GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-03-19 11:00:58 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 PLEXTOR_PX-128M5S rev.1.05 119,24GB Running: gmer.exe; Driver: C:\Users\Lukasz\AppData\Local\Temp\ugrdapoc.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\SysWOW64\vmnat.exe[1716] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 4 00000000744a13b0 2 bytes JMP 759e5628 C:\Windows\syswow64\SHELL32.dll .text C:\Windows\SysWOW64\vmnat.exe[1716] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 20 00000000744a13c0 2 bytes CALL 75059cee C:\Windows\syswow64\msvcrt.dll .text ... * 20 .text C:\Windows\SysWOW64\vmnat.exe[1716] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 22 00000000744a153e 2 bytes CALL 75a77744 C:\Windows\syswow64\SHELL32.dll .text C:\Windows\SysWOW64\vmnat.exe[1716] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 43 00000000744a1553 2 bytes CALL 768a10ff C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000765b1401 2 bytes JMP 768cb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1872] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000765b1419 2 bytes JMP 768cb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000765b1431 2 bytes JMP 76949011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000765b144a 2 bytes CALL 768a48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1872] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000765b14dd 2 bytes JMP 7694890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000765b14f5 2 bytes JMP 76948ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1872] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000765b150d 2 bytes JMP 76948800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000765b1525 2 bytes JMP 76948bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000765b153d 2 bytes JMP 768bfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1872] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000765b1555 2 bytes JMP 768c6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000765b156d 2 bytes JMP 769490c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000765b1585 2 bytes JMP 76948c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1872] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000765b159d 2 bytes JMP 769487c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000765b15b5 2 bytes JMP 768bfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000765b15cd 2 bytes JMP 768cb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000765b16b2 2 bytes JMP 76948f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1872] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000765b16bd 2 bytes JMP 76948759 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\Dwm.exe[2928] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcef2db0 5 bytes JMP 000007fefcee0180 .text C:\Windows\system32\Dwm.exe[2928] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcef3700 7 bytes JMP 000007fefcee00d8 .text C:\Windows\system32\Dwm.exe[2928] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcef9140 5 bytes JMP 000007fefcee0148 .text C:\Windows\system32\Dwm.exe[2928] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefcefa2b0 5 bytes JMP 000007fefcee0110 .text C:\Windows\system32\Dwm.exe[2928] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feff2089d0 8 bytes JMP 000007fefcee01f0 .text C:\Windows\system32\Dwm.exe[2928] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feff20be40 8 bytes JMP 000007fefcee01b8 .text C:\Windows\system32\Dwm.exe[2928] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef630dc88 5 bytes JMP 000007fef60a00d8 .text C:\Windows\system32\Dwm.exe[2928] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef630de10 5 bytes JMP 000007fef60a0110 .text C:\Program Files (x86)\Napisy24\Napisy24.exe[3112] C:\Windows\syswow64\USER32.dll!GetSysColor 0000000076626c3c 5 bytes JMP 000000000229f04a .text C:\Program Files (x86)\Napisy24\Napisy24.exe[3112] C:\Windows\syswow64\USER32.dll!FillRect 0000000076630ec6 5 bytes JMP 000000000229f12a .text C:\Program Files (x86)\Napisy24\Napisy24.exe[3112] C:\Windows\syswow64\USER32.dll!GetSysColorBrush 00000000766335b4 5 bytes JMP 000000000229f0ba .text C:\Program Files (x86)\Napisy24\Napisy24.exe[3112] C:\Windows\syswow64\USER32.dll!DrawEdge 0000000076635833 5 bytes JMP 000000000229f19a .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000765b1401 2 bytes JMP 768cb233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3500] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000765b1419 2 bytes JMP 768cb35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000765b1431 2 bytes JMP 76949011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000765b144a 2 bytes CALL 768a48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3500] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000765b14dd 2 bytes JMP 7694890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000765b14f5 2 bytes JMP 76948ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3500] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000765b150d 2 bytes JMP 76948800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000765b1525 2 bytes JMP 76948bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000765b153d 2 bytes JMP 768bfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3500] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000765b1555 2 bytes JMP 768c6907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000765b156d 2 bytes JMP 769490c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000765b1585 2 bytes JMP 76948c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3500] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000765b159d 2 bytes JMP 769487c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000765b15b5 2 bytes JMP 768bfd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000765b15cd 2 bytes JMP 768cb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000765b16b2 2 bytes JMP 76948f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Drive\googledrivesync.exe[3500] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000765b16bd 2 bytes JMP 76948759 C:\Windows\syswow64\kernel32.dll .text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000765b1401 2 bytes JMP 768cb233 C:\Windows\syswow64\kernel32.dll .text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000765b1419 2 bytes JMP 768cb35e C:\Windows\syswow64\kernel32.dll .text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000765b1431 2 bytes JMP 76949011 C:\Windows\syswow64\kernel32.dll .text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000765b144a 2 bytes CALL 768a48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000765b14dd 2 bytes JMP 7694890a C:\Windows\syswow64\kernel32.dll .text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000765b14f5 2 bytes JMP 76948ae0 C:\Windows\syswow64\kernel32.dll .text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000765b150d 2 bytes JMP 76948800 C:\Windows\syswow64\kernel32.dll .text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000765b1525 2 bytes JMP 76948bca C:\Windows\syswow64\kernel32.dll .text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000765b153d 2 bytes JMP 768bfcc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000765b1555 2 bytes JMP 768c6907 C:\Windows\syswow64\kernel32.dll .text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000765b156d 2 bytes JMP 769490c9 C:\Windows\syswow64\kernel32.dll .text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000765b1585 2 bytes JMP 76948c2a C:\Windows\syswow64\kernel32.dll .text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000765b159d 2 bytes JMP 769487c4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000765b15b5 2 bytes JMP 768bfd59 C:\Windows\syswow64\kernel32.dll .text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000765b15cd 2 bytes JMP 768cb2f4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000765b16b2 2 bytes JMP 76948f8c C:\Windows\syswow64\kernel32.dll .text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[2204] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000765b16bd 2 bytes JMP 76948759 C:\Windows\syswow64\kernel32.dll ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0143dccc340 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0143dccc340@9c029872d173 0x30 0x5A 0x60 0xDC ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0143dccc340 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0143dccc340@9c029872d173 0x30 0x5A 0x60 0xDC ... ---- EOF - GMER 2.2 ----