GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-01-07 19:48:34
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-2 Maxtor_6L200M0 rev.BANC1G10 189,92GB
Running: GMER.exe; Driver: C:\Users\Kamil\AppData\Local\Temp\kwddqpod.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528  fffff80002db4000 40 bytes [48, 8B, C2, 48, D3, C0, 49, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 569  fffff80002db4029 4 bytes [8B, 8C, 24, A4]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2388] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  00000000775c1401 2 bytes JMP 773cb21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2388] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  00000000775c1419 2 bytes JMP 773cb346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  00000000775c1431 2 bytes JMP 77448ea9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  00000000775c144a 2 bytes CALL 773a48ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2388] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000775c14dd 2 bytes JMP 774487a2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2388] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000775c14f5 2 bytes JMP 77448978 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2388] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  00000000775c150d 2 bytes JMP 77448698 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2388] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  00000000775c1525 2 bytes JMP 77448a62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2388] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  00000000775c153d 2 bytes JMP 773bfca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2388] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  00000000775c1555 2 bytes JMP 773c68ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2388] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  00000000775c156d 2 bytes JMP 77448f61 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2388] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  00000000775c1585 2 bytes JMP 77448ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2388] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  00000000775c159d 2 bytes JMP 7744865c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2388] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000775c15b5 2 bytes JMP 773bfd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2388] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000775c15cd 2 bytes JMP 773cb2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2388] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000775c16b2 2 bytes JMP 77448e24 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2388] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000775c16bd 2 bytes JMP 774485f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2736] C:\Windows\syswow64\USER32.dll!DrawIconEx  0000000075b74f4f 5 bytes JMP 00000001037a1120
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2736] C:\Windows\syswow64\USER32.dll!GetIconInfo  0000000075b75029 5 bytes JMP 00000001037a1030
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2736] C:\Windows\syswow64\USER32.dll!GetCursor  0000000075b8f1bb 5 bytes JMP 00000001037a1080
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  00000000775c1401 2 bytes JMP 773cb21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2736] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  00000000775c1419 2 bytes JMP 773cb346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  00000000775c1431 2 bytes JMP 77448ea9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  00000000775c144a 2 bytes CALL 773a48ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2736] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000775c14dd 2 bytes JMP 774487a2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000775c14f5 2 bytes JMP 77448978 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2736] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  00000000775c150d 2 bytes JMP 77448698 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  00000000775c1525 2 bytes JMP 77448a62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  00000000775c153d 2 bytes JMP 773bfca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2736] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  00000000775c1555 2 bytes JMP 773c68ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  00000000775c156d 2 bytes JMP 77448f61 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  00000000775c1585 2 bytes JMP 77448ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2736] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  00000000775c159d 2 bytes JMP 7744865c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000775c15b5 2 bytes JMP 773bfd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000775c15cd 2 bytes JMP 773cb2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000775c16b2 2 bytes JMP 77448e24 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000775c16bd 2 bytes JMP 774485f1 C:\Windows\syswow64\kernel32.dll
?      C:\Windows\system32\mssprxy.dll [2736] entry point in ".rdata" section 0000000071b171e6
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  0000000077c0fe14 5 bytes JMP 0000000174641000
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000077a61650 5 bytes JMP 0000000077bc0018
.text  C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  0000000077c0fe14 5 bytes JMP 0000000174641000
.text  C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4888] C:\Windows\syswow64\USER32.dll!DrawIconEx  0000000075b74f4f 5 bytes JMP 0000000110001120
.text  C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4888] C:\Windows\syswow64\USER32.dll!GetIconInfo  0000000075b75029 5 bytes JMP 0000000110001030
.text  C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4888] C:\Windows\syswow64\USER32.dll!GetCursor  0000000075b8f1bb 5 bytes JMP 0000000110001080
.text  C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3380] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  0000000077c0fe14 5 bytes JMP 0000000174641000
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2120] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  0000000077c0fe14 5 bytes JMP 0000000174641000
.text  C:\Windows\SysWOW64\ctfmon.exe[4024] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  0000000077c0fe14 5 bytes JMP 0000000174641000
.text  C:\Users\Kamil\Desktop\GMER.exe[9008] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  0000000077c0fe14 5 bytes JMP 0000000174641000
.text  C:\Users\Kamil\Desktop\GMER.exe[9008] C:\Windows\syswow64\USER32.dll!DrawIconEx  0000000075b74f4f 5 bytes JMP 0000000110001120
.text  C:\Users\Kamil\Desktop\GMER.exe[9008] C:\Windows\syswow64\USER32.dll!GetIconInfo  0000000075b75029 5 bytes JMP 0000000110001030
.text  C:\Users\Kamil\Desktop\GMER.exe[9008] C:\Windows\syswow64\USER32.dll!GetCursor  0000000075b8f1bb 5 bytes JMP 0000000110001080

---- Threads - GMER 2.1 ----

Thread  C:\Windows\System32\svchost.exe [1144:1496]  000007fef94f331c
Thread  C:\Windows\System32\svchost.exe [1144:3708]  000007fefa3a20c0
Thread  C:\Windows\System32\svchost.exe [1144:3672]  000007fef43214a0
Thread  C:\Windows\System32\svchost.exe [1144:3788]  000007fefa3a26a8
Thread  C:\Windows\System32\svchost.exe [1144:3760]  000007fefa3a29dc
Thread  C:\Windows\System32\svchost.exe [1144:3768]  000007fefa3a29dc
Thread  C:\Windows\System32\svchost.exe [1144:4596]  000007fef32ba2b0
Thread  C:\Windows\System32\svchost.exe [1144:4628]  000007fef4c844e0
Thread  C:\Windows\System32\svchost.exe [1144:6096]  000007fef4e589b8
Thread  C:\Windows\System32\spoolsv.exe [1856:4732]  000007fef29310c8
Thread  C:\Windows\System32\spoolsv.exe [1856:4692]  000007fef20b6144
Thread  C:\Windows\System32\spoolsv.exe [1856:4760]  000007fef2065fd0
Thread  C:\Windows\System32\spoolsv.exe [1856:4780]  000007fef2743438
Thread  C:\Windows\System32\spoolsv.exe [1856:4788]  000007fef20663ec
Thread  C:\Windows\System32\spoolsv.exe [1856:4836]  000007fef32e5e5c
Thread  C:\Windows\System32\spoolsv.exe [1856:4872]  000007fef1f45074
Thread  C:\Windows\system32\taskhost.exe [1924:1952]  000007fef8452740
Thread  C:\Windows\system32\taskhost.exe [1924:1976]  000007fef71b1f38
Thread  C:\Windows\system32\taskhost.exe [1924:2092]  000007fef9ae1010
Thread  C:\Windows\system32\taskhost.exe [1924:3924]  000007fef6795170
Thread  C:\Windows\system32\svchost.exe [4328:4540]  000007fef3758470
Thread  C:\Windows\system32\svchost.exe [4328:4552]  000007fef3762418
Thread  C:\Windows\System32\WUDFHost.exe [4640:5032]  000007fef2de24a0
Thread  C:\Program Files\Windows Sidebar\sidebar.exe [4104:4740]  000007feeae820e0
Thread  C:\Program Files\Windows Sidebar\sidebar.exe [4104:2168]  000007feea526230
Thread  C:\Program Files\Windows Sidebar\sidebar.exe [4104:3244]  000007feea526230
Thread  C:\Program Files\Windows Sidebar\sidebar.exe [4104:4772]  000007fef1abf5a0
Thread  C:\Program Files\Windows Sidebar\sidebar.exe [4104:1396]  000007fef27c9fe4
Thread  C:\Program Files\Windows Sidebar\sidebar.exe [4104:3376]  000007fef27c98ac
Thread  C:\Program Files\Windows Sidebar\sidebar.exe [4104:1580]  000007feea526230

---- Processes - GMER 2.1 ----

Library  C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1896] (GG drive overlay/GG Network S.A.)(2014-03-13 20:29:46)  000000005c080000

---- EOF - GMER 2.1 ----
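The "User code sections" block is the slowest part of a GMER log to read by hand, because a handful of patches is repeated once for every process they touch. The Python below is an added example (it is not part of the GMER output above and not code from the GMER project) that parses those entry lines and groups them. Entries whose JMP/CALL target carries a module path go into one bucket: here those are the PSAPI.DLL stubs landing in kernel32.dll, and on Windows 7 the PSAPI exports are thin wrappers over the K32* functions in kernel32.dll, which is why every WOW64 process in the log shows the same set. Entries whose target has no module label are grouped by target address, so one detour address shared by several unrelated processes, like 0000000174641000 in this log, surfaces as a single injector rather than as a dozen separate findings. The sample input is a subset of this log's own entries embedded inline; the regular expression, the bucket names and the triage rule are this example's assumptions, not documented GMER semantics.

```python
"""Triage the user-mode hook entries of a GMER log (added example, not GMER code)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed shape of one GMER user-code entry (the process path may contain spaces):
#   <section> <process path>[<pid>] <module>!<export>[ + <offset>] <address> <n> bytes <JMP|CALL> <target> [<target module>]
HOOK_RE = re.compile(
    r"^(?P<section>\.\w+)\s+"
    r"(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+?)!(?P<export>\w+)"
    r"(?:\s*\+\s*(?P<offset>\d+))?\s+"
    r"(?P<address>[0-9a-fA-F]+)\s+(?P<size>\d+)\s+bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9a-fA-F]+)"
    r"(?:\s+(?P<target_module>\S.*))?$"
)
# GMER collapses a run of near-identical entries into ".text ... * N".
ELIDED_RE = re.compile(r"^\.\w+\s+\.\.\.\s+\*\s+(?P<count>\d+)$")


def basename(path: str) -> str:
    """Last component of a Windows path, e.g. 'avgui.exe'."""
    return path.rsplit("\\", 1)[-1]


@dataclass(frozen=True)
class Hook:
    process: str
    pid: int
    module: str
    export: str
    offset: int
    address: int
    size: int
    kind: str
    target: int
    target_module: Optional[str]

    @property
    def image(self) -> str:
        return basename(self.process)


@dataclass
class Triage:
    hooks: List[Hook]               # every entry that parsed
    elided: int                     # entries GMER collapsed into "* N"
    labelled: List[Hook]            # target resolved to a named module
    unlabelled: List[Hook]          # target with no module label
    shared_targets: Dict[int, Set[Tuple[str, int]]]  # unlabelled target -> {(image, pid)}


def parse_hook(line: str) -> Optional[Hook]:
    """Parse one entry; None for elided, '?' and other non-hook lines."""
    m = HOOK_RE.match(line.strip())
    if m is None:
        return None
    return Hook(process=m["process"].strip(), pid=int(m["pid"]), module=m["module"],
                export=m["export"], offset=int(m["offset"] or 0),
                address=int(m["address"], 16), size=int(m["size"]), kind=m["kind"],
                target=int(m["target"], 16), target_module=m["target_module"])


def triage(lines: List[str]) -> Triage:
    """Assumed rule: a labelled target is code flowing into a known module; an unlabelled
    target shared by several processes is one injector patching every process it reaches."""
    hooks: List[Hook] = []
    elided = 0
    for line in lines:
        e = ELIDED_RE.match(line.strip())
        if e:
            elided += int(e["count"])
            continue
        h = parse_hook(line)
        if h is not None:
            hooks.append(h)
    labelled = [h for h in hooks if h.target_module]
    unlabelled = [h for h in hooks if not h.target_module]
    by_target: Dict[int, Set[Tuple[str, int]]] = defaultdict(set)
    for h in unlabelled:
        by_target[h.target].add((h.image, h.pid))
    shared = {t: procs for t, procs in by_target.items() if len(procs) > 1}
    return Triage(hooks, elided, labelled, unlabelled, shared)


def summarize(result: Triage) -> List[str]:
    """Report lines, most interesting first."""
    out = []
    for target, procs in sorted(result.shared_targets.items()):
        names = ", ".join(f"{img}[{pid}]" for img, pid in sorted(procs))
        out.append(f"shared unlabelled target {target:016x} in {len(procs)} processes: {names}")
    for h in result.unlabelled:
        if h.target not in result.shared_targets:
            out.append(f"unlabelled {h.kind} {basename(h.module)}!{h.export} -> {h.target:016x} in {h.image}[{h.pid}]")
    out.append(f"{len(result.labelled)} entries (+{result.elided} elided) jump into a named module")
    return out


# Constructed sample: a subset of the entries from this log (same values, fewer lines).
SAMPLE_LOG = r"""
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2388] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  00000000775c1401 2 bytes JMP 773cb21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  00000000775c144a 2 bytes CALL 773a48ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2736] C:\Windows\syswow64\USER32.dll!DrawIconEx  0000000075b74f4f 5 bytes JMP 00000001037a1120
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  0000000077c0fe14 5 bytes JMP 0000000174641000
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  0000000077a61650 5 bytes JMP 0000000077bc0018
.text  C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4888] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  0000000077c0fe14 5 bytes JMP 0000000174641000
.text  C:\Users\Kamil\Desktop\GMER.exe[9008] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory  0000000077c0fe14 5 bytes JMP 0000000174641000
? C:\Windows\system32\mssprxy.dll [2736] entry point in ".rdata" section 0000000071b171e6
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

if __name__ == "__main__":
    for report_line in summarize(triage(SAMPLE_LINES)):
        print(report_line)
```

Run as a script it prints the summary for the embedded sample; to triage a full log, pass all of its lines to triage(). Kernel, Threads and Processes entries have a different shape and are skipped, so the (*** suspicious ***) library in Explorer.EXE still has to be read from the log itself.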