GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-03-25 20:33:57
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 PLEXTOR_PX-128M5S rev.1.05 119,24GB
Running: gmer.exe; Driver: C:\Users\Lukasz\AppData\Local\Temp\ugrdapoc.sys

---- User code sections - GMER 2.2 ----

.text C:\Windows\SysWOW64\vmnat.exe[1716] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 4 00000000742713b0 2 bytes JMP 75145628 C:\Windows\syswow64\SHELL32.dll
.text C:\Windows\SysWOW64\vmnat.exe[1716] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 20 00000000742713c0 2 bytes CALL 769d9cee C:\Windows\syswow64\msvcrt.dll
.text ... * 20
.text C:\Windows\SysWOW64\vmnat.exe[1716] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 22 000000007427153e 2 bytes CALL 751d7744 C:\Windows\syswow64\SHELL32.dll
.text C:\Windows\SysWOW64\vmnat.exe[1716] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 43 0000000074271553 2 bytes CALL 762710ff C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1900] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075d71401 2 bytes JMP 7629b233 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1900] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075d71419 2 bytes JMP 7629b35e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075d71431 2 bytes JMP 76319011 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075d7144a 2 bytes CALL 762748ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1900] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075d714dd 2 bytes JMP 7631890a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1900] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075d714f5 2 bytes JMP 76318ae0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1900] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075d7150d 2 bytes JMP 76318800 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1900] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075d71525 2 bytes JMP 76318bca C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1900] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075d7153d 2 bytes JMP 7628fcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1900] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075d71555 2 bytes JMP 76296907 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1900] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075d7156d 2 bytes JMP 763190c9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1900] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075d71585 2 bytes JMP 76318c2a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1900] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075d7159d 2 bytes JMP 763187c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1900] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075d715b5 2 bytes JMP 7628fd59 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1900] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075d715cd 2 bytes JMP 7629b2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1900] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075d716b2 2 bytes JMP 76318f8c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[1900] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075d716bd 2 bytes JMP 76318759 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\Dwm.exe[2628] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcca2db0 5 bytes JMP 000007fefcc90180
.text C:\Windows\system32\Dwm.exe[2628] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcca3700 7 bytes JMP 000007fefcc900d8
.text C:\Windows\system32\Dwm.exe[2628] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcca9140 5 bytes JMP 000007fefcc90148
.text C:\Windows\system32\Dwm.exe[2628] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefccaa2b0 5 bytes JMP 000007fefcc90110
.text C:\Windows\system32\Dwm.exe[2628] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefea889d0 8 bytes JMP 000007fefcc901f0
.text C:\Windows\system32\Dwm.exe[2628] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefea8be40 8 bytes JMP 000007fefcc901b8
.text C:\Windows\system32\Dwm.exe[2628] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef639dc88 5 bytes JMP 000007fef61900d8
.text C:\Windows\system32\Dwm.exe[2628] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef639de10 5 bytes JMP 000007fef6190110
.text C:\Program Files (x86)\Napisy24\Napisy24.exe[2572] C:\Windows\syswow64\USER32.dll!GetSysColor 0000000076786c3c 5 bytes JMP 0000000000a9f04a
.text C:\Program Files (x86)\Napisy24\Napisy24.exe[2572] C:\Windows\syswow64\USER32.dll!FillRect 0000000076790ec6 5 bytes JMP 0000000000a9f12a
.text C:\Program Files (x86)\Napisy24\Napisy24.exe[2572] C:\Windows\syswow64\USER32.dll!GetSysColorBrush 00000000767935b4 5 bytes JMP 0000000000a9f0ba
.text C:\Program Files (x86)\Napisy24\Napisy24.exe[2572] C:\Windows\syswow64\USER32.dll!DrawEdge 0000000076795833 5 bytes JMP 0000000000a9f19a
.text C:\Program Files (x86)\Napisy24\Napisy24.exe[2572] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075d71401 2 bytes JMP 7629b233 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Napisy24\Napisy24.exe[2572] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075d71419 2 bytes JMP 7629b35e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Napisy24\Napisy24.exe[2572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075d71431 2 bytes JMP 76319011 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Napisy24\Napisy24.exe[2572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075d7144a 2 bytes CALL 762748ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Napisy24\Napisy24.exe[2572] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075d714dd 2 bytes JMP 7631890a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Napisy24\Napisy24.exe[2572] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075d714f5 2 bytes JMP 76318ae0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Napisy24\Napisy24.exe[2572] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075d7150d 2 bytes JMP 76318800 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Napisy24\Napisy24.exe[2572] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075d71525 2 bytes JMP 76318bca C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Napisy24\Napisy24.exe[2572] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075d7153d 2 bytes JMP 7628fcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Napisy24\Napisy24.exe[2572] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075d71555 2 bytes JMP 76296907 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Napisy24\Napisy24.exe[2572] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075d7156d 2 bytes JMP 763190c9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Napisy24\Napisy24.exe[2572] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075d71585 2 bytes JMP 76318c2a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Napisy24\Napisy24.exe[2572] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075d7159d 2 bytes JMP 763187c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Napisy24\Napisy24.exe[2572] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075d715b5 2 bytes JMP 7628fd59 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Napisy24\Napisy24.exe[2572] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075d715cd 2 bytes JMP 7629b2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Napisy24\Napisy24.exe[2572] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075d716b2 2 bytes JMP 76318f8c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Napisy24\Napisy24.exe[2572] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075d716bd 2 bytes JMP 76318759 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\Dwm.exe[6528] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefcca2db0 5 bytes JMP 000007fefcc90180
.text C:\Windows\system32\Dwm.exe[6528] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefcca3700 7 bytes JMP 000007fefcc900d8
.text C:\Windows\system32\Dwm.exe[6528] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcca9140 5 bytes JMP 000007fefcc90148
.text C:\Windows\system32\Dwm.exe[6528] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefccaa2b0 5 bytes JMP 000007fefcc90110
.text C:\Windows\system32\Dwm.exe[6528] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefea889d0 8 bytes JMP 000007fefcc901f0
.text C:\Windows\system32\Dwm.exe[6528] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefea8be40 8 bytes JMP 000007fefcc901b8
.text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[6764] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075d71401 2 bytes JMP 7629b233 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[6764] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075d71419 2 bytes JMP 7629b35e C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[6764] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075d71431 2 bytes JMP 76319011 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[6764] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000075d7144a 2 bytes CALL 762748ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[6764] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000075d714dd 2 bytes JMP 7631890a C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[6764] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000075d714f5 2 bytes JMP 76318ae0 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[6764] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000075d7150d 2 bytes JMP 76318800 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[6764] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075d71525 2 bytes JMP 76318bca C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[6764] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000075d7153d 2 bytes JMP 7628fcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[6764] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075d71555 2 bytes JMP 76296907 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[6764] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000075d7156d 2 bytes JMP 763190c9 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[6764] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075d71585 2 bytes JMP 76318c2a C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[6764] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000075d7159d 2 bytes JMP 763187c4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[6764] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000075d715b5 2 bytes JMP 7628fd59 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[6764] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000075d715cd 2 bytes JMP 7629b2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[6764] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000075d716b2 2 bytes JMP 76318f8c C:\Windows\syswow64\kernel32.dll
.text C:\Users\Lukasz\AppData\Roaming\uTorrent\uTorrent.exe[6764] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000075d716bd 2 bytes JMP 76318759 C:\Windows\syswow64\kernel32.dll

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0143dccc340
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0143dccc340@9c029872d173 0x30 0x5A 0x60 0xDC ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0143dccc340 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0143dccc340@9c029872d173 0x30 0x5A 0x60 0xDC ...

---- Files - GMER 2.2 ----

File C:\Users\Lukasz\AppData\Local\Temp\etilqs_8LY35Gw7b2F5T2J 4 bytes
File C:\Users\Lukasz\AppData\Local\Google\Chrome\User Data\Default\Cache\f_018e6b 366287 bytes
File C:\Users\Lukasz\AppData\Local\Google\Chrome\User Data\Default\Cache\f_018e6c 2097152 bytes

---- EOF - GMER 2.2 ----