GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-08-16 19:45:00
Windows 6.0.6002 Service Pack 2 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD800BEVT-75ZCT2 rev.11.01A11 74,53GB
Running: gmer.exe; Driver: C:\Users\Adam\AppData\Local\Temp\uwddapod.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2524] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000076391ab6 4 bytes [C2, 04, 00, 00]
.text  C:\Windows\SysWOW64\vmnat.exe[2904] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 4  0000000073701348 2 bytes JMP 75709f91 C:\Windows\syswow64\SHELL32.dll
.text  C:\Windows\SysWOW64\vmnat.exe[2904] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 29  0000000073701361 2 bytes JMP 7673c4e6 C:\Windows\syswow64\msvcrt.dll
.text  ...  * 32
.text  C:\Windows\SysWOW64\vmnat.exe[2904] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 22  000000007370155e 2 bytes CALL 756dd889 C:\Windows\syswow64\SHELL32.dll
.text  C:\Windows\SysWOW64\vmnat.exe[2904] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 43  0000000073701573 2 bytes CALL 76390c79 C:\Windows\syswow64\kernel32.dll

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification

---- Processes - GMER 2.1 ----

Library  C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1960] (GG drive overlay/GG Network S.A.)(2015-03-30 16:48:59)  000000005c080000
Library  C:\Users\Adam\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1960] (GG drive menu/GG Network S.A.)(2015-  000000005ff80000
Process  C:\ProgramData\DatacardService\HWDeviceService64.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\HWDeviceService64.exe [2660](2011-03-14 15:27:34)  000000013f130000
Process  C:\ProgramData\DatacardService\DCSHelper.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\DCSHelper.exe [2744] (DataCardMonitor MFC Application/Huawei Technologies Co., Ltd.)(2011-03-14 15:27:28)  0000000000400000

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.1 ----
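The ".text" entries in the "User code sections" block are the part of a GMER log that takes the most manual work to triage: each one names a process, the export that was patched, the offset into it, how many bytes changed, and either the raw replacement bytes or where a JMP/CALL now transfers control. The following parser is an added example and is not part of the original post or of GMER itself. It splits those lines into fields, decodes the one opcode pattern that appears in the log above (C2 04 00 = x86 "ret 4", a stdcall return that pops one argument, so the hooked export returns immediately), and flags transfers that leave the hooked module. The sample input is copied from the log above; the "---- name - GMER 2.1 ----" header format is assumed from it. It does not decide whether a hook is malicious: a patch of SetUnhandledExceptionFilter inside the vendor's own ekrn.exe, or the SHFOLDER.dll stubs in vmnat.exe, still have to be checked against what those products are known to do on that build.

```python
"""Parse the user-mode hook entries ('.text' lines) of a GMER 2.1 log.

Added example, not code from GMER or from the original post. The section
header format and the sample lines are taken from the log above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the log above.
SAMPLE_LOG = r"""---- User code sections - GMER 2.1 ----

.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2524] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000076391ab6 4 bytes [C2, 04, 00, 00]
.text  C:\Windows\SysWOW64\vmnat.exe[2904] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 4  0000000073701348 2 bytes JMP 75709f91 C:\Windows\syswow64\SHELL32.dll
.text  ...  * 32
.text  C:\Windows\SysWOW64\vmnat.exe[2904] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 22  000000007370155e 2 bytes CALL 756dd889 C:\Windows\syswow64\SHELL32.dll

---- Kernel code sections - GMER 2.1 ----
"""

SECTION_RE = re.compile(r"^----\s+(?P<name>.+?)\s+-\s+GMER\s+[\d.]+\s+----$")
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"      # process path[pid]
    r"(?P<mod>.+?)!(?P<func>\w+)"                       # hooked module!export
    r"(?:\s*\+\s*(?P<off>\d+))?\s+"                     # optional '+ N' byte offset
    r"(?P<addr>[0-9a-fA-F]{8,16})\s+(?P<n>\d+)\s+bytes\s+"
    r"(?P<rest>.*)$"                                    # '[..bytes..]' or 'JMP/CALL target module'
)
XFER_RE = re.compile(r"^(?P<kind>JMP|CALL)\s+(?P<target>[0-9a-fA-F]+)\s*(?P<tmod>.*)$")


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    export: str
    offset: int
    address: int
    size: int
    kind: str                # "bytes", "JMP" or "CALL"
    patch: Optional[bytes]   # replacement bytes when kind == "bytes"
    target: Optional[int]    # transfer target when kind is JMP/CALL
    target_module: Optional[str]


def parse_hook(line: str) -> Optional[Hook]:
    """Parse one '.text' entry; returns None for the '.text ... * N' elision lines."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"].strip()
    patch = target = tmod = None
    if rest.startswith("["):
        kind = "bytes"
        patch = bytes(int(b, 16) for b in rest.strip("[]").split(","))
    else:
        x = XFER_RE.match(rest)
        if not x:
            return None
        kind, target, tmod = x["kind"], int(x["target"], 16), x["tmod"] or None
    return Hook(m["proc"], int(m["pid"]), m["mod"], m["func"], int(m["off"] or 0),
                int(m["addr"], 16), int(m["n"]), kind, patch, target, tmod)


def parse_log(text: str) -> List[Hook]:
    """Collect the hook entries that sit under a 'User code sections' header."""
    hooks, section = [], None
    for line in text.splitlines():
        s = SECTION_RE.match(line.strip())
        if s:
            section = s["name"]
            continue
        if section == "User code sections":
            h = parse_hook(line)
            if h:
                hooks.append(h)
    return hooks


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def crosses_module(h: Hook) -> bool:
    """True when a JMP/CALL lands in a module other than the one that was patched."""
    if h.target_module is None:
        return False
    return basename(h.target_module).lower() != basename(h.module).lower()


def describe(h: Hook) -> str:
    """One-line reading of the patch: decodes 'C2 imm16' (x86 ret imm16), else reports the transfer."""
    where = f"{basename(h.module)}!{h.export}+{h.offset} in {basename(h.process)}[{h.pid}]"
    if h.kind == "bytes":
        if len(h.patch) >= 3 and h.patch[0] == 0xC2:
            imm = int.from_bytes(h.patch[1:3], "little")
            return f"{where}: first bytes replaced with 'ret {imm}', the export returns immediately"
        return f"{where}: inline patch {h.patch.hex(' ')}"
    flag = " (leaves the hooked module)" if crosses_module(h) else ""
    return f"{where}: {h.kind} to {h.target:08x} in {basename(h.target_module or '?')}{flag}"


if __name__ == "__main__":
    for hook in parse_log(SAMPLE_LOG):
        print(describe(hook))
```

The parser deliberately drops the ".text ... * N" lines rather than guessing at the N entries GMER elided; when those matter, rerun GMER with the full listing rather than reconstructing them.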