GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-02-12 19:11:33 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002f Hitachi_HTS727550A9E364 rev.JF3OA130 465,76GB Running: cf1odvv2.exe; Driver: C:\Users\Ewa\AppData\Local\Temp\ugldapod.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff96000114200 15 bytes [00, 28, F6, 01, 80, 1C, 6C, ...] .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16 fffff96000114210 11 bytes [00, 0E, FC, FF, 00, 05, C4, ...] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\dwm.exe[936] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffbef8a28c0 7 bytes JMP 00007ffceef402d0 .text C:\WINDOWS\system32\dwm.exe[936] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffbef8a43d8 7 bytes JMP 00007ffceef40308 .text C:\WINDOWS\system32\dwm.exe[936] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffbef951f20 7 bytes JMP 00007ffceef40378 .text C:\WINDOWS\system32\dwm.exe[936] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffbef9540b4 7 bytes JMP 00007ffceef403b0 .text C:\WINDOWS\system32\dwm.exe[936] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffbef954510 7 bytes JMP 00007ffceef40340 .text C:\WINDOWS\system32\dwm.exe[936] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ffbef954af0 7 bytes JMP 00007ffceef40260 .text C:\WINDOWS\system32\dwm.exe[936] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffbef97cea0 7 bytes JMP 00007ffceef40228 .text C:\WINDOWS\system32\dwm.exe[936] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffbef97cf10 7 bytes JMP 00007ffceef40298 .text C:\WINDOWS\system32\dwm.exe[936] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffbeef5299c 7 bytes JMP 00007ffceef400d8 .text C:\WINDOWS\system32\dwm.exe[936] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffbeef554c8 5 bytes JMP 00007ffceef40180 .text C:\WINDOWS\system32\dwm.exe[936] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffbeef555b0 5 bytes JMP 00007ffceef40148 .text C:\WINDOWS\system32\dwm.exe[936] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffbeef55e58 5 bytes JMP 00007ffceef40110 .text C:\WINDOWS\system32\dwm.exe[936] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffbef557834 10 bytes JMP 00007ffceef40490 .text C:\WINDOWS\system32\dwm.exe[936] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffbef55b4d0 5 bytes JMP 00007ffceef40420 .text C:\WINDOWS\system32\dwm.exe[936] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffbef55c6d8 5 bytes JMP 00007ffceef40458 .text C:\WINDOWS\system32\dwm.exe[936] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffbef55e39c 9 bytes JMP 00007ffceef403e8 .text C:\WINDOWS\system32\dwm.exe[936] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffbef351500 8 bytes JMP 00007ffceef401b8 .text C:\WINDOWS\system32\dwm.exe[936] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffbef351750 8 bytes JMP 00007ffceef401f0 .text C:\WINDOWS\system32\dwm.exe[936] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 00007ffbec607a88 5 bytes JMP 00007ffcec5f0110 .text C:\WINDOWS\system32\dwm.exe[936] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory 00007ffbec614990 5 bytes JMP 00007ffcec5f00d8 .text C:\WINDOWS\system32\nvvsvc.exe[316] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbefbc169a 4 bytes [BC, EF, FB, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[316] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbefbc16a2 4 bytes [BC, EF, FB, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[316] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbefbc181a 4 bytes [BC, EF, FB, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[316] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbefbc1832 4 bytes [BC, EF, FB, 7F] .text C:\WINDOWS\system32\WLANExt.exe[1508] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbefbc169a 4 bytes [BC, EF, FB, 7F] .text C:\WINDOWS\system32\WLANExt.exe[1508] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbefbc16a2 4 bytes [BC, EF, FB, 7F] .text C:\WINDOWS\system32\WLANExt.exe[1508] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbefbc181a 4 bytes [BC, EF, FB, 7F] .text C:\WINDOWS\system32\WLANExt.exe[1508] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbefbc1832 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\AuthenTec TrueSuite\TouchControl.exe[1820] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbefbc169a 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\AuthenTec TrueSuite\TouchControl.exe[1820] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbefbc16a2 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\AuthenTec TrueSuite\TouchControl.exe[1820] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbefbc181a 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\AuthenTec TrueSuite\TouchControl.exe[1820] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbefbc1832 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2528] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbefbc169a 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2528] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbefbc16a2 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2528] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbefbc181a 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2528] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbefbc1832 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2528] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffbe1531f6a 4 bytes [53, E1, FB, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2528] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffbe1531f82 4 bytes [53, E1, FB, 7F] .text C:\Windows\System32\svchost.exe[2976] c:\windows\system32\WSOCK32.dll!setsockopt + 194 00007ffbe1531f6a 4 bytes [53, E1, FB, 7F] .text C:\Windows\System32\svchost.exe[2976] c:\windows\system32\WSOCK32.dll!setsockopt + 218 00007ffbe1531f82 4 bytes [53, E1, FB, 7F] .text C:\Windows\System32\svchost.exe[2820] c:\windows\system32\WSOCK32.dll!setsockopt + 194 00007ffbe1531f6a 4 bytes [53, E1, FB, 7F] .text C:\Windows\System32\svchost.exe[2820] c:\windows\system32\WSOCK32.dll!setsockopt + 218 00007ffbe1531f82 4 bytes [53, E1, FB, 7F] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1368] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbefbc169a 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1368] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbefbc16a2 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1368] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbefbc181a 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1368] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbefbc1832 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Windows Defender\MsMpEng.exe[3280] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 506 00007ffbefbc169a 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Windows Defender\MsMpEng.exe[3280] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 514 00007ffbefbc16a2 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Windows Defender\MsMpEng.exe[3280] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 118 00007ffbefbc181a 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Windows Defender\MsMpEng.exe[3280] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 142 00007ffbefbc1832 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3776] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbefbc169a 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3776] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbefbc16a2 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3776] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbefbc181a 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3776] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbefbc1832 4 bytes [BC, EF, FB, 7F] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4448] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbefbc169a 4 bytes [BC, EF, FB, 7F] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4448] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbefbc16a2 4 bytes [BC, EF, FB, 7F] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4448] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbefbc181a 4 bytes [BC, EF, FB, 7F] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4448] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbefbc1832 4 bytes [BC, EF, FB, 7F] .text C:\Windows\System32\igfxpers.exe[5840] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbefbc169a 4 bytes [BC, EF, FB, 7F] .text C:\Windows\System32\igfxpers.exe[5840] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbefbc16a2 4 bytes [BC, EF, FB, 7F] .text C:\Windows\System32\igfxpers.exe[5840] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbefbc181a 4 bytes [BC, EF, FB, 7F] .text C:\Windows\System32\igfxpers.exe[5840] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbefbc1832 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Sony\VAIO Care\ESRV\esrv.exe[6620] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbefbc169a 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Sony\VAIO Care\ESRV\esrv.exe[6620] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbefbc16a2 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Sony\VAIO Care\ESRV\esrv.exe[6620] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbefbc181a 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Sony\VAIO Care\ESRV\esrv.exe[6620] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbefbc1832 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[6844] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbefbc169a 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[6844] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbefbc16a2 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[6844] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbefbc181a 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[6844] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbefbc1832 4 bytes [BC, EF, FB, 7F] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4288] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffbe1531f6a 4 bytes [53, E1, FB, 7F] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4288] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffbe1531f82 4 bytes [53, E1, FB, 7F] ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [632:1784] fffff96000838b90 Thread C:\Windows\System32\skydrive.exe [5064:4240] 00007ffbe2c86820 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----