GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-12-19 08:35:25
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.D005DEM1 465,76GB
Running: 0xl4x0e9.exe; Driver: C:\Users\Pablo\AppData\Local\Temp\ugloapod.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960000e4200 7 bytes [40, A3, F3, FF, 01, B5, F0]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000e4208 3 bytes [C0, 06, 02]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1908] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000755187c9 4 bytes [C2, 04, 00, 00]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1908] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000077441465 2 bytes [44, 77]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1908] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000774414bb 2 bytes [44, 77]
.text ... * 2
.text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2856] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075511f4e 7 bytes JMP 0000000170f34b10
.text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2856] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075515be5 7 bytes JMP 0000000170f354b0
.text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2856] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075521441 7 bytes JMP 0000000170f34e50
.text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2856] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007552ea75 7 bytes JMP 0000000170f34b00
.text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2856] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000755b88ec 7 bytes JMP 0000000170f345c0
.text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2856] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000755b8971 5 bytes JMP 0000000170f34670
.text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2856] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000755b8cc7 5 bytes JMP 0000000170f345d0
.text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000756d1094 5 bytes JMP 0000000170f34580
.text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000756d1142 5 bytes JMP 0000000170f34540
.text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000756d1bb2 5 bytes JMP 0000000170f34680
.text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2856] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000756d1d92 5 bytes JMP 0000000170f34360
.text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2856] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000766ee96b 5 bytes JMP 0000000170f33b60
.text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2856] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000766eeba5 5 bytes JMP 0000000170f33b80
.text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2856] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075828a29 5 bytes JMP 0000000170f33a40
.text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2856] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075834572 5 bytes JMP 0000000170f342e0
.text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2856] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007584e567 5 bytes JMP 0000000170f34350
.text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2856] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000758707d7 5 bytes JMP 0000000170f33850
.text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2856] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075887a5c 5 bytes JMP 0000000170f342d0
.text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2856] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076775ea5 5 bytes JMP 0000000170f33a00
.text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[2856] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000767a9d0b 5 bytes JMP 0000000170f33990
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3892] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075511f4e 7 bytes JMP 0000000170f34b10
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3892] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075515be5 7 bytes JMP 0000000170f354b0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3892] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075521441 7 bytes JMP 0000000170f34e50
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3892] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007552ea75 7 bytes JMP 0000000170f34b00
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3892] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000755b88ec 7 bytes JMP 0000000170f345c0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3892] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000755b8971 5 bytes JMP 0000000170f34670
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3892] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000755b8cc7 5 bytes JMP 0000000170f345d0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3892] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000756d1094 5 bytes JMP 0000000170f34580
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3892] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000756d1142 5 bytes JMP 0000000170f34540
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3892] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000756d1bb2 5 bytes JMP 0000000170f34680
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3892] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000756d1d92 5 bytes JMP 0000000170f34360
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3892] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075828a29 5 bytes JMP 0000000170f33a40
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3892] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075834572 5 bytes JMP 0000000170f342e0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3892] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007584e567 5 bytes JMP 0000000170f34350
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3892] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000758707d7 5 bytes JMP 0000000170f33850
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3892] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075887a5c 5 bytes JMP 0000000170f342d0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3892] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000766ee96b 5 bytes JMP 0000000170f33b60
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3892] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000766eeba5 5 bytes JMP 0000000170f33b80
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3892] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076775ea5 5 bytes JMP 0000000170f33a00
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3892] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000767a9d0b 5 bytes JMP 0000000170f33990
.text C:\Users\Pablo\Desktop\OTL.exe[1560] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075511f4e 7 bytes JMP 0000000170f34b10
.text C:\Users\Pablo\Desktop\OTL.exe[1560] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075515be5 7 bytes JMP 0000000170f354b0
.text C:\Users\Pablo\Desktop\OTL.exe[1560] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075521441 7 bytes JMP 0000000170f34e50
.text C:\Users\Pablo\Desktop\OTL.exe[1560] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007552ea75 7 bytes JMP 0000000170f34b00
.text C:\Users\Pablo\Desktop\OTL.exe[1560] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000755b88ec 7 bytes JMP 0000000170f345c0
.text C:\Users\Pablo\Desktop\OTL.exe[1560] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000755b8971 5 bytes JMP 0000000170f34670
.text C:\Users\Pablo\Desktop\OTL.exe[1560] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000755b8cc7 5 bytes JMP 0000000170f345d0
.text C:\Users\Pablo\Desktop\OTL.exe[1560] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000756d1094 5 bytes JMP 0000000170f34580
.text C:\Users\Pablo\Desktop\OTL.exe[1560] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000756d1142 5 bytes JMP 0000000170f34540
.text C:\Users\Pablo\Desktop\OTL.exe[1560] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000756d1bb2 5 bytes JMP 0000000170f34680
.text C:\Users\Pablo\Desktop\OTL.exe[1560] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000756d1d92 5 bytes JMP 0000000170f34360
.text C:\Users\Pablo\Desktop\OTL.exe[1560] C:\Windows\syswow64\user32.DLL!CreateWindowExW 0000000075828a29 5 bytes JMP 0000000170f33a40
.text C:\Users\Pablo\Desktop\OTL.exe[1560] C:\Windows\syswow64\user32.DLL!EnumDisplayDevicesA 0000000075834572 5 bytes JMP 0000000170f342e0
.text C:\Users\Pablo\Desktop\OTL.exe[1560] C:\Windows\syswow64\user32.DLL!EnumDisplayDevicesW 000000007584e567 5 bytes JMP 0000000170f34350
.text C:\Users\Pablo\Desktop\OTL.exe[1560] C:\Windows\syswow64\user32.DLL!ChangeDisplaySettingsExW 00000000758707d7 5 bytes JMP 0000000170f33850
.text C:\Users\Pablo\Desktop\OTL.exe[1560] C:\Windows\syswow64\user32.DLL!DisplayConfigGetDeviceInfo 0000000075887a5c 5 bytes JMP 0000000170f342d0
.text C:\Users\Pablo\Desktop\OTL.exe[1560] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000766ee96b 5 bytes JMP 0000000170f33b60
.text C:\Users\Pablo\Desktop\OTL.exe[1560] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000766eeba5 5 bytes JMP 0000000170f33b80
.text C:\Users\Pablo\Desktop\OTL.exe[1560] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000077441465 2 bytes [44, 77]
.text C:\Users\Pablo\Desktop\OTL.exe[1560] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000774414bb 2 bytes [44, 77]
.text ... * 2
.text C:\Users\Pablo\Desktop\0xl4x0e9.exe[5232] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075511f4e 7 bytes JMP 0000000170f34b10
.text C:\Users\Pablo\Desktop\0xl4x0e9.exe[5232] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075515be5 7 bytes JMP 0000000170f354b0
.text C:\Users\Pablo\Desktop\0xl4x0e9.exe[5232] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075521441 7 bytes JMP 0000000170f34e50
.text C:\Users\Pablo\Desktop\0xl4x0e9.exe[5232] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007552ea75 7 bytes JMP 0000000170f34b00
.text C:\Users\Pablo\Desktop\0xl4x0e9.exe[5232] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000755b88ec 7 bytes JMP 0000000170f345c0
.text C:\Users\Pablo\Desktop\0xl4x0e9.exe[5232] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000755b8971 5 bytes JMP 0000000170f34670
.text C:\Users\Pablo\Desktop\0xl4x0e9.exe[5232] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000755b8cc7 5 bytes JMP 0000000170f345d0
.text C:\Users\Pablo\Desktop\0xl4x0e9.exe[5232] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 00000000756d1094 5 bytes JMP 0000000170f34580
.text C:\Users\Pablo\Desktop\0xl4x0e9.exe[5232] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 00000000756d1142 5 bytes JMP 0000000170f34540
.text C:\Users\Pablo\Desktop\0xl4x0e9.exe[5232] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000756d1bb2 5 bytes JMP 0000000170f34680
.text C:\Users\Pablo\Desktop\0xl4x0e9.exe[5232] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000756d1d92 5 bytes JMP 0000000170f34360
.text C:\Users\Pablo\Desktop\0xl4x0e9.exe[5232] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000766ee96b 5 bytes JMP 0000000170f33b60
.text C:\Users\Pablo\Desktop\0xl4x0e9.exe[5232] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000766eeba5 5 bytes JMP 0000000170f33b80
.text C:\Users\Pablo\Desktop\0xl4x0e9.exe[5232] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075828a29 5 bytes JMP 0000000170f33a40
.text C:\Users\Pablo\Desktop\0xl4x0e9.exe[5232] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075834572 5 bytes JMP 0000000170f342e0
.text C:\Users\Pablo\Desktop\0xl4x0e9.exe[5232] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007584e567 5 bytes JMP 0000000170f34350
.text C:\Users\Pablo\Desktop\0xl4x0e9.exe[5232] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 00000000758707d7 5 bytes JMP 0000000170f33850
.text C:\Users\Pablo\Desktop\0xl4x0e9.exe[5232] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075887a5c 5 bytes JMP 0000000170f342d0

---- Threads - GMER 2.1 ----

Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3972:1640] 0000000075437587
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3972:4108] 0000000071690cb3
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3972:5104] 00000000774b41f3
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3972:1292] 00000000774b6679
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3972:6928] 00000000774b6679
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3972:2708] 00000000774b6679

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4c809333e284
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4c809333e284 (not active ControlSet)

---- EOF - GMER 2.1 ----