GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-04-04 11:40:42
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000023 ST500LT012-1DG142 rev.0002LVM1 465,76GB
Running: gmer.exe; Driver: C:\Users\Say\AppData\Local\Temp\fwldypoc.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\WINDOWS\System32\win32k.sys!W32pServiceTable       fffff96000226a00 15 bytes [00, 2E, F4, 01, 80, A0, 6E, ...]
.text  C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 17  fffff96000226a11 10 bytes [5E, FC, FF, 00, BB, C7, 00, ...]

---- User code sections - GMER 2.1 ----

.text  C:\WINDOWS\system32\mfevtps.exe[1576] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 506  00007ffa8fc2169a 4 bytes [C2, 8F, FA, 7F]
.text  C:\WINDOWS\system32\mfevtps.exe[1576] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 514  00007ffa8fc216a2 4 bytes [C2, 8F, FA, 7F]
.text  C:\WINDOWS\system32\mfevtps.exe[1576] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 118     00007ffa8fc2181a 4 bytes [C2, 8F, FA, 7F]
.text  C:\WINDOWS\system32\mfevtps.exe[1576] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 142     00007ffa8fc21832 4 bytes [C2, 8F, FA, 7F]
.text  C:\WINDOWS\Explorer.EXE[1816] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffa8fc2169a 4 bytes [C2, 8F, FA, 7F]
.text  C:\WINDOWS\Explorer.EXE[1816] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffa8fc216a2 4 bytes [C2, 8F, FA, 7F]
.text  C:\WINDOWS\Explorer.EXE[1816] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118     00007ffa8fc2181a 4 bytes [C2, 8F, FA, 7F]
.text  C:\WINDOWS\Explorer.EXE[1816] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142     00007ffa8fc21832 4 bytes [C2, 8F, FA, 7F]
.text  C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[1596] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffa8fc2169a 4 bytes [C2, 8F, FA, 7F]
.text  C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[1596] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffa8fc216a2 4 bytes [C2, 8F, FA, 7F]
.text  C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[1596] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118     00007ffa8fc2181a 4 bytes [C2, 8F, FA, 7F]
.text  C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe[1596] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142     00007ffa8fc21832 4 bytes [C2, 8F, FA, 7F]
.text  C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe[2260] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffa8fc2169a 4 bytes [C2, 8F, FA, 7F]
.text  C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe[2260] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffa8fc216a2 4 bytes [C2, 8F, FA, 7F]
.text  C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe[2260] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118     00007ffa8fc2181a 4 bytes [C2, 8F, FA, 7F]
.text  C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe[2260] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142     00007ffa8fc21832 4 bytes [C2, 8F, FA, 7F]
.text  C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3652] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194  00007ffa7b1b1f6a 4 bytes [1B, 7B, FA, 7F]
.text  C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3652] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218  00007ffa7b1b1f82 4 bytes [1B, 7B, FA, 7F]
.text  C:\Program Files\Common Files\McAfee\platform\McUICnt.exe[904] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffa8fc2169a 4 bytes [C2, 8F, FA, 7F]
.text  C:\Program Files\Common Files\McAfee\platform\McUICnt.exe[904] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffa8fc216a2 4 bytes [C2, 8F, FA, 7F]
.text  C:\Program Files\Common Files\McAfee\platform\McUICnt.exe[904] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118     00007ffa8fc2181a 4 bytes [C2, 8F, FA, 7F]
.text  C:\Program Files\Common Files\McAfee\platform\McUICnt.exe[904] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142     00007ffa8fc21832 4 bytes [C2, 8F, FA, 7F]

---- Threads - GMER 2.1 ----

Thread  C:\WINDOWS\system32\csrss.exe [584:608]  fffff960008a5b90

---- Processes - GMER 2.1 ----

Library  C:\Users\Say\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [1816] (GG drive menu/GG Network S.A.)(2015-04  000000005ff80000
Library  C:\ProgramData\PLAY INTERNET\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe [1836](2015-04-02 07:37:19)  000000006a1c0000
Library  C:\ProgramData\PLAY INTERNET\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe [1836](2015-04-02 07:37:20)  000000006ff00000
Library  C:\ProgramData\PLAY INTERNET\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe [1836](2015-04-02 07:37:19)  000000006fbc0000
Library  C:\ProgramData\PLAY INTERNET\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\PLAY INTERNET\OnlineUpdate\ouc.exe [1836](2015-04-02 07:37:19)  000000006e940000
Process  C:\Users\Say\AppData\Local\Temp\Rar$EXa0.959\gmer.exe (*** suspicious ***) @ C:\Users\Say\AppData\Local\Temp\Rar$EXa0.959\gmer.exe [5036](2015-04-04 09:35:01)  0000000000400000

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.1 ----