GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-02-06 17:14:50 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD75 rev.03.0 698,64GB Running: cgj4m5xz.exe; Driver: C:\Users\sp9sdr\AppData\Local\Temp\fwrdipod.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1240] C:\windows\syswow64\WS2_32.dll!sendto 0000000076f034b5 5 bytes JMP 0000000100280594 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1240] C:\windows\syswow64\WS2_32.dll!closesocket 0000000076f03918 5 bytes JMP 0000000100280c6c .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1240] C:\windows\syswow64\WS2_32.dll!WSASend 0000000076f04406 5 bytes JMP 0000000100280a24 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1240] C:\windows\syswow64\WS2_32.dll!recv 0000000076f06b0e 5 bytes JMP 0000000100280228 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1240] C:\windows\syswow64\WS2_32.dll!connect 0000000076f06bdd 5 bytes JMP 0000000100280104 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1240] C:\windows\syswow64\WS2_32.dll!send 0000000076f06f01 5 bytes JMP 0000000100280470 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1240] C:\windows\syswow64\WS2_32.dll!WSARecv 0000000076f07089 5 bytes JMP 00000001002807dc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1240] C:\windows\syswow64\WS2_32.dll!recvfrom 0000000076f0b6dc 5 bytes JMP 000000010028034c .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1240] C:\windows\syswow64\WS2_32.dll!WSARecvFrom 0000000076f0cba6 5 bytes JMP 0000000100280900 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1240] C:\windows\syswow64\WS2_32.dll!WSAConnect 0000000076f0cc3f 5 bytes JMP 00000001002806b8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[1240] C:\windows\syswow64\WS2_32.dll!WSASendTo 0000000076f1b30c 5 bytes JMP 0000000100280b48 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1616] C:\windows\syswow64\WS2_32.dll!sendto 0000000076f034b5 5 bytes JMP 0000000101290594 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1616] C:\windows\syswow64\WS2_32.dll!closesocket 0000000076f03918 5 bytes JMP 0000000101290c6c .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1616] C:\windows\syswow64\WS2_32.dll!WSASend 0000000076f04406 5 bytes JMP 0000000101290a24 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1616] C:\windows\syswow64\WS2_32.dll!recv 0000000076f06b0e 5 bytes JMP 0000000101290228 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1616] C:\windows\syswow64\WS2_32.dll!connect 0000000076f06bdd 5 bytes JMP 0000000101290104 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1616] C:\windows\syswow64\WS2_32.dll!send 0000000076f06f01 5 bytes JMP 0000000101290470 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1616] C:\windows\syswow64\WS2_32.dll!WSARecv 0000000076f07089 5 bytes JMP 00000001012907dc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1616] C:\windows\syswow64\WS2_32.dll!recvfrom 0000000076f0b6dc 5 bytes JMP 000000010129034c .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1616] C:\windows\syswow64\WS2_32.dll!WSARecvFrom 0000000076f0cba6 5 bytes JMP 0000000101290900 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1616] C:\windows\syswow64\WS2_32.dll!WSAConnect 0000000076f0cc3f 5 bytes JMP 00000001012906b8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[1616] C:\windows\syswow64\WS2_32.dll!WSASendTo 0000000076f1b30c 5 bytes JMP 0000000101290b48 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2392] C:\windows\syswow64\WS2_32.dll!sendto 0000000076f034b5 5 bytes JMP 0000000100200594 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2392] C:\windows\syswow64\WS2_32.dll!closesocket 0000000076f03918 5 bytes JMP 0000000100200c6c .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2392] C:\windows\syswow64\WS2_32.dll!WSASend 0000000076f04406 5 bytes JMP 0000000100200a24 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2392] C:\windows\syswow64\WS2_32.dll!recv 0000000076f06b0e 5 bytes JMP 0000000100200228 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2392] C:\windows\syswow64\WS2_32.dll!connect 0000000076f06bdd 5 bytes JMP 0000000100200104 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2392] C:\windows\syswow64\WS2_32.dll!send 0000000076f06f01 5 bytes JMP 0000000100200470 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2392] C:\windows\syswow64\WS2_32.dll!WSARecv 0000000076f07089 5 bytes JMP 00000001002007dc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2392] C:\windows\syswow64\WS2_32.dll!recvfrom 0000000076f0b6dc 5 bytes JMP 000000010020034c .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2392] C:\windows\syswow64\WS2_32.dll!WSARecvFrom 0000000076f0cba6 5 bytes JMP 0000000100200900 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2392] C:\windows\syswow64\WS2_32.dll!WSAConnect 0000000076f0cc3f 5 bytes JMP 00000001002006b8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2392] C:\windows\syswow64\WS2_32.dll!WSASendTo 0000000076f1b30c 5 bytes JMP 0000000100200b48 .text C:\windows\Explorer.EXE[2772] C:\windows\system32\WS2_32.dll!WSASend 000007feff4213b0 5 bytes JMP 000007feff470ac0 .text C:\windows\Explorer.EXE[2772] C:\windows\system32\WS2_32.dll!closesocket 000007feff4218e0 5 bytes JMP 000007feff470d30 .text C:\windows\Explorer.EXE[2772] C:\windows\system32\WS2_32.dll!WSARecv 000007feff422200 5 bytes JMP 000007feff470850 .text C:\windows\Explorer.EXE[2772] C:\windows\system32\WS2_32.dll!connect 000007feff4245c0 5 bytes JMP 000007feff470100 .text C:\windows\Explorer.EXE[2772] C:\windows\system32\WS2_32.dll!send 000007feff428000 5 bytes JMP 000007feff4704a8 .text C:\windows\Explorer.EXE[2772] C:\windows\system32\WS2_32.dll!sendto 000007feff42d7f0 5 bytes JMP 000007feff4705e0 .text C:\windows\Explorer.EXE[2772] C:\windows\system32\WS2_32.dll!recv 000007feff42df40 5 bytes JMP 000007feff470238 .text C:\windows\Explorer.EXE[2772] C:\windows\system32\WS2_32.dll!recvfrom 000007feff42eb90 5 bytes JMP 000007feff470370 .text C:\windows\Explorer.EXE[2772] C:\windows\system32\WS2_32.dll!WSASendTo 000007feff42ed50 5 bytes JMP 000007feff470bf8 .text C:\windows\Explorer.EXE[2772] C:\windows\system32\WS2_32.dll!WSAConnect 000007feff44e0f0 5 bytes JMP 000007feff470718 .text C:\windows\Explorer.EXE[2772] C:\windows\system32\WS2_32.dll!WSARecvFrom 000007feff44e6c0 5 bytes JMP 000007feff470988 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2364] C:\windows\syswow64\ws2_32.dll!sendto 0000000076f034b5 5 bytes JMP 0000000106fb0594 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2364] C:\windows\syswow64\ws2_32.dll!closesocket 0000000076f03918 5 bytes JMP 0000000106fb0c6c .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2364] C:\windows\syswow64\ws2_32.dll!WSASend 0000000076f04406 5 bytes JMP 0000000106fb0a24 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2364] C:\windows\syswow64\ws2_32.dll!recv 0000000076f06b0e 5 bytes JMP 0000000106fb0228 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2364] C:\windows\syswow64\ws2_32.dll!connect 0000000076f06bdd 5 bytes JMP 0000000106fb0104 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2364] C:\windows\syswow64\ws2_32.dll!send 0000000076f06f01 5 bytes JMP 0000000106fb0470 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2364] C:\windows\syswow64\ws2_32.dll!WSARecv 0000000076f07089 5 bytes JMP 0000000106fb07dc .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2364] C:\windows\syswow64\ws2_32.dll!recvfrom 0000000076f0b6dc 5 bytes JMP 0000000106fb034c .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2364] C:\windows\syswow64\ws2_32.dll!WSARecvFrom 0000000076f0cba6 5 bytes JMP 0000000106fb0900 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2364] C:\windows\syswow64\ws2_32.dll!WSAConnect 0000000076f0cc3f 5 bytes JMP 0000000106fb06b8 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2364] C:\windows\syswow64\ws2_32.dll!WSASendTo 0000000076f1b30c 5 bytes JMP 0000000106fb0b48 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2364] C:\windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075251465 2 bytes [25, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[2364] C:\windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000752514bb 2 bytes [25, 75] .text ... * 2 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[1364] C:\windows\syswow64\WS2_32.dll!sendto 0000000076f034b5 5 bytes JMP 0000000102bc0594 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[1364] C:\windows\syswow64\WS2_32.dll!closesocket 0000000076f03918 5 bytes JMP 0000000102bc0c6c .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[1364] C:\windows\syswow64\WS2_32.dll!WSASend 0000000076f04406 5 bytes JMP 0000000102bc0a24 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[1364] C:\windows\syswow64\WS2_32.dll!recv 0000000076f06b0e 5 bytes JMP 0000000102bc0228 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[1364] C:\windows\syswow64\WS2_32.dll!connect 0000000076f06bdd 5 bytes JMP 0000000102bc0104 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[1364] C:\windows\syswow64\WS2_32.dll!send 0000000076f06f01 5 bytes JMP 0000000102bc0470 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[1364] C:\windows\syswow64\WS2_32.dll!WSARecv 0000000076f07089 5 bytes JMP 0000000102bc07dc .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[1364] C:\windows\syswow64\WS2_32.dll!recvfrom 0000000076f0b6dc 5 bytes JMP 0000000102bc034c .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[1364] C:\windows\syswow64\WS2_32.dll!WSARecvFrom 0000000076f0cba6 5 bytes JMP 0000000102bc0900 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[1364] C:\windows\syswow64\WS2_32.dll!WSAConnect 0000000076f0cc3f 5 bytes JMP 0000000102bc06b8 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[1364] C:\windows\syswow64\WS2_32.dll!WSASendTo 0000000076f1b30c 5 bytes JMP 0000000102bc0b48 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[1364] C:\windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075251465 2 bytes [25, 75] .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[1364] C:\windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000752514bb 2 bytes [25, 75] .text ... * 2 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3088] C:\windows\syswow64\WS2_32.dll!sendto 0000000076f034b5 5 bytes JMP 0000000100b40594 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3088] C:\windows\syswow64\WS2_32.dll!closesocket 0000000076f03918 5 bytes JMP 0000000100b40c6c .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3088] C:\windows\syswow64\WS2_32.dll!WSASend 0000000076f04406 5 bytes JMP 0000000100b40a24 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3088] C:\windows\syswow64\WS2_32.dll!recv 0000000076f06b0e 5 bytes JMP 0000000100b40228 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3088] C:\windows\syswow64\WS2_32.dll!connect 0000000076f06bdd 5 bytes JMP 0000000100b40104 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3088] C:\windows\syswow64\WS2_32.dll!send 0000000076f06f01 5 bytes JMP 0000000100b40470 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3088] C:\windows\syswow64\WS2_32.dll!WSARecv 0000000076f07089 5 bytes JMP 0000000100b407dc .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3088] C:\windows\syswow64\WS2_32.dll!recvfrom 0000000076f0b6dc 5 bytes JMP 0000000100b4034c .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3088] C:\windows\syswow64\WS2_32.dll!WSARecvFrom 0000000076f0cba6 5 bytes JMP 0000000100b40900 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3088] C:\windows\syswow64\WS2_32.dll!WSAConnect 0000000076f0cc3f 5 bytes JMP 0000000100b406b8 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3088] C:\windows\syswow64\WS2_32.dll!WSASendTo 0000000076f1b30c 5 bytes JMP 0000000100b40b48 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3264] C:\windows\system32\WS2_32.dll!WSASend 000007feff4213b0 5 bytes JMP 000007feff470ac0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3264] C:\windows\system32\WS2_32.dll!closesocket 000007feff4218e0 5 bytes JMP 000007feff470d30 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3264] C:\windows\system32\WS2_32.dll!WSARecv 000007feff422200 5 bytes JMP 000007feff470850 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3264] C:\windows\system32\WS2_32.dll!connect 000007feff4245c0 5 bytes JMP 000007feff470100 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3264] C:\windows\system32\WS2_32.dll!send 000007feff428000 5 bytes JMP 000007feff4704a8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3264] C:\windows\system32\WS2_32.dll!sendto 000007feff42d7f0 5 bytes JMP 000007feff4705e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3264] C:\windows\system32\WS2_32.dll!recv 000007feff42df40 5 bytes JMP 000007feff470238 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3264] C:\windows\system32\WS2_32.dll!recvfrom 000007feff42eb90 5 bytes JMP 000007feff470370 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3264] C:\windows\system32\WS2_32.dll!WSASendTo 000007feff42ed50 5 bytes JMP 000007feff470bf8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3264] C:\windows\system32\WS2_32.dll!WSAConnect 000007feff44e0f0 5 bytes JMP 000007feff470718 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3264] C:\windows\system32\WS2_32.dll!WSARecvFrom 000007feff44e6c0 5 bytes JMP 000007feff470988 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1224] C:\windows\syswow64\WS2_32.dll!sendto 0000000076f034b5 5 bytes JMP 0000000100e10594 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1224] C:\windows\syswow64\WS2_32.dll!closesocket 0000000076f03918 5 bytes JMP 0000000100e10c6c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1224] C:\windows\syswow64\WS2_32.dll!WSASend 0000000076f04406 5 bytes JMP 0000000100e10a24 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1224] C:\windows\syswow64\WS2_32.dll!recv 0000000076f06b0e 5 bytes JMP 0000000100e10228 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1224] C:\windows\syswow64\WS2_32.dll!connect 0000000076f06bdd 5 bytes JMP 0000000100e10104 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1224] C:\windows\syswow64\WS2_32.dll!send 0000000076f06f01 5 bytes JMP 0000000100e10470 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1224] C:\windows\syswow64\WS2_32.dll!WSARecv 0000000076f07089 5 bytes JMP 0000000100e107dc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1224] C:\windows\syswow64\WS2_32.dll!recvfrom 0000000076f0b6dc 5 bytes JMP 0000000100e1034c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1224] C:\windows\syswow64\WS2_32.dll!WSARecvFrom 0000000076f0cba6 5 bytes JMP 0000000100e10900 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1224] C:\windows\syswow64\WS2_32.dll!WSAConnect 0000000076f0cc3f 5 bytes JMP 0000000100e106b8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1224] C:\windows\syswow64\WS2_32.dll!WSASendTo 0000000076f1b30c 5 bytes JMP 0000000100e10b48 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[808] C:\windows\system32\WS2_32.dll!WSASend 000007feff4213b0 5 bytes JMP 000007feff470ac0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[808] C:\windows\system32\WS2_32.dll!closesocket 000007feff4218e0 5 bytes JMP 000007feff470d30 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[808] C:\windows\system32\WS2_32.dll!WSARecv 000007feff422200 5 bytes JMP 000007feff470850 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[808] C:\windows\system32\WS2_32.dll!connect 000007feff4245c0 5 bytes JMP 000007feff470100 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[808] C:\windows\system32\WS2_32.dll!send 000007feff428000 5 bytes JMP 000007feff4704a8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[808] C:\windows\system32\WS2_32.dll!sendto 000007feff42d7f0 5 bytes JMP 000007feff4705e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[808] C:\windows\system32\WS2_32.dll!recv 000007feff42df40 5 bytes JMP 000007feff470238 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[808] C:\windows\system32\WS2_32.dll!recvfrom 000007feff42eb90 5 bytes JMP 000007feff470370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[808] C:\windows\system32\WS2_32.dll!WSASendTo 000007feff42ed50 5 bytes JMP 000007feff470bf8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[808] C:\windows\system32\WS2_32.dll!WSAConnect 000007feff44e0f0 5 bytes JMP 000007feff470718 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[808] C:\windows\system32\WS2_32.dll!WSARecvFrom 000007feff44e6c0 5 bytes JMP 000007feff470988 ---- Threads - GMER 2.1 ---- Thread C:\windows\System32\svchost.exe [1296:3864] 000007fefd0920b0 Thread C:\windows\System32\svchost.exe [1296:4508] 000007fef7b65fd0 Thread C:\windows\system32\WLANExt.exe [1412:1356] 00000001800ee130 Thread C:\windows\system32\WLANExt.exe [1412:1100] 0000000180090110 Thread C:\windows\system32\WLANExt.exe [1412:1244] 00000001800ee130 Thread C:\windows\system32\WLANExt.exe [1412:2744] 000007fef9532f9c Thread C:\windows\system32\WLANExt.exe [1412:2784] 00000000009a8bc8 Thread C:\windows\system32\WLANExt.exe [1412:2760] 00000000009a8be4 Thread C:\windows\system32\WLANExt.exe [1412:2788] 00000000009a8bac Thread C:\windows\system32\WLANExt.exe [1412:2800] 000007fef9532f9c Thread C:\windows\System32\spoolsv.exe [1368:2956] 000007fef7db10c8 Thread C:\windows\System32\spoolsv.exe [1368:3020] 000007fef7d76144 Thread C:\windows\System32\spoolsv.exe [1368:3036] 000007fef7b65fd0 Thread C:\windows\System32\spoolsv.exe [1368:3048] 000007fef7b53438 Thread C:\windows\System32\spoolsv.exe [1368:3044] 000007fef7b663ec Thread C:\windows\System32\spoolsv.exe [1368:2484] 000007fef8635e5c Thread C:\windows\System32\spoolsv.exe [1368:2536] 000007fef93d5074 Thread [2080:2968] 0000000076bd7587 Thread [2080:2872] 0000000077393e85 Thread [2080:1396] 000000002c0043a0 Thread [2080:2524] 0000000077392e65 Thread [2080:2864] 0000000077393e85 Thread [2080:2496] 0000000077393e85 Thread [2080:3580] 0000000077393e85 Thread C:\windows\system32\svchost.exe [3976:4056] 000007fef9532f9c Thread C:\windows\System32\svchost.exe [2312:4720] 000007fef0fb9688 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\windows\Explorer.EXE [2772] (GG drive overlay/GG Network S.A.)(2013-12-23 08:46:44) 000000005c080000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076fc1a13 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\60d819ec68f2 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076fc1a13 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\60d819ec68f2 (not active ControlSet) ---- EOF - GMER 2.1 ----