GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-12-21 21:31:32
Windows 6.0.6000 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 Hitachi_HDP725032GLA360 rev.GM3OA52A 298,09GB
Running: 3zgzipz5.exe; Driver: C:\Users\JAROSA~1\AppData\Local\Temp\ugrcypow.sys

---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\taskeng.exe[252] ntdll.dll!NtQueryInformationProcess  77ADFE94 5 Bytes  JMP 02574CE0
.text  C:\Windows\system32\taskeng.exe[252] ntdll.dll!NtQuerySystemInformation  77ADFFD4 5 Bytes  JMP 02576698
.text  C:\Windows\system32\taskeng.exe[252] ntdll.dll!NtResumeThread  77AE01E4 5 Bytes  JMP 02576818
.text  C:\Windows\system32\taskeng.exe[252] USER32.dll!SetThreadDesktop  76AF1779 5 Bytes  JMP 02576758
.text  C:\Windows\system32\taskeng.exe[252] USER32.dll!DispatchMessageA  76AF3C7B 5 Bytes  JMP 02576408
.text  C:\Windows\system32\taskeng.exe[252] USER32.dll!WaitMessage  76AFB5B0 5 Bytes  JMP 02576588
.text  C:\Windows\system32\taskeng.exe[252] USER32.dll!DispatchMessageW  76B02A89 5 Bytes  JMP 025764C8
.text  C:\Windows\system32\wuauclt.exe[420] ntdll.dll!NtQueryInformationProcess  77ADFE94 5 Bytes  JMP 01834CE0
.text  C:\Windows\system32\wuauclt.exe[420] ntdll.dll!NtQuerySystemInformation  77ADFFD4 5 Bytes  JMP 018366B8
.text  C:\Windows\system32\wuauclt.exe[420] ntdll.dll!NtResumeThread  77AE01E4 5 Bytes  JMP 01836838
.text  C:\Windows\system32\wuauclt.exe[420] USER32.dll!SetThreadDesktop  76AF1779 5 Bytes  JMP 01836778
.text  C:\Windows\system32\wuauclt.exe[420] USER32.dll!DispatchMessageA  76AF3C7B 5 Bytes  JMP 01836428
.text  C:\Windows\system32\wuauclt.exe[420] USER32.dll!WaitMessage  76AFB5B0 5 Bytes  JMP 018365A8
.text  C:\Windows\system32\wuauclt.exe[420] USER32.dll!DispatchMessageW  76B02A89 5 Bytes  JMP 018364E8
.text  C:\Windows\Explorer.EXE[1016] ntdll.dll!NtQuerySystemInformation  77ADFFD4 5 Bytes  JMP 066269A0
.text  C:\Windows\Explorer.EXE[1016] ntdll.dll!NtResumeThread  77AE01E4 5 Bytes  JMP 06626AB0
.text  C:\Windows\Explorer.EXE[1016] USER32.dll!SetThreadDesktop  76AF1779 5 Bytes  JMP 06626A28
.text  C:\Windows\Explorer.EXE[1016] USER32.dll!DispatchMessageA  76AF3C7B 5 Bytes  JMP 06626348
.text  C:\Windows\Explorer.EXE[1016] USER32.dll!WaitMessage  76AFB5B0 5 Bytes  JMP 06626508
.text  C:\Windows\Explorer.EXE[1016] USER32.dll!DispatchMessageW  76B02A89 5 Bytes  JMP 06626408
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] ntdll.dll!NtQuerySystemInformation  77ADFFD4 5 Bytes  JMP 019303F0
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] ntdll.dll!NtResumeThread  77AE01E4 5 Bytes  JMP 01930570
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] USER32.dll!SetThreadDesktop  76AF1779 5 Bytes  JMP 019304B0
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] USER32.dll!DispatchMessageA  76AF3C7B 5 Bytes  JMP 01930160
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] USER32.dll!WaitMessage  76AFB5B0 5 Bytes  JMP 019302E0
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[1588] USER32.dll!DispatchMessageW  76B02A89 5 Bytes  JMP 01930220
.text  C:\Windows\system32\Dwm.exe[1848] ntdll.dll!NtQueryInformationProcess  77ADFE94 5 Bytes  JMP 07364CE0
.text  C:\Windows\system32\Dwm.exe[1848] ntdll.dll!NtQuerySystemInformation  77ADFFD4 5 Bytes  JMP 07366698
.text  C:\Windows\system32\Dwm.exe[1848] ntdll.dll!NtResumeThread  77AE01E4 5 Bytes  JMP 07366818
.text  C:\Windows\system32\Dwm.exe[1848] USER32.dll!SetThreadDesktop  76AF1779 5 Bytes  JMP 07366758
.text  C:\Windows\system32\Dwm.exe[1848] USER32.dll!DispatchMessageA  76AF3C7B 5 Bytes  JMP 07366408
.text  C:\Windows\system32\Dwm.exe[1848] USER32.dll!WaitMessage  76AFB5B0 5 Bytes  JMP 07366588
.text  C:\Windows\system32\Dwm.exe[1848] USER32.dll!DispatchMessageW  76B02A89 5 Bytes  JMP 073664C8
.text  C:\Windows\WindowsMobile\wmdSync.exe[2440] ntdll.dll!NtQueryInformationProcess  77ADFE94 5 Bytes  JMP 01784CE0
.text  C:\Windows\WindowsMobile\wmdSync.exe[2440] ntdll.dll!NtQuerySystemInformation  77ADFFD4 5 Bytes  JMP 01786698
.text  C:\Windows\WindowsMobile\wmdSync.exe[2440] ntdll.dll!NtResumeThread  77AE01E4 5 Bytes  JMP 01786818
.text  C:\Windows\WindowsMobile\wmdSync.exe[2440] USER32.dll!SetThreadDesktop  76AF1779 5 Bytes  JMP 01786758
.text  C:\Windows\WindowsMobile\wmdSync.exe[2440] USER32.dll!DispatchMessageA  76AF3C7B 5 Bytes  JMP 01786408
.text  C:\Windows\WindowsMobile\wmdSync.exe[2440] USER32.dll!WaitMessage  76AFB5B0 5 Bytes  JMP 01786588
.text  C:\Windows\WindowsMobile\wmdSync.exe[2440] USER32.dll!DispatchMessageW  76B02A89 5 Bytes  JMP 017864C8
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2596] ntdll.dll!NtQueryInformationProcess  77ADFE94 5 Bytes  JMP 027C4CE0
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2596] ntdll.dll!NtQuerySystemInformation  77ADFFD4 5 Bytes  JMP 027C6698
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2596] ntdll.dll!NtResumeThread  77AE01E4 5 Bytes  JMP 027C6818
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2596] USER32.dll!SetThreadDesktop  76AF1779 5 Bytes  JMP 027C6758
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2596] USER32.dll!DispatchMessageA  76AF3C7B 5 Bytes  JMP 027C6408
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2596] USER32.dll!WaitMessage  76AFB5B0 5 Bytes  JMP 027C6588
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2596] USER32.dll!DispatchMessageW  76B02A89 5 Bytes  JMP 027C64C8
.text  C:\Users\Jarosław\AppData\Local\Google\Update\GoogleUpdate.exe[3372] ntdll.dll!NtQuerySystemInformation  77ADFFD4 5 Bytes  JMP 01E765D8
.text  C:\Users\Jarosław\AppData\Local\Google\Update\GoogleUpdate.exe[3372] ntdll.dll!NtResumeThread  77AE01E4 5 Bytes  JMP 01E76758
.text  C:\Users\Jarosław\AppData\Local\Google\Update\GoogleUpdate.exe[3372] USER32.dll!SetThreadDesktop  76AF1779 5 Bytes  JMP 01E76698
.text  C:\Users\Jarosław\AppData\Local\Google\Update\GoogleUpdate.exe[3372] USER32.dll!DispatchMessageA  76AF3C7B 5 Bytes  JMP 01E76348
.text  C:\Users\Jarosław\AppData\Local\Google\Update\GoogleUpdate.exe[3372] USER32.dll!WaitMessage  76AFB5B0 5 Bytes  JMP 01E764C8
.text  C:\Users\Jarosław\AppData\Local\Google\Update\GoogleUpdate.exe[3372] USER32.dll!DispatchMessageW  76B02A89 5 Bytes  JMP 01E76408
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3520] ntdll.dll!NtQuerySystemInformation  77ADFFD4 5 Bytes  JMP 017D65D8
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3520] ntdll.dll!NtResumeThread  77AE01E4 5 Bytes  JMP 017D6758
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3520] USER32.dll!SetThreadDesktop  76AF1779 5 Bytes  JMP 017D6698
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3520] USER32.dll!DispatchMessageA  76AF3C7B 5 Bytes  JMP 017D6348
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3520] USER32.dll!WaitMessage  76AFB5B0 5 Bytes  JMP 017D64C8
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3520] USER32.dll!DispatchMessageW  76B02A89 5 Bytes  JMP 017D6408
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3532] ntdll.dll!NtQuerySystemInformation  77ADFFD4 5 Bytes  JMP 021765E0
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3532] ntdll.dll!NtResumeThread  77AE01E4 5 Bytes  JMP 02176760
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3532] USER32.dll!SetThreadDesktop  76AF1779 5 Bytes  JMP 021766A0
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3532] USER32.dll!DispatchMessageA  76AF3C7B 5 Bytes  JMP 02176350
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3532] USER32.dll!WaitMessage  76AFB5B0 5 Bytes  JMP 021764D0
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3532] USER32.dll!DispatchMessageW  76B02A89 5 Bytes  JMP 02176410
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3540] ntdll.dll!NtQuerySystemInformation  77ADFFD4 5 Bytes  JMP 024A65D8
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3540] ntdll.dll!NtResumeThread  77AE01E4 5 Bytes  JMP 024A6758
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3540] USER32.dll!SetThreadDesktop  76AF1779 5 Bytes  JMP 024A6698
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3540] USER32.dll!DispatchMessageA  76AF3C7B 5 Bytes  JMP 024A6348
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3540] USER32.dll!WaitMessage  76AFB5B0 5 Bytes  JMP 024A64C8
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3540] USER32.dll!DispatchMessageW  76B02A89 5 Bytes  JMP 024A6408
.text  C:\Windows\system32\svchost.exe[3584] ntdll.dll!NtQueryInformationProcess  77ADFE94 5 Bytes  JMP 015E4CE0
.text  C:\Windows\system32\svchost.exe[3584] ntdll.dll!NtQuerySystemInformation  77ADFFD4 5 Bytes  JMP 017F6698
.text  C:\Windows\system32\svchost.exe[3584] ntdll.dll!NtResumeThread  77AE01E4 5 Bytes  JMP 017F6818
.text  C:\Windows\system32\svchost.exe[3584] USER32.dll!SetThreadDesktop  76AF1779 5 Bytes  JMP 017F6758
.text  C:\Windows\system32\svchost.exe[3584] USER32.dll!DispatchMessageA  76AF3C7B 5 Bytes  JMP 017F6408
.text  C:\Windows\system32\svchost.exe[3584] USER32.dll!WaitMessage  76AFB5B0 5 Bytes  JMP 017F6588
.text  C:\Windows\system32\svchost.exe[3584] USER32.dll!DispatchMessageW  76B02A89 5 Bytes  JMP 017F64C8
.text  C:\Windows\system32\svchost.exe[3592] ntdll.dll!NtQueryInformationProcess  77ADFE94 5 Bytes  JMP 01784CE0
.text  C:\Windows\system32\svchost.exe[3600] ntdll.dll!NtQueryInformationProcess  77ADFE94 5 Bytes  JMP 01444CE0
.text  C:\Windows\system32\svchost.exe[3600] ntdll.dll!NtQuerySystemInformation  77ADFFD4 5 Bytes  JMP 01586698
.text  C:\Windows\system32\svchost.exe[3600] ntdll.dll!NtResumeThread  77AE01E4 5 Bytes  JMP 01586818
.text  C:\Windows\system32\svchost.exe[3600] USER32.dll!SetThreadDesktop  76AF1779 5 Bytes  JMP 01586758
.text  C:\Windows\system32\svchost.exe[3600] USER32.dll!DispatchMessageA  76AF3C7B 5 Bytes  JMP 01586408
.text  C:\Windows\system32\svchost.exe[3600] USER32.dll!WaitMessage  76AFB5B0 5 Bytes  JMP 01586588
.text  C:\Windows\system32\svchost.exe[3600] USER32.dll!DispatchMessageW  76B02A89 5 Bytes  JMP 015864C8

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\Explorer.EXE[1016] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]  [74A0FBC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1016] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]  [749DB9AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1016] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]  [749CA31F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1016] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]  [749CCBFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1016] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]  [749C8AB2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1016] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]  [749DCF28] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1016] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]  [749C7D98] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1016] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]  [749C7CFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1016] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]  [749C6A64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1016] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]  [74A5C1D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1016] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]  [749E7F56] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1016] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]  [749C90CD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1016] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]  [749D2179] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1016] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]  [749D21A4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1016] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]  [749D7F1C] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1016] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]  [749D7D3E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1016] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]  [74A083D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll

---- Devices - GMER 2.1 ----

AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys

---- Processes - GMER 2.1 ----

Process  (*** hidden *** )  [4] 83E60940

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0015834ca610
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0015834ca610@3017c819ad92  0x95 0x13 0x05 0xBF ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0015834ca610@3017c8988319  0x7E 0xF0 0xAA 0xF3 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0015834ca610 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0015834ca610@3017c819ad92  0x95 0x13 0x05 0xBF ...
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0015834ca610@3017c8988319  0x7E 0xF0 0xAA 0xF3 ...

---- EOF - GMER 2.1 ----