GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-07-30 17:45:41 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-5 SAMSUNG_HD250HJ rev.FH100-06 232,89GB Running: 4ipyhfkz.exe; Driver: C:\Users\MM\AppData\Local\Temp\uglciaoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800033f1000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800033f102f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[644] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f5ef8d 1 byte [62] .text C:\Windows\system32\services.exe[704] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f5ef8d 1 byte [62] .text C:\Windows\system32\winlogon.exe[736] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f5ef8d 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[976] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f5ef8d 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1000] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007534a2fd 1 byte [62] .text C:\Windows\System32\svchost.exe[772] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f5ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f5ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1036] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f5ef8d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f5ef8d 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1384] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f5ef8d 1 byte [62] .text C:\Windows\Explorer.EXE[1600] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f5ef8d 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2000] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007534a2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1636] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007534a2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1636] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000708a11a8 2 bytes [8A, 70] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1636] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 00000000708a13a8 2 bytes [8A, 70] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1636] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 00000000708a1422 2 bytes [8A, 70] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1636] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 00000000708a1498 2 bytes [8A, 70] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1636] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 195 00000000706b1b41 2 bytes [6B, 70] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1636] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 362 00000000706b1be8 2 bytes [6B, 70] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1636] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 418 00000000706b1c20 2 bytes [6B, 70] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1636] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 596 00000000706b1cd2 2 bytes [6B, 70] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1636] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 628 00000000706b1cf2 2 bytes [6B, 70] .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe[2216] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007534a2fd 1 byte [62] .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[2280] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075328791 5 bytes JMP 000000016fc31170 .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[2280] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007534a2fd 1 byte [62] .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[2280] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Program Files (x86)\CyberLink\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe[2280] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe[2316] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007534a2fd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2396] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007534a2fd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2428] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f5ef8d 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[2472] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007534a2fd 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[2472] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000074bc1a22 2 bytes [BC, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2472] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000074bc1ad0 2 bytes [BC, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2472] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000074bc1b08 2 bytes [BC, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2472] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000074bc1bba 2 bytes [BC, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2472] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000074bc1bda 2 bytes [BC, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2496] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007534a2fd 1 byte [62] .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[2584] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007534a2fd 1 byte [62] .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[2584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2648] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007534a2fd 1 byte [62] .text C:\Windows\System32\rundll32.exe[3532] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f5ef8d 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3720] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007534a2fd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\AlarmClock.exe[700] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007534a2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[856] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007534a2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[256] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007534a2fd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5344] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f5ef8d 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[5232] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007534a2fd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[5232] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[5232] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1664] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f5ef8d 1 byte [62] .text C:\Windows\system32\conhost.exe[4144] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076f5ef8d 1 byte [62] .text C:\Program Files (x86)\Origin\Origin.exe[1976] C:\Windows\syswow64\kernel32.dll!CreateFileW 0000000075323f1c 5 bytes JMP 000000015ada3730 .text C:\Program Files (x86)\Origin\Origin.exe[1976] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007534a2fd 1 byte [62] .text C:\Program Files (x86)\Origin\Origin.exe[1976] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000076e18e4e 5 bytes JMP 000000015ada2ee0 .text C:\Program Files (x86)\Origin\Origin.exe[1976] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076e20dfb 5 bytes JMP 000000015ada2e70 .text C:\Program Files (x86)\Origin\Origin.exe[1976] C:\Windows\syswow64\USER32.dll!SetFocus 0000000076e22175 5 bytes JMP 000000015ada2ec0 .text C:\Program Files (x86)\Origin\Origin.exe[1976] C:\Windows\syswow64\USER32.dll!SetActiveWindow 0000000076e23208 5 bytes JMP 000000015ada2f30 .text C:\Program Files (x86)\Origin\Origin.exe[1976] C:\Windows\syswow64\USER32.dll!BringWindowToTop 0000000076e27b3b 5 bytes JMP 000000015ada2dd0 .text C:\Program Files (x86)\Origin\Origin.exe[1976] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 0000000076e3f170 5 bytes JMP 000000015ada2da0 .text C:\Program Files (x86)\Origin\Origin.exe[1976] C:\Windows\syswow64\USER32.dll!SwitchToThisWindow 0000000076e590fc 1 byte JMP 000000015ada2e00 .text C:\Program Files (x86)\Origin\Origin.exe[1976] C:\Windows\syswow64\USER32.dll!SwitchToThisWindow + 2 0000000076e590fe 3 bytes {JMP 0xffffffffe3f49d04} .text C:\Program Files (x86)\Origin\Origin.exe[1976] C:\Windows\syswow64\USER32.dll!ShowWindowAsync 0000000076e77d97 5 bytes JMP 000000015ada2e20 .text C:\Program Files (x86)\Origin\Origin.exe[1976] C:\Windows\syswow64\ole32.dll!DoDragDrop 000000007510a827 5 bytes JMP 000000015ada2d80 .text C:\Program Files (x86)\Origin\Origin.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Program Files (x86)\Origin\Origin.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\MM\Desktop\4ipyhfkz.exe[4536] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007534a2fd 1 byte [62] ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Shares@Z\1W\0I\0\30\1T\0A CSCFlags=2048?MaxUses=4294967295?Path=D:\ALBUM FOTO\?WI?TA?Permissions=0?Remark=?ShareName=?WI?TA?Type=0? Reg HKLM\SYSTEM\ControlSet002\services\LanmanServer\Shares@Z\1W\0I\0\30\1T\0A CSCFlags=2048?MaxUses=4294967295?Path=D:\ALBUM FOTO\?WI?TA?Permissions=0?Remark=?ShareName=?WI?TA?Type=0? ---- EOF - GMER 2.1 ----