_HD322IJ rev.1AC01113 298,09GB
Running: vu2g2btf.exe; Driver: C:\Users\nostra\AppData\Local\Temp\uwrdqpob.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1776] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000075758781 4 bytes [C2, 04, 00, 00]
.text  E:\Program Files (x86)\RocketDock\RocketDock.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000074ec1401 2 bytes JMP 7577b21b C:\Windows\syswow64\kernel32.dll
.text  E:\Program Files (x86)\RocketDock\RocketDock.exe[3108] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000074ec1419 2 bytes JMP 7577b346 C:\Windows\syswow64\kernel32.dll
.text  E:\Program Files (x86)\RocketDock\RocketDock.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000074ec1431 2 bytes JMP 757f8fd1 C:\Windows\syswow64\kernel32.dll
.text  E:\Program Files (x86)\RocketDock\RocketDock.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000074ec144a 2 bytes CALL 7575489d C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  E:\Program Files (x86)\RocketDock\RocketDock.exe[3108] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000074ec14dd 2 bytes JMP 757f88c4 C:\Windows\syswow64\kernel32.dll
.text  E:\Program Files (x86)\RocketDock\RocketDock.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000074ec14f5 2 bytes JMP 757f8aa0 C:\Windows\syswow64\kernel32.dll
.text  E:\Program Files (x86)\RocketDock\RocketDock.exe[3108] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000074ec150d 2 bytes JMP 757f87ba C:\Windows\syswow64\kernel32.dll
.text  E:\Program Files (x86)\RocketDock\RocketDock.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000074ec1525 2 bytes JMP 757f8b8a C:\Windows\syswow64\kernel32.dll
.text  E:\Program Files (x86)\RocketDock\RocketDock.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000074ec153d 2 bytes JMP 7576fca8 C:\Windows\syswow64\kernel32.dll
.text  E:\Program Files (x86)\RocketDock\RocketDock.exe[3108] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000074ec1555 2 bytes JMP 757768ef C:\Windows\syswow64\kernel32.dll
.text  E:\Program Files (x86)\RocketDock\RocketDock.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000074ec156d 2 bytes JMP 757f9089 C:\Windows\syswow64\kernel32.dll
.text  E:\Program Files (x86)\RocketDock\RocketDock.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000074ec1585 2 bytes JMP 757f8bea C:\Windows\syswow64\kernel32.dll
.text  E:\Program Files (x86)\RocketDock\RocketDock.exe[3108] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000074ec159d 2 bytes JMP 757f877e C:\Windows\syswow64\kernel32.dll
.text  E:\Program Files (x86)\RocketDock\RocketDock.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000074ec15b5 2 bytes JMP 7576fd41 C:\Windows\syswow64\kernel32.dll
.text  E:\Program Files (x86)\RocketDock\RocketDock.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000074ec15cd 2 bytes JMP 7577b2dc C:\Windows\syswow64\kernel32.dll
.text  E:\Program Files (x86)\RocketDock\RocketDock.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000074ec16b2 2 bytes JMP 757f8f4c C:\Windows\syswow64\kernel32.dll
.text  E:\Program Files (x86)\RocketDock\RocketDock.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000074ec16bd 2 bytes JMP 757f8713 C:\Windows\syswow64\kernel32.dll

---- Kernel IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]  [fffff88001051e94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]  [fffff88001051c38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]  [fffff88001052654] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong]  [fffff88001052a50] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]  [fffff880010528ac] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\ataport.SYS[ntoskrnl.exe!KeInsertQueueDpc]  [fffffa800398c840] [unknown section]

---- Devices - GMER 2.1 ----

Device  \Driver\atapi \Device\Ide\IdePort4  fffffa80043352c0
Device  \Driver\atapi \Device\Ide\IdePort0  fffffa80043352c0
Device  \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-6  fffffa80043352c0
Device  \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3  fffffa80043352c0
Device  \Driver\atapi \Device\Ide\IdePort5  fffffa80043352c0
Device  \Driver\atapi \Device\Ide\IdePort1  fffffa80043352c0
Device  \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-5  fffffa80043352c0
Device  \Driver\atapi \Device\Ide\IdePort2  fffffa80043352c0
Device  \Driver\atapi \Device\Ide\IdePort3  fffffa80043352c0
Device  \FileSystem\Ntfs \Ntfs  fffffa80043392c0
Device  \Driver\usbehci \Device\USBFDO-7  fffffa80043e12c0
Device  \Driver\usbuhci \Device\USBPDO-5  fffffa8004df42c0
Device  \Driver\usbehci \Device\USBFDO-3  fffffa80043e12c0
Device  \Driver\usbuhci \Device\USBPDO-1  fffffa8004df42c0
Device  \Driver\VClone \Device\RaidPort0  fffffa80050092c0
Device  \Driver\cdrom \Device\CdRom0  fffffa80047452c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{D7428111-7E0A-412A-A6F7-A697A0C3D58F}  fffffa8004ca82c0
Device  \Driver\cdrom \Device\CdRom1  fffffa80047452c0
Device  \Driver\cdrom \Device\CdRom2  fffffa80047452c0
Device  \Driver\VClone \Device\0000006b  fffffa80050092c0
Device  \Driver\usbuhci \Device\USBPDO-6  fffffa8004df42c0
Device  \Driver\usbuhci \Device\USBFDO-4  fffffa8004df42c0
Device  \Driver\usbuhci \Device\USBFDO-0  fffffa8004df42c0
Device  \Driver\usbuhci \Device\USBPDO-2  fffffa8004df42c0
Device  \Driver\VClone \Device\0000006c  fffffa80050092c0
Device  \Driver\usbehci \Device\USBPDO-7  fffffa80043e12c0
Device  \Driver\usbuhci \Device\USBFDO-5  fffffa8004df42c0
Device  \Driver\usbehci \Device\USBPDO-3  fffffa80043e12c0
Device  \Driver\usbuhci \Device\USBFDO-1  fffffa8004df42c0
Device  \Driver\NetBT \Device\NetBt_Wins_Export  fffffa8004ca82c0
Device  \Driver\usbuhci \Device\USBFDO-6  fffffa8004df42c0
Device  \Driver\usbuhci \Device\USBPDO-4  fffffa8004df42c0
Device  \Driver\atapi \Device\ScsiPort0  fffffa80043352c0
Device  \Driver\usbuhci \Device\USBFDO-2  fffffa8004df42c0
Device  \Driver\usbuhci \Device\USBPDO-0  fffffa8004df42c0
Device  \Driver\atapi \Device\ScsiPort1  fffffa80043352c0
Device  \Driver\atapi \Device\ScsiPort2  fffffa80043352c0
Device  \Driver\atapi \Device\ScsiPort3  fffffa80043352c0
Device  \Driver\atapi \Device\ScsiPort4  fffffa80043352c0
Device  \Driver\atapi \Device\ScsiPort5  fffffa80043352c0
Device  \Driver\VClone \Device\ScsiPort6  fffffa80050092c0

---- Trace I/O - GMER 2.1 ----

Trace  ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80043352c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys  fffffa80043352c0
Trace  1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa80045cf060]  fffffa80045cf060
Trace  3 CLASSPNP.SYS[fffff8800145143f] -> nt!IofCallDriver -> [0xfffffa8004333e40]  fffffa8004333e40
Trace  5 ACPI.sys[fffff880011767a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP4T0L0-5[0xfffffa800444d680]  fffffa800444d680
Trace  \Driver\atapi[0xfffffa800442d2e0] -> IRP_MJ_CREATE -> 0xfffffa80043352c0  fffffa80043352c0

---- Processes - GMER 2.1 ----

Library  C:\Users\nostra\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2280] (GG drive menu/GG Network S.A.)(2  000000005ff80000

---- Files - GMER 2.1 ----

File  C:\Windows\winsxs\amd64_microsoft-windows-security-credssp_31bf3856ad364e35_6.1.7601.19045_none_21be9056b8473dbb  0 bytes
File  C:\Windows\winsxs\amd64_microsoft-windows-security-credssp_31bf3856ad364e35_6.1.7601.19045_none_21be9056b8473dbb\tspkg.mof  964 bytes
File  C:\Windows\winsxs\x86_microsoft-windows-security-credssp_31bf3856ad364e35_6.1.7601.23250_none_c619c226191406b4  0 bytes
File  C:\Windows\winsxs\x86_microsoft-windows-security-credssp_31bf3856ad364e35_6.1.7601.23250_none_c619c226191406b4\tspkg.mof  964 bytes
File  C:\Windows\winsxs\amd64_microsoft-windows-security-credssp_31bf3856ad364e35_6.1.7601.23250_none_22385da9d17177ea  0 bytes
File  C:\Windows\winsxs\amd64_microsoft-windows-security-credssp_31bf3856ad364e35_6.1.7601.23250_none_22385da9d17177ea\tspkg.mof  964 bytes
File  C:\Windows\winsxs\wow64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.19045_none_0ea593fba7e3331b  0 bytes
File  C:\Windows\winsxs\wow64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.19045_none_0ea593fba7e3331b\lsasrv.mof  13780 bytes
File  C:\Windows\winsxs\wow64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.23250_none_0f1f614ec10d6d4a  0 bytes
File  C:\Windows\winsxs\wow64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.23250_none_0f1f614ec10d6d4a\lsasrv.mof  13780 bytes
File  C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.23250_none_04cab6fc8cacab4f  0 bytes
File  C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.23250_none_04cab6fc8cacab4f\lsasrv.mof  13780 bytes
File  C:\Windows\winsxs\x86_microsoft-windows-security-credssp_31bf3856ad364e35_6.1.7601.19045_none_c59ff4d2ffe9cc85  0 bytes
File  C:\Windows\winsxs\x86_microsoft-windows-security-credssp_31bf3856ad364e35_6.1.7601.19045_none_c59ff4d2ffe9cc85\tspkg.mof  964 bytes
File  C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.23250_none_b9a6e66c9c885361  0 bytes
File  C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.23250_none_b9a6e66c9c885361\winload.exe  634432 bytes executable
File  C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.23250_none_b9a6e66c9c885361\winresume.exe  546656 bytes executable
File  C:\Windows\winsxs\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.23250_none_c7b8c364bcac1132  0 bytes
File  C:\Windows\winsxs\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.23250_none_c7b8c364bcac1132\winload.exe  634432 bytes executable
File  C:\Windows\winsxs\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.23250_none_c7b8c364bcac1132\winresume.exe  546656 bytes executable

---- EOF - GMER 2.1 ----