GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-03-09 03:04:51
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T1L0-6 Hitachi_HDT721032SLA360 rev.ST2OA3AA 297,96GB
Running: vgbghkoi.exe; Driver: C:\Users\Bartosz\AppData\Local\Temp\ugldakob.sys

---- Kernel code sections - GMER 2.1 ----

.text ntoskrnl.exe!ZwRollbackEnlistment + 1409 830849A5 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 830A4512 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\taskhost.exe[1848] ole32.dll!CoCreateInstance 75AB9D0B 5 Bytes JMP 1000A4D0 C:\Windows\system\HsSrv.dll
.text C:\Windows\system32\taskhost.exe[1848] ole32.dll!CoCreateInstanceEx 75AB9D4E 5 Bytes JMP 1000A630 C:\Windows\system\HsSrv.dll
.text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[1960] ole32.dll!CoCreateInstance 75AB9D0B 5 Bytes JMP 1000A4D0 C:\Windows\system\HsSrv.dll
.text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[1960] ole32.dll!CoCreateInstanceEx 75AB9D4E 5 Bytes JMP 1000A630 C:\Windows\system\HsSrv.dll
UPX1 C:\Users\Bartosz\AppData\Roaming\pwo6\svchost.exe[2520] C:\Users\Bartosz\AppData\Roaming\pwo6\svchost.exe entry point in "UPX1" section [0x0043E4F0]
.text C:\Users\Bartosz\AppData\Roaming\pwo6\svchost.exe[2520] ole32.dll!CoCreateInstance 75AB9D0B 5 Bytes JMP 0123A4D0 C:\Windows\system\HsSrv.dll
.text C:\Users\Bartosz\AppData\Roaming\pwo6\svchost.exe[2520] ole32.dll!CoCreateInstanceEx 75AB9D4E 5 Bytes JMP 0123A630 C:\Windows\system\HsSrv.dll
.text C:\Program Files\Maxthon\Bin\Maxthon.exe[2956] ole32.dll!CoCreateInstance 75AB9D0B 5 Bytes JMP 1000A4D0 C:\Windows\system\HsSrv.dll
.text C:\Program Files\Maxthon\Bin\Maxthon.exe[2956] ole32.dll!CoCreateInstanceEx 75AB9D4E 5 Bytes JMP 1000A630 C:\Windows\system\HsSrv.dll
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2980] ole32.dll!CoCreateInstance 75AB9D0B 5 Bytes JMP 1000A4D0 C:\Windows\system\HsSrv.dll
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2980] ole32.dll!CoCreateInstanceEx 75AB9D4E 5 Bytes JMP 1000A630 C:\Windows\system\HsSrv.dll
.text C:\Windows\system\HsMgr.exe[3156] ole32.dll!CoCreateInstance 75AB9D0B 5 Bytes JMP 1000A4D0 C:\Windows\system\HsSrv.dll
.text C:\Windows\system\HsMgr.exe[3156] ole32.dll!CoCreateInstanceEx 75AB9D4E 5 Bytes JMP 1000A630 C:\Windows\system\HsSrv.dll
.text C:\Program Files\cFosSpeed\cfosspeed.exe[3232] ole32.dll!CoCreateInstance 75AB9D0B 5 Bytes JMP 1000A4D0 C:\Windows\system\HsSrv.dll
.text C:\Program Files\cFosSpeed\cfosspeed.exe[3232] ole32.dll!CoCreateInstanceEx 75AB9D4E 5 Bytes JMP 1000A630 C:\Windows\system\HsSrv.dll
UPX1 C:\Users\Bartosz\AppData\Local\Temp\_MEI33482\bin\winlogon.exe[3324] C:\Users\Bartosz\AppData\Local\Temp\_MEI33482\bin\winlogon.exe entry point in "UPX1" section [0x005EEE10]
UPX2 C:\Users\Bartosz\AppData\Local\Temp\_MEI33482\bin\winlogon.exe[3324] C:\Users\Bartosz\AppData\Local\Temp\_MEI33482\bin\winlogon.exe unknown last section [0x005F0000, 0x1000, 0xC0000040]
.text C:\Users\Bartosz\AppData\Local\Temp\_MEI33482\bin\winlogon.exe[3324] ole32.dll!CoCreateInstance 75AB9D0B 5 Bytes JMP 1000A4D0 C:\Windows\system\HsSrv.dll
.text C:\Users\Bartosz\AppData\Local\Temp\_MEI33482\bin\winlogon.exe[3324] ole32.dll!CoCreateInstanceEx 75AB9D4E 5 Bytes JMP 1000A630 C:\Windows\system\HsSrv.dll
.text C:\Program Files\Maxthon\Bin\Maxthon.exe[3368] ole32.dll!CoCreateInstance 75AB9D0B 5 Bytes JMP 1000A4D0 C:\Windows\system\HsSrv.dll
.text C:\Program Files\Maxthon\Bin\Maxthon.exe[3368] ole32.dll!CoCreateInstanceEx 75AB9D4E 5 Bytes JMP 1000A630 C:\Windows\system\HsSrv.dll
.text C:\Program Files\Maxthon\Bin\Maxthon.exe[3680] ole32.dll!CoCreateInstance 75AB9D0B 5 Bytes JMP 1000A4D0 C:\Windows\system\HsSrv.dll
.text C:\Program Files\Maxthon\Bin\Maxthon.exe[3680] ole32.dll!CoCreateInstanceEx 75AB9D4E 5 Bytes JMP 1000A630 C:\Windows\system\HsSrv.dll
.text C:\Users\Bartosz\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3800] ole32.dll!CoCreateInstance 75AB9D0B 5 Bytes JMP 1000A4D0 C:\Windows\system\HsSrv.dll
.text C:\Users\Bartosz\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[3800] ole32.dll!CoCreateInstanceEx 75AB9D4E 5 Bytes JMP 1000A630 C:\Windows\system\HsSrv.dll
.text C:\Program Files\Maxthon\Bin\Maxthon.exe[3880] ole32.dll!CoCreateInstance 75AB9D0B 5 Bytes JMP 1000A4D0 C:\Windows\system\HsSrv.dll
.text C:\Program Files\Maxthon\Bin\Maxthon.exe[3880] ole32.dll!CoCreateInstanceEx 75AB9D4E 5 Bytes JMP 1000A630 C:\Windows\system\HsSrv.dll
.tls C:\Users\Bartosz\AppData\Local\Temp\_MEI33482\bin\explorer.exe[4572] C:\Users\Bartosz\AppData\Local\Temp\_MEI33482\bin\explorer.exe unknown last section [0x00408000, 0x20, 0xC0300040]
.text C:\Program Files\Maxthon\Bin\Maxthon.exe[5952] ole32.dll!CoCreateInstance 75AB9D0B 5 Bytes JMP 1000A4D0 C:\Windows\system\HsSrv.dll
.text C:\Program Files\Maxthon\Bin\Maxthon.exe[5952] ole32.dll!CoCreateInstanceEx 75AB9D4E 5 Bytes JMP 1000A630 C:\Windows\system\HsSrv.dll

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Teredo\PreviousState\00-24-c4-27-8e-d9@TeredoAddress 2001:0:5ef5:79fd:1076:3914:e049:b267
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 21330
Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{F62B7D00-9A6C-11E3-A684-806E6F6E6963} 824466704

---- Files - GMER 2.1 ----

File C:\Users\Bartosz\AppData\Local\Temp\Maxthon3Cache\Temp\Webkit\Cache\f_004e8c 33186 bytes
File C:\Users\Bartosz\AppData\Local\Temp\Maxthon3Cache\Temp\Webkit\Cache\f_004e8d 19674 bytes
File C:\Users\Bartosz\AppData\Local\Temp\Maxthon3Cache\Temp\Webkit\Cache\f_004e8e 33907 bytes
File C:\Users\Bartosz\AppData\Local\Temp\Maxthon3Cache\Temp\Webkit\Cache\f_004e8f 48132 bytes
File C:\Users\Bartosz\AppData\Local\Temp\Maxthon3Cache\Temp\Webkit\Cache\f_004e90 32380 bytes
File C:\Users\Bartosz\AppData\Local\Temp\Maxthon3Cache\Temp\Webkit\Cache\f_004e91 36187 bytes

---- EOF - GMER 2.1 ----