GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-12-25 17:35:25
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3 TOSHIBA_MQ01ABD050 rev.AX001U 465,76GB
Running: d37htgmb.exe; Driver: C:\Users\x\AppData\Local\Temp\axloruog.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 666 fffff800031ed08a 7 bytes [00, 00, 00, 00, 00, 00, 03]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 674 fffff800031ed092 4 bytes [00, 00, 00, 00]

---- User code sections - GMER 2.1 ----

.text C:\Windows\System32\svchost.exe[284] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007783ef8d 1 byte [62]
.text C:\Windows\system32\svchost.exe[464] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007783ef8d 1 byte [62]
.text C:\ProgramData\IePluginServices\PluginService.exe[1344] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007552a2fd 1 byte [62]
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1388] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007552a2fd 1 byte [62]
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1440] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007552a2fd 1 byte [62]
.text C:\Windows\Explorer.EXE[1384] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007783ef8d 1 byte [62]
.text C:\Program Files\Common Files\ShopperPro\spbiu.exe[2244] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007783ef8d 1 byte [62]
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2316] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007552a2fd 1 byte [62]
.text C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe[2568] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007552a2fd 1 byte [62]
.text C:\Users\x\AppData\Roaming\uTorrent\uTorrent.exe[1468] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007552a2fd 1 byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3592] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075508791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3592] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007552a2fd 1 byte [62]
.text C:\ProgramData\d2446020-ddff-402b-b064-199d2ce66b2b\maintainer.exe[3876] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007552a2fd 1 byte [62]
.text C:\Program Files (x86)\AdvanceElite\bin\utilAdvanceElite.exe[4892] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007552a2fd 1 byte [62]
.text C:\Program Files (x86)\AdvanceElite\bin\AdvanceElite.BrowserAdapter.exe[4200] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007552a2fd 1 byte [62]
.text C:\Program Files (x86)\AdvanceElite\bin\AdvanceElite.BOASHelper.exe[5088] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007552a2fd 1 byte [62]
.text C:\Program Files (x86)\AdvanceElite\updateAdvanceElite.exe[5876] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007552a2fd 1 byte [62]
.text C:\Program Files (x86)\ShopperPro\JSDriver\1.38.0.1425\jsdrv.exe[5864] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007552a2fd 1 byte [62]
.text C:\Users\x\Downloads\d37htgmb.exe[5428] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007552a2fd 1 byte [62]

---- Threads - GMER 2.1 ----

Thread C:\Windows\System32\svchost.exe [1008:808] 000007fefb8ef2c0
Thread C:\Windows\System32\svchost.exe [1008:472] 000007fefb886204
Thread C:\Windows\System32\svchost.exe [1008:1124] 000007fefb435428
Thread C:\Windows\System32\svchost.exe [1008:5196] 000007fef1d06b8c
Thread C:\Windows\System32\svchost.exe [1008:5204] 000007fef1d01d88
Thread C:\Windows\System32\svchost.exe [1008:5956] 000007fefb433118
Thread C:\Windows\System32\svchost.exe [1008:3176] 000007fefb5c2070
Thread C:\Windows\System32\spoolsv.exe [1704:1812] 000007fef9b510c8
Thread C:\Windows\System32\spoolsv.exe [1704:2016] 000007fef9b16144
Thread C:\Windows\System32\spoolsv.exe [1704:1240] 000007fef98b5fd0
Thread C:\Windows\System32\spoolsv.exe [1704:1596] 000007fef98a3438
Thread C:\Windows\System32\spoolsv.exe [1704:2012] 000007fef98b63ec
Thread C:\Windows\System32\spoolsv.exe [1704:2068] 000007fefa8f5e5c
Thread C:\Windows\System32\spoolsv.exe [1704:2072] 000007fefa455074
Thread C:\Windows\System32\WUDFHost.exe [996:2204] 000007fef7c024a0
Thread C:\Program Files\Windows Sidebar\sidebar.exe [2344:3540] 000007fef4e820e0
Thread C:\Program Files\Windows Sidebar\sidebar.exe [2344:3856] 000007fef4526230
Thread C:\Program Files\Windows Sidebar\sidebar.exe [2344:3824] 000007fef4526230
Thread C:\Program Files\Windows Sidebar\sidebar.exe [2344:3452] 000007fef2d1f5a0
Thread C:\Program Files\Windows Sidebar\sidebar.exe [2344:3364] 000007fef2cf9fe4
Thread C:\Program Files\Windows Sidebar\sidebar.exe [2344:3588] 000007fef2cf98ac
Thread C:\Program Files\Windows Sidebar\sidebar.exe [2344:2440] 000007fef4526230
Thread C:\Windows\system32\taskhost.exe [3116:3144] 000007fef5ca2740
Thread C:\Windows\system32\taskhost.exe [3116:3192] 000007fef5bd1f38
Thread C:\Windows\system32\taskhost.exe [3116:3208] 000007fef6d61010
Thread C:\Windows\system32\taskhost.exe [3116:3388] 000007fef3e25170
Thread C:\Windows\System32\svchost.exe [4052:3492] 000007fef1719688
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2080:4880] 000007fefbce2bf8
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2080:4584] 000007feeed34830
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2080:3504] 000007fef8b35124
Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [2756:4780] 000007feedacfe98
Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [2756:5328] 000007feedc100bc
Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [2756:3660] 000007fefe08a808
Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [2756:4512] 000007feedc100bc

---- Processes - GMER 2.1 ----

Process C:\ProgramData\IePluginServices\PluginService.exe (*** suspicious ***) @ C:\ProgramData\IePluginServices\PluginService.exe [1344](2 00000000008d0000
Process C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (*** suspicious ***) @ C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [1388] (WindowsProtectManger Service/Fuyu LIMITED)(2014-09-24 14:06:35) 0000000000a00000
Library C:\Users\x\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1384] (GG drive menu/GG Network S.A.)(2014-05-16 000000005ff80000

---- EOF - GMER 2.1 ----