GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-11-12 17:40:58
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000039 Hitachi_HTS547550A9E384 rev.JE3OA60B 465.76GB
Running: hibxpypi.exe; Driver: C:\Users\pc\AppData\Local\Temp\uxdoqpoc.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\windows\System32\win32k.sys!W32pServiceTable fffff96000230900 7 bytes [00, CE, 7F, 01, 00, FF, F1]
.text C:\windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000230908 7 bytes [01, FE, BF, FF, 00, CF, DA]

---- User code sections - GMER 2.1 ----

.text C:\windows\system32\atieclxx.exe[5864] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fb51b6177a 4 bytes [B6, 51, FB, 07]
.text C:\windows\system32\atieclxx.exe[5864] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fb51b61782 4 bytes [B6, 51, FB, 07]
.text C:\windows\system32\atieclxx.exe[5864] C:\windows\system32\WSOCK32.dll!recvfrom + 742 000007fb4b1d1b32 4 bytes [1D, 4B, FB, 07]
.text C:\windows\system32\atieclxx.exe[5864] C:\windows\system32\WSOCK32.dll!recvfrom + 750 000007fb4b1d1b3a 4 bytes [1D, 4B, FB, 07]
.text C:\windows\Explorer.EXE[4704] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fb4bfa1532 4 bytes [FA, 4B, FB, 07]
.text C:\windows\Explorer.EXE[4704] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fb4bfa153a 4 bytes [FA, 4B, FB, 07]
.text C:\windows\Explorer.EXE[4704] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fb4bfa165a 4 bytes [FA, 4B, FB, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1884] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fb4bfa1532 4 bytes [FA, 4B, FB, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1884] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fb4bfa153a 4 bytes [FA, 4B, FB, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1884] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fb4bfa165a 4 bytes [FA, 4B, FB, 07]
.text C:\Program Files (x86)\TuneUp Utilities 2014\TuneUpUtilitiesApp64.exe[3464] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fb51b6177a 4 bytes [B6, 51, FB, 07]
.text C:\Program Files (x86)\TuneUp Utilities 2014\TuneUpUtilitiesApp64.exe[3464] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fb51b61782 4 bytes [B6, 51, FB, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4200] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fb4bfa1532 4 bytes [FA, 4B, FB, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4200] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fb4bfa153a 4 bytes [FA, 4B, FB, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4200] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fb4bfa165a 4 bytes [FA, 4B, FB, 07]
.text C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe[5680] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fb4bfa1532 4 bytes [FA, 4B, FB, 07]
.text C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe[5680] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fb4bfa153a 4 bytes [FA, 4B, FB, 07]
.text C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe[5680] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fb4bfa165a 4 bytes [FA, 4B, FB, 07]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3868] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fb51b6177a 4 bytes [B6, 51, FB, 07]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3868] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fb51b61782 4 bytes [B6, 51, FB, 07]
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3988] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fb51b6177a 4 bytes [B6, 51, FB, 07]
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[3988] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fb51b61782 4 bytes [B6, 51, FB, 07]
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3400] C:\windows\system32\psapi.dll!GetProcessImageFileNameA + 306 000007fb51b6177a 4 bytes [B6, 51, FB, 07]
.text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3400] C:\windows\system32\psapi.dll!GetProcessImageFileNameA + 314 000007fb51b61782 4 bytes [B6, 51, FB, 07]
.text C:\Program Files\Internet Explorer\iexplore.exe[2376] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fb4bfa1532 4 bytes [FA, 4B, FB, 07]
.text C:\Program Files\Internet Explorer\iexplore.exe[2376] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fb4bfa153a 4 bytes [FA, 4B, FB, 07]
.text C:\Program Files\Internet Explorer\iexplore.exe[2376] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fb4bfa165a 4 bytes [FA, 4B, FB, 07]
.text C:\windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[6300] C:\windows\system32\psapi.dll!GetProcessImageFileNameA + 306 000007fb51b6177a 4 bytes [B6, 51, FB, 07]
.text C:\windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[6300] C:\windows\system32\psapi.dll!GetProcessImageFileNameA + 314 000007fb51b61782 4 bytes [B6, 51, FB, 07]

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\windows\System32\drivers\pci.sys[ntoskrnl.exe!IofCallDriver] [fffff88001434dac] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\windows\System32\Drivers\abs6w96f.SYS[storport.sys!StorPortDebugPrint] [?]
IAT C:\windows\System32\Drivers\abs6w96f.SYS[storport.sys!StorPortNotification] [?]
IAT C:\windows\System32\Drivers\abs6w96f.SYS[storport.sys!StorPortGetBusData] [?]
IAT C:\windows\System32\Drivers\abs6w96f.SYS[storport.sys!StorPortGetScatterGatherList] [?]
IAT C:\windows\System32\Drivers\abs6w96f.SYS[storport.sys!StorPortInitialize] [?]
IAT C:\windows\System32\Drivers\abs6w96f.SYS[storport.sys!StorPortGetUncachedExtension] [?]
IAT C:\windows\System32\Drivers\abs6w96f.SYS[storport.sys!StorPortExtendedFunction] [?]
IAT C:\windows\System32\Drivers\abs6w96f.SYS[storport.sys!StorPortQuerySystemTime] [?]
IAT C:\windows\System32\Drivers\abs6w96f.SYS[storport.sys!StorPortStallExecution] [?]
IAT C:\windows\System32\Drivers\abs6w96f.SYS[storport.sys!StorPortGetPhysicalAddress] [?]
IAT C:\windows\System32\Drivers\abs6w96f.SYS[storport.sys!StorPortFreeRegistryBuffer] [?]
IAT C:\windows\System32\Drivers\abs6w96f.SYS[storport.sys!StorPortGetDeviceBase] [?]
IAT C:\windows\System32\Drivers\abs6w96f.SYS[storport.sys!StorPortAllocateRegistryBuffer] [?]
IAT C:\windows\System32\Drivers\abs6w96f.SYS[storport.sys!StorPortRegistryRead] [?]
IAT C:\windows\System32\Drivers\abs6w96f.SYS[storport.sys!StorPortDeviceBusy] [?]
IAT C:\windows\System32\Drivers\abs6w96f.SYS[storport.sys!StorPortSetDeviceQueueDepth] [?]

---- Devices - GMER 2.1 ----

Device \Driver\abs6w96f \Device\Scsi\abs6w96f1 fffffa80064fe2c0
Device \FileSystem\Ntfs \Ntfs fffffa80064792c0
Device \FileSystem\fastfat \Fat fffffa80064fc2c0
Device \Driver\usbohci \Device\USBPDO-5 fffffa80064672c0
Device \Driver\usbohci \Device\USBFDO-3 fffffa80064672c0
Device \Driver\usbohci \Device\USBPDO-1 fffffa80064672c0
Device \Driver\storahci \Device\RaidPort0 fffffa800647b2c0
Device \Driver\cdrom \Device\CdRom0 fffffa80064712c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{1FA4E9FA-03FF-4F8F-AE9A-207AACBF5F9E} fffffa80064732c0
Device \Driver\storahci \Device\00000039 fffffa800647b2c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{D4D2BBA6-4199-4BD7-8361-93D9B9DD324D} fffffa80064732c0
Device \Driver\usbehci \Device\USBFDO-4 fffffa80064692c0
Device \Driver\usbehci \Device\USBPDO-2 fffffa80064692c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{07BB2D45-0913-4EBB-A107-B6E79BE49190} fffffa80064732c0
Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa80065042c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{105F66C4-6796-4B7C-866E-A5BD9CEEB657} fffffa80064732c0
Device \Driver\usbohci \Device\USBFDO-5 fffffa80064672c0
Device \Driver\usbohci \Device\USBPDO-3 fffffa80064672c0
Device \Driver\usbohci \Device\USBFDO-1 fffffa80064672c0
Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80064732c0
Device \Driver\usbehci \Device\USBPDO-4 fffffa80064692c0
Device \Driver\usbehci \Device\USBFDO-2 fffffa80064692c0
Device \Driver\storahci \Device\ScsiPort0 fffffa800647b2c0
Device \Driver\abs6w96f \Device\ScsiPort1 fffffa80064fe2c0
Device \Driver\storahci \Device\0000003a fffffa800647b2c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{EE90CA58-1AF2-4A33-B376-213A8AFEE0F7} fffffa80064732c0

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa800647b2c0]<< sptd.sys storport.sys hal.dll storahci.sys fffffa800647b2c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800758b060] fffffa800758b060
Trace 3 CLASSPNP.SYS[fffff88000a01e0a] -> nt!IofCallDriver -> \Device\00000039[0xfffffa80073bc060] fffffa80073bc060
Trace \Driver\storahci[0xfffffa80073c15c0] -> IRP_MJ_CREATE -> 0xfffffa800647b2c0 fffffa800647b2c0

---- Modules - GMER 2.1 ----

Module \SystemRoot\System32\Drivers\abs6w96f.SYS (MS AHCI Storport Miniport Driver/Microsoft Corporation SIGNED)(2013-09-30 20:19:45) fffff88005edb000-fffff88005f2c000 (331776 bytes)

---- Threads - GMER 2.1 ----

Thread C:\windows\system32\csrss.exe [5340:4160] fffff960008565e8

---- Processes - GMER 2.1 ----

Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\windows\Explorer.EXE [4704] (GG drive overlay/GG Network S.A.)(2014-03-29 17:03:59) 000000005c080000
Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Program Files\Internet Explorer\iexplore.exe [2376] (GG drive overlay/GG Network S.A.)(2014-03-29 17:03:59) 0000000000ea0000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----