GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-10-15 20:08:20 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 HITACHI_ rev.JE4Z 698,64GB Running: vizefheb.exe; Driver: C:\Users\Tomek\AppData\Local\Temp\uglyypog.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000114400 7 bytes [00, 99, F3, FF, 41, AC, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000114408 3 bytes [00, 07, 02] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd438ef0 5 bytes JMP 000007fffd4200b8 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd43bfd0 5 bytes JMP 000007fffd420038 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2180] C:\Windows\system32\kernel32.dll!LoadLibraryW 00000000774b6440 5 bytes JMP 0000000169ff0038 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2180] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd438ef0 5 bytes JMP 000007fffd4200b8 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2180] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd43bfd0 5 bytes JMP 000007fffd420038 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2180] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdb87490 5 bytes JMP 000007fffd420138 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2528] C:\Windows\system32\kernel32.dll!LoadLibraryW 00000000774b6440 5 bytes JMP 0000000169ff0038 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2528] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd438ef0 5 bytes JMP 000007fffd4200b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2528] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd43bfd0 5 bytes JMP 000007fffd420038 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2528] C:\Windows\system32\WINMM.dll!waveOutReset 000007fefaf3a38c 5 bytes JMP 000007fefd4202b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2528] C:\Windows\system32\WINMM.dll!waveOutPause 000007fefaf54b60 5 bytes JMP 000007fefd420238 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2528] C:\Windows\system32\WINMM.dll!waveOutRestart 000007fefaf54ba0 5 bytes JMP 000007fefd4201b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[2528] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdb87490 5 bytes JMP 000007fffd420138 .text G:\Office14\MSOSYNC.EXE[2872] C:\Windows\syswow64\kernel32.dll!LoadLibraryExA 00000000757048db 5 bytes JMP 00000001100027c0 .text G:\Office14\MSOSYNC.EXE[2872] C:\Windows\syswow64\kernel32.dll!LoadLibraryW 00000000757048f3 5 bytes JMP 00000001100028a0 .text G:\Office14\MSOSYNC.EXE[2872] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075704925 5 bytes JMP 0000000110002830 .text G:\Office14\MSOSYNC.EXE[2872] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075549d0b 5 bytes JMP 0000000110002900 .text G:\Office14\MSOSYNC.EXE[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076dd1401 2 bytes JMP 7572b21b C:\Windows\syswow64\kernel32.dll .text G:\Office14\MSOSYNC.EXE[2872] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076dd1419 2 bytes JMP 7572b346 C:\Windows\syswow64\kernel32.dll .text G:\Office14\MSOSYNC.EXE[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076dd1431 2 bytes JMP 757a8ea9 C:\Windows\syswow64\kernel32.dll .text G:\Office14\MSOSYNC.EXE[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076dd144a 2 bytes CALL 757048ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text G:\Office14\MSOSYNC.EXE[2872] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076dd14dd 2 bytes JMP 757a87a2 C:\Windows\syswow64\kernel32.dll .text G:\Office14\MSOSYNC.EXE[2872] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076dd14f5 2 bytes JMP 757a8978 C:\Windows\syswow64\kernel32.dll .text G:\Office14\MSOSYNC.EXE[2872] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076dd150d 2 bytes JMP 757a8698 C:\Windows\syswow64\kernel32.dll .text G:\Office14\MSOSYNC.EXE[2872] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076dd1525 2 bytes JMP 757a8a62 C:\Windows\syswow64\kernel32.dll .text G:\Office14\MSOSYNC.EXE[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076dd153d 2 bytes JMP 7571fca8 C:\Windows\syswow64\kernel32.dll .text G:\Office14\MSOSYNC.EXE[2872] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076dd1555 2 bytes JMP 757268ef C:\Windows\syswow64\kernel32.dll .text G:\Office14\MSOSYNC.EXE[2872] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076dd156d 2 bytes JMP 757a8f61 C:\Windows\syswow64\kernel32.dll .text G:\Office14\MSOSYNC.EXE[2872] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076dd1585 2 bytes JMP 757a8ac2 C:\Windows\syswow64\kernel32.dll .text G:\Office14\MSOSYNC.EXE[2872] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076dd159d 2 bytes JMP 757a865c C:\Windows\syswow64\kernel32.dll .text G:\Office14\MSOSYNC.EXE[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076dd15b5 2 bytes JMP 7571fd41 C:\Windows\syswow64\kernel32.dll .text G:\Office14\MSOSYNC.EXE[2872] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076dd15cd 2 bytes JMP 7572b2dc C:\Windows\syswow64\kernel32.dll .text G:\Office14\MSOSYNC.EXE[2872] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076dd16b2 2 bytes JMP 757a8e24 C:\Windows\syswow64\kernel32.dll .text G:\Office14\MSOSYNC.EXE[2872] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076dd16bd 2 bytes JMP 757a85f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[3008] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075708791 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[3008] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000076dd1401 2 bytes JMP 7572b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[3008] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000076dd1419 2 bytes JMP 7572b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[3008] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000076dd1431 2 bytes JMP 757a8ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[3008] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000076dd144a 2 bytes CALL 757048ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[3008] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000076dd14dd 2 bytes JMP 757a87a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[3008] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000076dd14f5 2 bytes JMP 757a8978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[3008] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000076dd150d 2 bytes JMP 757a8698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[3008] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000076dd1525 2 bytes JMP 757a8a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[3008] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000076dd153d 2 bytes JMP 7571fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[3008] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000076dd1555 2 bytes JMP 757268ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[3008] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000076dd156d 2 bytes JMP 757a8f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[3008] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000076dd1585 2 bytes JMP 757a8ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[3008] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000076dd159d 2 bytes JMP 757a865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[3008] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000076dd15b5 2 bytes JMP 7571fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[3008] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000076dd15cd 2 bytes JMP 7572b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[3008] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000076dd16b2 2 bytes JMP 757a8e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[3008] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000076dd16bd 2 bytes JMP 757a85f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3304] C:\Windows\syswow64\kernel32.dll!LoadLibraryExA 00000000757048db 5 bytes JMP 00000001100027c0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3304] C:\Windows\syswow64\kernel32.dll!LoadLibraryW 00000000757048f3 5 bytes JMP 00000001100028a0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3304] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075704925 5 bytes JMP 0000000110002830 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3304] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075549d0b 5 bytes JMP 0000000110002900 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3312] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryExA 00000000757048db 5 bytes JMP 00000001100027c0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3312] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryW 00000000757048f3 5 bytes JMP 00000001100028a0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3312] C:\Windows\syswow64\KERNEL32.dll!LoadLibraryExW 0000000075704925 5 bytes JMP 0000000110002830 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3312] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075549d0b 5 bytes JMP 0000000110002900 .text C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[3348] C:\Windows\system32\KERNEL32.dll!LoadLibraryW 00000000774b6440 5 bytes JMP 0000000169ff0038 .text C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[3348] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd438ef0 5 bytes JMP 000007fffd4200b8 .text C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[3348] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd43bfd0 5 bytes JMP 000007fffd420038 .text C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe[3348] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdb87490 5 bytes JMP 000007fffd420138 .text C:\Windows\system32\igfxEM.exe[3816] C:\Windows\system32\kernel32.dll!LoadLibraryW 00000000774b6440 5 bytes JMP 0000000169ff0038 .text C:\Windows\system32\igfxEM.exe[3816] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd438ef0 5 bytes JMP 000007fffd4200b8 .text C:\Windows\system32\igfxEM.exe[3816] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd43bfd0 5 bytes JMP 000007fffd420038 .text C:\Windows\system32\igfxEM.exe[3816] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdb87490 5 bytes JMP 000007fffd420138 .text C:\Windows\system32\igfxEM.exe[3816] C:\Windows\system32\DDRAW.dll!DirectDrawCreate 000007fef37a815c 5 bytes JMP 000007fefd4201b8 .text C:\Windows\system32\igfxEM.exe[3816] C:\Windows\system32\DDRAW.dll!DirectDrawCreateEx 000007fef37a8968 5 bytes JMP 000007fefd420238 .text C:\Windows\system32\igfxHK.exe[2904] C:\Windows\system32\kernel32.dll!LoadLibraryW 00000000774b6440 5 bytes JMP 0000000169ff0038 .text C:\Windows\system32\igfxHK.exe[2904] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd438ef0 5 bytes JMP 000007fffd4200b8 .text C:\Windows\system32\igfxHK.exe[2904] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd43bfd0 5 bytes JMP 000007fffd420038 .text C:\Windows\system32\igfxHK.exe[2904] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdb87490 5 bytes JMP 000007fffd420138 .text C:\Windows\system32\igfxHK.exe[2904] C:\Windows\system32\DDRAW.dll!DirectDrawCreate 000007fef37a815c 5 bytes JMP 000007fefd4201b8 .text C:\Windows\system32\igfxHK.exe[2904] C:\Windows\system32\DDRAW.dll!DirectDrawCreateEx 000007fef37a8968 5 bytes JMP 000007fefd420238 .text C:\Windows\system32\igfxTray.exe[1604] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd438ef0 5 bytes JMP 000007fffd4200b8 .text C:\Windows\system32\igfxTray.exe[1604] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefd43bfd0 5 bytes JMP 000007fffd420038 .text C:\Windows\system32\igfxTray.exe[1604] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdb87490 5 bytes JMP 000007fffd420138 .text C:\Windows\system32\igfxTray.exe[1604] C:\Windows\system32\DDRAW.dll!DirectDrawCreate 000007fef37a815c 5 bytes JMP 000007fefd4201b8 .text C:\Windows\system32\igfxTray.exe[1604] C:\Windows\system32\DDRAW.dll!DirectDrawCreateEx 000007fef37a8968 5 bytes JMP 000007fefd420238 ---- Threads - GMER 2.1 ---- Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4212:4172] 00000000777f3e85 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4212:4232] 00000000777f3e85 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4212:4124] 0000000076c07587 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4212:4272] 000000007431758a Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4212:4128] 00000000777f2e65 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4212:3952] 00000000777f3e85 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\08edb9d7e787 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\08edb9d7e787@a826d9ae7d0d 0x5B 0x3C 0x5E 0xBE ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\08edb9d7e787@b0ec7178a82a 0xAF 0xFE 0xE5 0xA0 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\08edb9d7e787@c4850812008d 0xE2 0x94 0x9A 0x4C ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\08edb9d7e787 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\08edb9d7e787@a826d9ae7d0d 0x5B 0x3C 0x5E 0xBE ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\08edb9d7e787@b0ec7178a82a 0xAF 0xFE 0xE5 0xA0 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\08edb9d7e787@c4850812008d 0xE2 0x94 0x9A 0x4C ... ---- EOF - GMER 2.1 ----