GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-09-30 23:21:14 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000038 Hitachi_HTS547550A9E384 rev.JE3OA60B 465.76GB Running: mtd4qw46.exe; Driver: C:\Users\pc\AppData\Local\Temp\uxdoqpoc.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\windows\System32\drivers\USBPORT.SYS!DllUnload + 1 fffff8800842e4c1 11 bytes {MOV RAX, 0xfffffa800649b2a0; JMP RAX} .text C:\windows\System32\win32k.sys!W32pServiceTable fffff96000177c00 7 bytes [00, 12, 81, 01, 00, 1B, F2] .text C:\windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000177c08 7 bytes [01, 18, C0, FF, 00, D7, DA] ---- User code sections - GMER 2.1 ---- .text C:\windows\system32\atiesrxx.exe[968] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fea962177a 4 bytes [62, A9, FE, 07] .text C:\windows\system32\atiesrxx.exe[968] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fea9621782 4 bytes [62, A9, FE, 07] .text C:\windows\system32\atieclxx.exe[1032] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fea962177a 4 bytes [62, A9, FE, 07] .text C:\windows\system32\atieclxx.exe[1032] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fea9621782 4 bytes [62, A9, FE, 07] .text C:\windows\system32\atieclxx.exe[1032] C:\windows\system32\WSOCK32.dll!recvfrom + 742 000007fea3ed1b32 4 bytes [ED, A3, FE, 07] .text C:\windows\system32\atieclxx.exe[1032] C:\windows\system32\WSOCK32.dll!recvfrom + 750 000007fea3ed1b3a 4 bytes [ED, A3, FE, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1228] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fea3651532 4 bytes [65, A3, FE, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1228] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fea365153a 4 bytes [65, A3, FE, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1228] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fea365165a 4 bytes [65, A3, FE, 07] .text C:\Program Files (x86)\TuneUp Utilities 2014\TuneUpUtilitiesService64.exe[2680] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fea962177a 4 bytes [62, A9, FE, 07] .text C:\Program Files (x86)\TuneUp Utilities 2014\TuneUpUtilitiesService64.exe[2680] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fea9621782 4 bytes [62, A9, FE, 07] .text C:\Program Files\Windows Defender\MsMpEng.exe[2724] C:\windows\system32\psapi.dll!GetProcessImageFileNameA + 306 000007fea962177a 4 bytes [62, A9, FE, 07] .text C:\Program Files\Windows Defender\MsMpEng.exe[2724] C:\windows\system32\psapi.dll!GetProcessImageFileNameA + 314 000007fea9621782 4 bytes [62, A9, FE, 07] .text C:\Program Files (x86)\TuneUp Utilities 2014\TuneUpUtilitiesApp64.exe[1944] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fea962177a 4 bytes [62, A9, FE, 07] .text C:\Program Files (x86)\TuneUp Utilities 2014\TuneUpUtilitiesApp64.exe[1944] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fea9621782 4 bytes [62, A9, FE, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3600] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fea3651532 4 bytes [65, A3, FE, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3600] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fea365153a 4 bytes [65, A3, FE, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3600] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fea365165a 4 bytes [65, A3, FE, 07] .text C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe[1344] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fea3651532 4 bytes [65, A3, FE, 07] .text C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe[1344] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fea365153a 4 bytes [65, A3, FE, 07] .text C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe[1344] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fea365165a 4 bytes [65, A3, FE, 07] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4144] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fea962177a 4 bytes [62, A9, FE, 07] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4144] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fea9621782 4 bytes [62, A9, FE, 07] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3324] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fea962177a 4 bytes [62, A9, FE, 07] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3324] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fea9621782 4 bytes [62, A9, FE, 07] .text C:\Windows\explorer.exe[1796] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fea3651532 4 bytes [65, A3, FE, 07] .text C:\Windows\explorer.exe[1796] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fea365153a 4 bytes [65, A3, FE, 07] .text C:\Windows\explorer.exe[1796] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fea365165a 4 bytes [65, A3, FE, 07] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\windows\System32\drivers\pci.sys[ntoskrnl.exe!IofCallDriver] [fffff88000e66710] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa80064af2c0 Device \FileSystem\fastfat \Fat fffffa8007ddb2c0 Device \Driver\storahci \Device\Dev_fffffa80073c1060 fffffa800fcd90b0 Device \Driver\usbohci \Device\USBPDO-5 fffffa800649d2c0 Device \Driver\usbohci \Device\USBFDO-3 fffffa800649d2c0 Device \Driver\usbohci \Device\USBPDO-1 fffffa800649d2c0 Device \Driver\storahci \Device\RaidPort0 fffffa80064b12c0 Device \Driver\cdrom \Device\CdRom0 fffffa80064a12c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{1FA4E9FA-03FF-4F8F-AE9A-207AACBF5F9E} fffffa80064a92c0 Device \Driver\storahci \Device\00000039 fffffa80064b12c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{D4D2BBA6-4199-4BD7-8361-93D9B9DD324D} fffffa80064a92c0 Device \Driver\usbehci \Device\USBFDO-4 fffffa80064a32c0 Device \Driver\usbehci \Device\USBPDO-2 fffffa80064a32c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{07BB2D45-0913-4EBB-A107-B6E79BE49190} fffffa80064a92c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{105F66C4-6796-4B7C-866E-A5BD9CEEB657} fffffa80064a92c0 Device \Driver\usbohci \Device\USBFDO-5 fffffa800649d2c0 Device \Driver\usbohci \Device\USBPDO-3 fffffa800649d2c0 Device \Driver\usbohci \Device\USBFDO-1 fffffa800649d2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80064a92c0 Device \Driver\usbehci \Device\USBPDO-4 fffffa80064a32c0 Device \Driver\usbehci \Device\USBFDO-2 fffffa80064a32c0 Device \Driver\storahci \Device\ScsiPort0 fffffa80064b12c0 Device \Driver\storahci \Device\00000038 fffffa80064b12c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{EE90CA58-1AF2-4A33-B376-213A8AFEE0F7} fffffa80064a92c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80064b12c0]<< sptd.sys storport.sys hal.dll storahci.sys fffffa80064b12c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007520060] fffffa8007520060 Trace 3 CLASSPNP.SYS[fffff88001b85e0a] -> nt!IofCallDriver -> \Device\00000038[0xfffffa80073c1060] fffffa80073c1060 Trace \Driver\storahci[0xfffffa80073c4aa0] -> IRP_MJ_CREATE -> 0xfffffa80064b12c0 fffffa80064b12c0 ---- Threads - GMER 2.1 ---- Thread C:\windows\system32\csrss.exe [652:684] fffff960008fc5e8 Thread C:\windows\system32\svchost.exe [484:6308] 000007fe9de816b0 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\explorer.exe [1796] (GG drive overlay/GG Network S.A.)(2014-03-29 17:03:59) 000000005c080000 Library C:\Users\pc\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\explorer.exe [1796] (GG drive menu/GG Network S.A.)(2014-03-2 000000005ff80000 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----