GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-06 19:11:35
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500420AS rev.D005SDM1 465,76GB
Running: 0l3jyugz.exe; Driver: C:\Users\Tomek\AppData\Local\Temp\kwddykog.sys

---- User code sections - GMER 2.1 ----

.text C:\ProgramData\IePluginService\PluginService.exe[1488] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000777f1465 2 bytes [7F, 77]
.text C:\ProgramData\IePluginService\PluginService.exe[1488] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000777f14bb 2 bytes [7F, 77]
.text ... * 2
.text C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000777f1465 2 bytes [7F, 77]
.text C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000777f14bb 2 bytes [7F, 77]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[2616] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000777f1465 2 bytes [7F, 77]
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[2616] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000777f14bb 2 bytes [7F, 77]
.text ... * 2

---- Processes - GMER 2.1 ----

Library C:\Users\Tomek\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2704] (GG drive menu/GG Network S.A.)(201 000000005ff80000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c44619e3c6fd
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c44619e3c6fd@002237081730 0xED 0xCF 0xB6 0xAB ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c44619e3c6fd@0c715dc45cd5 0x49 0x0A 0xA7 0x76 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c44619e3c6fd@dcf11088e5e0 0xE3 0x03 0xC5 0x06 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c44619e3c6fd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c44619e3c6fd@002237081730 0xED 0xCF 0xB6 0xAB ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c44619e3c6fd@0c715dc45cd5 0x49 0x0A 0xA7 0x76 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c44619e3c6fd@dcf11088e5e0 0xE3 0x03 0xC5 0x06 ...

---- Files - GMER 2.1 ----

File C:\Users\Tomek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LR5OWQU3\frame[1].htm 0 bytes
File C:\Users\Tomek\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RXHGAKBH\fJiC8AMIhj3[1].js 224931 bytes
File C:\Users\Tomek\AppData\Local\Microsoft\Windows\WebCache\V0100C30.log 524288 bytes
File C:\Users\Tomek\AppData\Local\Microsoft\Windows\WebCache\V0100C31.log 524288 bytes
File C:\Users\Tomek\AppData\Local\Microsoft\Windows\WebCache\V0100C32.log 524288 bytes
File C:\Users\Tomek\AppData\Local\Microsoft\Windows\WebCache\V0100C33.log 524288 bytes
File C:\Users\Tomek\AppData\Local\Temp\~DF17A01B3FF69A4AE2.TMP 16384 bytes
File C:\Users\Tomek\AppData\Roaming\Microsoft\Windows\Cookies\P8UJK687.txt 0 bytes
File C:\Users\Tomek\AppData\Roaming\Microsoft\Windows\Cookies\SUDVRK8N.txt 146 bytes
File C:\Users\Tomek\AppData\Roaming\Microsoft\Windows\Cookies\DXRCHMYS.txt 95 bytes
File C:\Users\Tomek\AppData\Roaming\Microsoft\Windows\Cookies\9A46KSZP.txt 0 bytes
File C:\Users\Tomek\AppData\Roaming\Microsoft\Windows\Cookies\9SGH72KL.txt 108 bytes
File C:\Users\Tomek\AppData\Roaming\Microsoft\Windows\Cookies\BFRE6Q5B.txt 0 bytes

---- EOF - GMER 2.1 ----