GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-08-24 23:49:30
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST1000LM rev.2AR1 931,51GB
Running: gmer.exe; Driver: C:\Users\User\AppData\Local\Temp\aftcaaob.sys

---- User code sections - GMER 2.1 ----

.text C:\ProgramData\JWinManProJ\WinManPro.exe[1792] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076de1401 2 bytes JMP 7758b21b C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\JWinManProJ\WinManPro.exe[1792] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076de1419 2 bytes JMP 7758b346 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\JWinManProJ\WinManPro.exe[1792] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076de1431 2 bytes JMP 77608f29 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\JWinManProJ\WinManPro.exe[1792] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076de144a 2 bytes CALL 7756489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\ProgramData\JWinManProJ\WinManPro.exe[1792] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076de14dd 2 bytes JMP 77608822 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\JWinManProJ\WinManPro.exe[1792] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076de14f5 2 bytes JMP 776089f8 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\JWinManProJ\WinManPro.exe[1792] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076de150d 2 bytes JMP 77608718 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\JWinManProJ\WinManPro.exe[1792] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076de1525 2 bytes JMP 77608ae2 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\JWinManProJ\WinManPro.exe[1792] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076de153d 2 bytes JMP 7757fca8 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\JWinManProJ\WinManPro.exe[1792] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076de1555 2 bytes JMP 775868ef C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\JWinManProJ\WinManPro.exe[1792] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076de156d 2 bytes JMP 77608fe3 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\JWinManProJ\WinManPro.exe[1792] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076de1585 2 bytes JMP 77608b42 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\JWinManProJ\WinManPro.exe[1792] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076de159d 2 bytes JMP 776086dc C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\JWinManProJ\WinManPro.exe[1792] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076de15b5 2 bytes JMP 7757fd41 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\JWinManProJ\WinManPro.exe[1792] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076de15cd 2 bytes JMP 7758b2dc C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\JWinManProJ\WinManPro.exe[1792] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076de16b2 2 bytes JMP 77608ea4 C:\windows\syswow64\kernel32.dll
.text C:\ProgramData\JWinManProJ\WinManPro.exe[1792] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076de16bd 2 bytes JMP 77608671 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiniLite\ProtectService.exe[2112] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076de1401 2 bytes JMP 7758b21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiniLite\ProtectService.exe[2112] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076de1419 2 bytes JMP 7758b346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiniLite\ProtectService.exe[2112] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076de1431 2 bytes JMP 77608f29 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiniLite\ProtectService.exe[2112] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076de144a 2 bytes CALL 7756489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\MiniLite\ProtectService.exe[2112] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076de14dd 2 bytes JMP 77608822 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiniLite\ProtectService.exe[2112] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076de14f5 2 bytes JMP 776089f8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiniLite\ProtectService.exe[2112] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076de150d 2 bytes JMP 77608718 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiniLite\ProtectService.exe[2112] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076de1525 2 bytes JMP 77608ae2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiniLite\ProtectService.exe[2112] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076de153d 2 bytes JMP 7757fca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiniLite\ProtectService.exe[2112] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076de1555 2 bytes JMP 775868ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiniLite\ProtectService.exe[2112] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076de156d 2 bytes JMP 77608fe3 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiniLite\ProtectService.exe[2112] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076de1585 2 bytes JMP 77608b42 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiniLite\ProtectService.exe[2112] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076de159d 2 bytes JMP 776086dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiniLite\ProtectService.exe[2112] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076de15b5 2 bytes JMP 7757fd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiniLite\ProtectService.exe[2112] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076de15cd 2 bytes JMP 7758b2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiniLite\ProtectService.exe[2112] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076de16b2 2 bytes JMP 77608ea4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiniLite\ProtectService.exe[2112] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076de16bd 2 bytes JMP 77608671 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2240] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076de1401 2 bytes JMP 7758b21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2240] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076de1419 2 bytes JMP 7758b346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2240] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076de1431 2 bytes JMP 77608f29 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2240] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076de144a 2 bytes CALL 7756489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2240] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076de14dd 2 bytes JMP 77608822 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2240] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076de14f5 2 bytes JMP 776089f8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2240] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076de150d 2 bytes JMP 77608718 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2240] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076de1525 2 bytes JMP 77608ae2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2240] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076de153d 2 bytes JMP 7757fca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2240] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076de1555 2 bytes JMP 775868ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2240] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076de156d 2 bytes JMP 77608fe3 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2240] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076de1585 2 bytes JMP 77608b42 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2240] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076de159d 2 bytes JMP 776086dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2240] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076de15b5 2 bytes JMP 7757fd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2240] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076de15cd 2 bytes JMP 7758b2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2240] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076de16b2 2 bytes JMP 77608ea4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2240] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076de16bd 2 bytes JMP 77608671 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4376] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000077568781 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4376] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076de1401 2 bytes JMP 7758b21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4376] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076de1419 2 bytes JMP 7758b346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4376] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076de1431 2 bytes JMP 77608f29 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4376] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076de144a 2 bytes CALL 7756489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4376] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076de14dd 2 bytes JMP 77608822 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4376] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076de14f5 2 bytes JMP 776089f8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4376] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076de150d 2 bytes JMP 77608718 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4376] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076de1525 2 bytes JMP 77608ae2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4376] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076de153d 2 bytes JMP 7757fca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4376] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076de1555 2 bytes JMP 775868ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4376] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076de156d 2 bytes JMP 77608fe3 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4376] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076de1585 2 bytes JMP 77608b42 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4376] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076de159d 2 bytes JMP 776086dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4376] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076de15b5 2 bytes JMP 7757fd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4376] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076de15cd 2 bytes JMP 7758b2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4376] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076de16b2 2 bytes JMP 77608ea4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4376] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076de16bd 2 bytes JMP 77608671 C:\windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread C:\windows\system32\taskhost.exe [2288:3728] 000007fefb5e1010
Thread C:\windows\system32\taskhost.exe [2288:4600] 000007fef67c5170
Thread C:\Windows\System32\StikyNot.exe [312:3592] 000007fefdde6e60
Thread C:\Windows\System32\StikyNot.exe [312:1180] 000007fefbe02bf8
Thread C:\Windows\System32\StikyNot.exe [312:4524] 000007fefdde6e60
Thread C:\Windows\System32\StikyNot.exe [312:4528] 000007fefdde6e60
Thread C:\Windows\System32\StikyNot.exe [312:4532] 000007fefdde6e60
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3020:4880] 000007fefbe02bf8
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3020:2216] 000007feee375648
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3020:2920] 000007feee375648
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3020:4308] 000007fefadf5124
Thread C:\windows\System32\svchost.exe [4508:5604] 000007fee7479688

---- Processes - GMER 2.1 ----

Process C:\ProgramData\DatacardService\HWDeviceService64.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\HWDeviceService64.exe [2072](2010-11-16 13:38:16) 000000013fa90000
Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\windows\Explorer.EXE [3108] (GG drive overlay/GG Network S.A.)(2015-01-30 01:31:08) 000000005c080000
Process C:\ProgramData\DatacardService\DCSHelper.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\DCSHelper.exe [3120] (DataCardMonitor MFC Application/Huawei Technologies Co., Ltd.)(2010-11-16 13:37:30) 0000000000400000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----