GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-06 19:47:49
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T1L0-7 SAMSUNG_HD502HJ rev.1AJ10001 465,76GB
Running: sbokqb11.exe; Driver: C:\Users\Bobek\AppData\Local\Temp\kwddrkog.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528  fffff80002da8000 65 bytes [00, 00, 15, 02, 46, 69, 6C, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 594  fffff80002da8042 4 bytes [00, 00, 00, 00]

---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\wininit.exe[576] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  000000007727ef8d 1 byte [62]
.text  C:\Windows\system32\services.exe[636] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  000000007727ef8d 1 byte [62]
.text  C:\Windows\system32\winlogon.exe[700] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  000000007727ef8d 1 byte [62]
.text  C:\Windows\system32\atiesrxx.exe[968] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  000000007727ef8d 1 byte [62]
.text  C:\Windows\System32\svchost.exe[308] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  000000007727ef8d 1 byte [62]
.text  C:\Windows\system32\svchost.exe[480] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  000000007727ef8d 1 byte [62]
.text  C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  000000007727ef8d 1 byte [62]
.text  C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  000000007727ef8d 1 byte [62]
.text  C:\Program Files\AVAST Software\Avast\afwServ.exe[1560] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  00000000754d8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text  C:\Program Files\AVAST Software\Avast\afwServ.exe[1560] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000754fa2fd 1 byte [62]
.text  C:\Program Files\AVAST Software\Avast\afwServ.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000074f91465 2 bytes [F9, 74]
.text  C:\Program Files\AVAST Software\Avast\afwServ.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000074f914bb 2 bytes [F9, 74]
.text  ...  * 2
.text  C:\Windows\Explorer.EXE[1860] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  000000007727ef8d 1 byte [62]
.text  C:\Windows\system32\rundll32.exe[2020] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  000000007727ef8d 1 byte [62]
.text  C:\Windows\SysWOW64\rundll32.exe[392] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000754fa2fd 1 byte [62]
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1644] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000754fa2fd 1 byte [62]
.text  C:\Program Files (x86)\trolatunt\updatetrolatunt.exe[1424] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112  00000000754fa2fd 1 byte [62]
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2240] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  000000007727ef8d 1 byte [62]
.text  C:\Users\Bobek\AppData\Roaming\uTorrent\uTorrent.exe[2248] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000754fa2fd 1 byte [62]
.text  C:\Users\Bobek\AppData\Roaming\uTorrent\uTorrent.exe[2248] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000074f91465 2 bytes [F9, 74]
.text  C:\Users\Bobek\AppData\Roaming\uTorrent\uTorrent.exe[2248] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000074f914bb 2 bytes [F9, 74]
.text  ...  * 2
.text  D:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe[2280] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000754fa2fd 1 byte [62]
.text  C:\Program Files\AVAST Software\Avast\avastui.exe[2384] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  00000000754d8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text  C:\Program Files\AVAST Software\Avast\avastui.exe[2384] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000754fa2fd 1 byte [62]
.text  C:\Program Files (x86)\trolatunt\bin\utiltrolatunt.exe[2692] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112  00000000754fa2fd 1 byte [62]
.text  C:\Windows\System32\svchost.exe[2748] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  000000007727ef8d 1 byte [62]
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[3776] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  000000007727ef8d 1 byte [62]
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4920] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000754fa2fd 1 byte [62]
.text  C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe[3188] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189  000000007727ef8d 1 byte [62]
.text  C:\Windows\system32\rundll32.exe[6148] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  000000007727ef8d 1 byte [62]
.text  C:\Windows\SysWOW64\rundll32.exe[6236] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000754fa2fd 1 byte [62]
.text  C:\Users\Bobek\AppData\Local\GG\Application\gghub.exe[7276] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000754fa2fd 1 byte [62]
.text  C:\Users\Bobek\Downloads\OTL.exe[10580] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000754fa2fd 1 byte [62]
.text  C:\Users\Bobek\Downloads\OTL.exe[10580] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69  0000000074f91465 2 bytes [F9, 74]
.text  C:\Users\Bobek\Downloads\OTL.exe[10580] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155  0000000074f914bb 2 bytes [F9, 74]
.text  ...  * 2
.text  C:\Users\Bobek\Downloads\FRST64.exe[12044] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  000000007727ef8d 1 byte [62]
.text  C:\Users\Bobek\Downloads\sbokqb11.exe[11864] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000754fa2fd 1 byte [62]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\SysWOW64\rundll32.exe [6236:7148]  0000000065a54a50
Thread  C:\Windows\SysWOW64\rundll32.exe [6236:6484]  0000000063c11290

---- Processes - GMER 2.1 ----

Library  C:\Users\Bobek\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1860] (GG drive menu/GG Network S.A.)(201  000000005ff80000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{DE492C39-9DD2-457F-BF70-D159BD0FC8B9}@LeaseObtainedTime  1410024967
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{DE492C39-9DD2-457F-BF70-D159BD0FC8B9}@T1  1410025243
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{DE492C39-9DD2-457F-BF70-D159BD0FC8B9}@T2  1410025468
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{DE492C39-9DD2-457F-BF70-D159BD0FC8B9}@LeaseTerminatesTime  1410025567

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.1 ----
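The user code section above is long because GMER prints one line per hooked export per process, so the same patch is repeated dozens of times. What a reviewer actually wants is the list of distinct patches and how widely each is spread: a 1-byte change at the same kernel32 offset in every process of one bitness is the signature of a single system-wide hook (a security product's self-defence is the usual source, but the log by itself does not say who installed it), while a patch confined to one or two processes deserves a closer look. The script below is an added example written for this page; it is not part of GMER's output or of the original post. It parses GMER's user-code line format as laid out in this log, folds the ".text ... * N" collapse markers into a count, groups patches by target, address, bytes and bitness (WOW64 processes load the 32-bit DLLs from syswow64, which is why the kernel32 patch shows up at +189 in 64-bit processes and +112 in 32-bit ones), and names the few x86 prologue patterns that are decodable without the original bytes. The sample input is a subset of lines copied from the log above; the pattern table and the field names are this example's own choices.

```python
import re
from collections import defaultdict

# One GMER user-mode hook entry per line (layout as in the log above), e.g.
#   .text  C:\Windows\system32\wininit.exe[576] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  000000007727ef8d 1 byte [62]
# "+ offset" is absent when the patch starts at the export's first byte.
ENTRY_RE = re.compile(
    r"^(?P<section>\.\w+)\s+"
    r"(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!]+)!(?P<export>\w+)"
    r"(?:\s*\+\s*(?P<offset>\d+))?\s+"
    r"(?P<address>[0-9a-fA-F]{8,16})\s+"
    r"(?P<size>\d+)\s+bytes?\s+"
    r"\[(?P<bytes>[^\]]*)\]\s*$"
)
# GMER collapses a run of further identical entries into ".text ... * N".
ELIDED_RE = re.compile(r"^\.\w+\s+\.\.\.\s+\*\s+(?P<count>\d+)\s*$")

# Sample input: a subset of the user code section copied from the log above.
SAMPLE_LOG = r"""
---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\wininit.exe[576] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  000000007727ef8d 1 byte [62]
.text  C:\Windows\system32\services.exe[636] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  000000007727ef8d 1 byte [62]
.text  C:\Windows\Explorer.EXE[1860] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  000000007727ef8d 1 byte [62]
.text  C:\Program Files\AVAST Software\Avast\afwServ.exe[1560] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  00000000754d8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text  C:\Program Files\AVAST Software\Avast\afwServ.exe[1560] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000754fa2fd 1 byte [62]
.text  C:\Program Files\AVAST Software\Avast\afwServ.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000074f91465 2 bytes [F9, 74]
.text  C:\Program Files\AVAST Software\Avast\afwServ.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000074f914bb 2 bytes [F9, 74]
.text  ...  * 2
.text  C:\Windows\SysWOW64\rundll32.exe[392] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000754fa2fd 1 byte [62]
.text  C:\Users\Bobek\AppData\Roaming\uTorrent\uTorrent.exe[2248] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000754fa2fd 1 byte [62]
.text  C:\Program Files\AVAST Software\Avast\avastui.exe[2384] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  00000000754d8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text  C:\Program Files\AVAST Software\Avast\avastui.exe[2384] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  00000000754fa2fd 1 byte [62]
"""


def parse_user_code_section(text):
    """Parse GMER user-code entries into dicts; also count collapsed entries."""
    entries, elided = [], 0
    for line in text.splitlines():
        line = line.strip()
        m = ELIDED_RE.match(line)
        if m:
            elided += int(m.group("count"))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # section header, blank line, or not a hook entry
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        d["offset"] = int(d["offset"] or 0)
        d["size"] = int(d["size"])
        d["bytes"] = tuple(t.strip().upper() for t in d["bytes"].split(",") if t.strip())
        name = d["process"].rsplit("\\", 1)[-1]
        d["process_id"] = f"{name}[{d['pid']}]"  # keeps the several svchost.exe apart
        d["module_name"] = d["module"].rsplit("\\", 1)[-1].lower()
        # WOW64 processes load 32-bit DLLs from syswow64; the same logical patch
        # therefore sits at a different RVA than in native 64-bit processes.
        d["arch"] = "x86" if "syswow64" in d["module"].lower() else "x64"
        entries.append(d)
    return entries, elided


def describe_patch(patch):
    """Name a few x86 prologue patterns an inline hook typically writes.
    A 1- or 2-byte change cannot be read without the original instruction bytes."""
    if patch[:5] == ("31", "C0", "C2", "04", "00"):
        return "xor eax,eax; ret 4 (function stubbed to return 0)"
    if patch[:1] == ("E9",):
        return "jmp rel32 (detour to hook)"
    if patch[:2] == ("FF", "25"):
        return "jmp [mem] (indirect detour)"
    if patch[:1] == ("68",) and "C3" in patch:
        return "push imm32; ret (detour)"
    if len(patch) <= 2:
        return "short patch, not decodable in isolation"
    return "undecoded"


def triage(text):
    """One row per distinct patch, with the processes it appears in and whether
    it covers every scanned process of that bitness (a system-wide hook)."""
    entries, elided = parse_user_code_section(text)
    procs_by_arch, groups = defaultdict(set), defaultdict(set)
    for e in entries:
        procs_by_arch[e["arch"]].add(e["process_id"])
        key = (e["module_name"], e["export"], e["offset"], e["address"].lower(), e["bytes"], e["arch"])
        groups[key].add(e["process_id"])
    rows = []
    for (module, export, offset, address, patch, arch), procs in sorted(groups.items()):
        total = len(procs_by_arch[arch])
        spread = (f"all {total} {arch} processes" if len(procs) == total
                  else f"{len(procs)}/{total} {arch} processes")
        rows.append({"target": f"{module}!{export}+{offset}", "arch": arch, "address": address,
                     "bytes": " ".join(patch), "decode": describe_patch(patch),
                     "processes": sorted(procs), "spread": spread})
    return rows, elided


if __name__ == "__main__":
    rows, elided = triage(SAMPLE_LOG)
    for r in rows:
        print(f"{r['target']:<48} {r['spread']:<22} {r['decode']}")
    print(f"{elided} further entries collapsed by GMER")
```

Run against the full section the result is a handful of rows instead of forty lines: the GetBinaryTypeW patch in every process of each bitness, the SetUnhandledExceptionFilter stub (xor eax,eax; ret 4, i.e. the export is made to return 0 immediately) only in the two Avast processes, and the PSAPI patches only in processes that have a particular 32-bit component loaded. The script attributes nothing; confirming which driver or DLL wrote a patch still takes a live look at the process. The same caution applies to the "unknown MBR code" line at the end of the log: it means the boot sector does not match any code GMER recognises, which covers OEM and third-party boot managers as well as bootkits, so the sector should be dumped and compared rather than treated as a verdict either way.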