GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-06-25 19:11:22 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-2 ST1000DM003-1ER162 rev.CC45 931,51GB Running: gmer.exe; Driver: C:\Users\STEVE\AppData\Local\Temp\ugloypob.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2988] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077041bb2 5 bytes JMP 0000000000298c60 .text C:\Program Files (x86)\Steam\Steam.exe[892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075321465 2 bytes [32, 75] .text C:\Program Files (x86)\Steam\Steam.exe[892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753214bb 2 bytes [32, 75] .text ... * 2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[760] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000770987c9 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files (x86)\Gaming Keyboard\Monitor.EXE[1408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075321465 2 bytes [32, 75] .text C:\Program Files (x86)\Gaming Keyboard\Monitor.EXE[1408] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753214bb 2 bytes [32, 75] .text ... * 2 .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3536] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075321465 2 bytes [32, 75] .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3536] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753214bb 2 bytes [32, 75] .text ... * 2 .text C:\Windows\SysWOW64\PnkBstrA.exe[3876] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000072731a22 2 bytes [73, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[3876] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000072731ad0 2 bytes [73, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[3876] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000072731b08 2 bytes [73, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[3876] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000072731bba 2 bytes [73, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[3876] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000072731bda 2 bytes [73, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[3876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075321465 2 bytes [32, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[3876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753214bb 2 bytes [32, 75] .text ... * 2 .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6744] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007777f9a1 7 bytes {MOV EDX, 0x7d2ae8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6744] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 5 000000007777fa1d 7 bytes {MOV EDX, 0x7d29a8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6744] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 5 000000007777fb35 7 bytes {MOV EDX, 0x7d2968; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6744] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007777fbe5 7 bytes {MOV EDX, 0x7d2b28; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6744] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007777fc15 7 bytes {MOV EDX, 0x7d2a68; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6744] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007777fc2d 7 bytes {MOV EDX, 0x7d2928; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6744] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007777fc45 7 bytes {MOV EDX, 0x7d2be8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6744] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007777fc75 7 bytes {MOV EDX, 0x7d2c28; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6744] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007777fcf5 7 bytes {MOV EDX, 0x7d2ba8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6744] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007777fd0d 7 bytes {MOV EDX, 0x7d2b68; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6744] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007777fd59 7 bytes {MOV EDX, 0x7d2868; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6744] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007777fe51 7 bytes {MOV EDX, 0x7d28a8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6744] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000777800a9 7 bytes {MOV EDX, 0x7d2828; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6744] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 5 000000007778100d 7 bytes {MOV EDX, 0x7d29e8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6744] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000777810b5 7 bytes {MOV EDX, 0x7d2aa8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6744] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007778112d 7 bytes {MOV EDX, 0x7d2a28; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6744] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077781331 7 bytes {MOV EDX, 0x7d28e8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075321465 2 bytes [32, 75] .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753214bb 2 bytes [32, 75] .text ... * 2 .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007777f9a1 7 bytes {MOV EDX, 0x9ea2e8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 5 000000007777fa1d 7 bytes {MOV EDX, 0x9ea1a8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 5 000000007777fb35 7 bytes {MOV EDX, 0x9ea168; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007777fbe5 7 bytes {MOV EDX, 0x9ea328; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007777fc15 7 bytes {MOV EDX, 0x9ea268; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007777fc2d 7 bytes {MOV EDX, 0x9ea128; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007777fc45 7 bytes {MOV EDX, 0x9ea3e8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007777fc75 7 bytes {MOV EDX, 0x9ea428; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007777fcf5 7 bytes {MOV EDX, 0x9ea3a8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007777fd0d 7 bytes {MOV EDX, 0x9ea368; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007777fd59 7 bytes {MOV EDX, 0x9ea068; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007777fe51 7 bytes {MOV EDX, 0x9ea0a8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000777800a9 7 bytes {MOV EDX, 0x9ea028; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 5 000000007778100d 7 bytes {MOV EDX, 0x9ea1e8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000777810b5 7 bytes {MOV EDX, 0x9ea2a8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007778112d 7 bytes {MOV EDX, 0x9ea228; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6704] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077781331 7 bytes {MOV EDX, 0x9ea0e8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075321465 2 bytes [32, 75] .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[6704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753214bb 2 bytes [32, 75] .text ... * 2 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14668134685782272@SetupOperations ????\p??????????????????? ?????????????????????,????????P?%??????5???????????\??????gr???????????a?g s????P??????s????hmef??\SystemRoot\system32\drivers\aswKbd.sys?ys?ile???????????t?????eva??aswKbd?igh???????????????????????????,??p???Keyboard Port???Extended Base????w????????????????????N??????R?????nst??6.1.7600.16385??????????????????mi???????????5???????????????|??og???????????a??????@volsnap.inf,%storage\volumesnapshot.devicedesc%;Generic volume shadow copy?c0???????????????????????????????????????????????????????????S??tw??USB Keyboard?&???????????i??=A??????????????????nvd3dumx,nvwgf2umx,nvwgf2umx?nvd3dum,nvwgf2um,nvwgf2um???d??????????????????nvd3dum.dll?nvwgf2um.dll?nvwgf2um.dll???I4??? P????????????3????RPCSS??i?????????????????????????????????????2??sh??????????? ?????????????????????????????????????????c??????x??????2????h1.2???????????????h??.NT??????????????3???(0??_??????????????????????????????t_??.NT?hi??? ??????????????????????????????t??????????ceI??? ?????????????????????,????????x?????? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14668135082812272@SetupOperations ????s???6-21-2006???????????????????????? ?????????????????????0??L????????? ???????????????????????????????? ?????????????????????0????????????&????????????????????????????????????????a??ca??|???????????????????????? ?????????????????????,????????????&???????????????????????? ??1???????????????????????????0???? ?????????????????????,????????X????????N??????????????????????????????t?????????????????????????X???????????h???????????????????????????2?????????????????AMD HD Audio HDMI out #0??????????N?????????D???{17CCA71B-ECD7-11D0-B908-00A0C9223196}??????? ???????5????????????????"??????????????????o??????????????????????\\?\HDAUDIO#FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1002#5&2fea73b5&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\e0HDMIOut2Topo??????? ??????????????????????????????N?????????????s???????????????@?????????????????AMD HD Audio HDMI out mixer #0???????????N?????????D???{17CCA71B-ECD7-11D0-B908-00A0C9223196}??????? ??????????????????????????????????????????????????? ????????????????????? Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14668134685782272@SetupOperations ??????????*????????g????Intel(R) Corporation????? ??????? ??????????????????????????????????? ??6&1f2a903d&0?????????????????????????????????????????????b??????????????????????USB2.0 Hub??????????????????????????????????????????????????????????????????????oem2.inf:Intel.NTAMD64.6.1:IUsb3HubModel:3.0.5.69:iusb3\class_09&subclass_00&prot_01????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????USB 2.0 Hub?????????????????????????????????????????????????????????????????????IUsb3HubModel?????????????????????F?????????????iusb3\class_09&subclass_00&prot_01????????????????????????*?????????????Intel(R) Corporation?????????????????????????????????????????????o???????s??????@usbstor.inf,%generic.mfg%;Compatible USB storage device?????i?i?i?i?i?i?i?i?i?i?i?i?n??@usbstor.inf,%generic.mfg%;Compatible USB storage device????? Z???????????????????????X?avast! keyboard filter driver (aswKbd)???????????????,???????????????6??e6????? Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14668135082812272@SetupOperations ????????????????????????? ??6&1f2a903d&0?????????????????????????????????????????????b??????????????????????USB2.0 Hub??????????????????????????????????????????????????????????????????????oem2.inf:Intel.NTAMD64.6.1:IUsb3HubModel:3.0.5.69:iusb3\class_09&subclass_00&prot_01????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????USB 2.0 Hub?????????????????????????????????????????????????????????????????????IUsb3HubModel?????????????????????F?????????????iusb3\class_09&subclass_00&prot_01????????????????????????*?????????????Intel(R) Corporation?????????????????????????????????????????????o???????s??????@usbstor.inf,%generic.mfg%;Compatible USB storage device?????i?i?i?i?i?i?i?i?i?i?i?i?n??@usbstor.inf,%generic.mfg%;Compatible USB storage device????? Z???????????????????????X?avast! keyboard filter driver (aswKbd)???????????????,???????????????6??e6??????????????Sony?tp.inf,%genericmfg%;(Standard MTP Device)?6|P??WpdDevi ---- EOF - GMER 2.2 ----