GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-03-16 18:49:20
Windows 6.1.7601 Service Pack 1 x64
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Samsung_SSD_840_EVO_250GB rev.EXT0BB6Q 232,89GB
Running: 09pskuru.exe; Driver: D:\Temp\uglcraoc.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002ff1000 45 bytes [00, 00, 15, 02, 46, 69, 6C, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 574 fffff80002ff102e 19 bytes [63, 00, 00, 00, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1248] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076828769 4 bytes [C2, 04, 00, 00]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1248] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000770a1465 2 bytes [0A, 77]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1248] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000770a14bb 2 bytes [0A, 77]
.text ... * 2
.text C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe[2256] C:\Windows\syswow64\kernel32.dll!CreateThread 0000000076823475 5 bytes JMP 0000000102369f28
.text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000770a1465 2 bytes [0A, 77]
.text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[2144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770a14bb 2 bytes [0A, 77]
.text ... * 2
.text C:\Users\PG\AppData\Roaming\Microsoft\Wcenter43.exe[3408] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000770a1465 2 bytes [0A, 77]
.text C:\Users\PG\AppData\Roaming\Microsoft\Wcenter43.exe[3408] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000770a14bb 2 bytes [0A, 77]
.text ... * 2
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtWaitForSingleObject 000000007796f8bc 5 bytes JMP 00000001770f0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 000000007796f8f0 5 bytes JMP 0000000177510000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 000000007796f928 5 bytes JMP 0000000177530000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007796f9e0 5 bytes JMP 0000000177480000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtQueryObject 000000007796f9f8 5 bytes JMP 0000000176af0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationFile 000000007796fa10 5 bytes JMP 00000001774a0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey 000000007796fa28 5 bytes JMP 0000000176c70000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 000000007796fa40 5 bytes JMP 0000000176eb0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey 000000007796fa90 5 bytes JMP 0000000176c30000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007796faa8 5 bytes JMP 0000000176bf0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 000000007796fad8 5 bytes JMP 0000000176a50000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey 000000007796fb40 5 bytes JMP 0000000176f30000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007796fc38 5 bytes JMP 00000001774c0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007796fc50 5 bytes JMP 00000001773c0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 000000007796fc80 5 bytes JMP 0000000177380000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey 000000007796fd4c 5 bytes JMP 0000000176ed0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007796fd64 5 bytes JMP 0000000177940000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007796fd98 5 bytes JMP 00000001772e0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007796fdc8 5 bytes JMP 0000000177440000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtFsControlFile 000000007796fdf8 5 bytes JMP 00000001771c0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007796fe44 5 bytes JMP 0000000177360000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 000000007796fe5c 5 bytes JMP 0000000177400000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtQueryVolumeInformationFile 000000007796ff8c 2 bytes JMP 0000000177320000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtQueryVolumeInformationFile + 3 000000007796ff8f 2 bytes [9B, FF]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007796ffa4 2 bytes JMP 0000000177460000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 3 000000007796ffa7 2 bytes [AF, FF]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtFlushBuffersFile 000000007796ffbc 2 bytes JMP 00000001771e0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtFlushBuffersFile + 3 000000007796ffbf 2 bytes [87, FF]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtQuerySection 0000000077970050 5 bytes JMP 00000001773a0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000779700b4 5 bytes JMP 0000000177920000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtWaitForMultipleObjects 0000000077970148 5 bytes JMP 00000001770d0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000779701c4 5 bytes JMP 0000000176b50000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtAccessCheck 0000000077970228 5 bytes JMP 0000000176a10000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile 00000000779709e4 5 bytes JMP 00000001774e0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey 00000000779709fc 5 bytes JMP 0000000176f10000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077970a44 5 bytes JMP 0000000176ef0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtExtendSection 0000000077970b1c 5 bytes JMP 00000001770b0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077970b80 5 bytes JMP 0000000176cf0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtFlushVirtualMemory 0000000077970bb4 5 bytes JMP 0000000177420000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtLoadKey 0000000077970e0c 5 bytes JMP 0000000176cd0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtLoadKey2 0000000077970e24 5 bytes JMP 0000000176cb0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtLockFile 0000000077970e54 5 bytes JMP 0000000177220000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeDirectoryFile 0000000077970f58 5 bytes JMP 00000001771a0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077970f70 5 bytes JMP 0000000176c90000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077971018 5 bytes JMP 0000000176c50000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 000000007797133c 5 bytes JMP 0000000177340000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 000000007797147c 5 bytes JMP 0000000176c10000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 0000000077971528 5 bytes JMP 0000000176a30000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey 0000000077971718 5 bytes JMP 0000000176b10000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtReplaceKey 0000000077971748 5 bytes JMP 0000000176bd0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtRestoreKey 00000000779717e0 5 bytes JMP 0000000176bb0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtSaveKey 0000000077971874 5 bytes JMP 0000000176b90000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey 0000000077971a58 5 bytes JMP 0000000176b70000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077971b9c 5 bytes JMP 00000001773e0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtSetVolumeInformationFile 0000000077971c9c 5 bytes JMP 0000000177300000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtUnloadKey 0000000077971e70 5 bytes JMP 0000000176b30000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!NtUnlockFile 0000000077971eb8 5 bytes JMP 0000000177200000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!RtlQueryInformationActivationContext 000000007798ba2c 5 bytes JMP 0000000176ad0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007798c4dd 5 bytes JMP 0000000176a90000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077991287 5 bytes JMP 0000000176a70000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007682103d 5 bytes JMP 00000001767c0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076821072 5 bytes JMP 00000001767e0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\syswow64\kernel32.dll!CreateActCtxW 00000000768291e7 5 bytes JMP 0000000176800000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\syswow64\kernel32.dll!WinExec 00000000768a2c51 5 bytes JMP 00000001767a0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserW 000000007723c532 5 bytes JMP 0000000176ab0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\syswow64\ADVAPI32.dll!EncryptFileW 00000000772728f8 5 bytes JMP 0000000176780000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\syswow64\ADVAPI32.dll!DecryptFileW 0000000077272947 5 bytes JMP 0000000176760000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\syswow64\ole32.dll!CoRegisterClassObject 0000000076f521e1 5 bytes JMP 00000001769f0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\syswow64\ole32.dll!CoGetClassObject 0000000076f754ad 5 bytes JMP 0000000176950000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076f89d0b 5 bytes JMP 0000000176990000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076f89d4e 5 bytes JMP 0000000176970000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\syswow64\ole32.dll!CoRevokeClassObject 0000000076fceacf 5 bytes JMP 00000001769d0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\syswow64\ole32.dll!CoFreeUnusedLibraries 0000000076fd0cc2 5 bytes JMP 00000001769b0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\syswow64\ole32.dll!CoRegisterSurrogate 00000000770209bf 5 bytes JMP 0000000176930000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000005391465 2 bytes [39, 05]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[880] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000053914bb 2 bytes [39, 05]
.text ... * 2

---- Threads - GMER 2.1 ----

Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [880:4124] 000000000066ca30
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [880:4128] 000000000066c3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [880:4132] 000000000066c3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [880:4136] 000000000066c3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [880:4140] 000000000066c3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [880:4144] 000000000066c3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [880:4148] 000000000066c3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [880:4152] 000000000066c3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [880:4156] 000000000066c3c0
Thread C:\Windows\System32\svchost.exe [6092:3932] 000007fef3f19688

---- Processes - GMER 2.1 ----

Process C:\Users\PG\AppData\Roaming\Microsoft\Wcenter43.exe (*** suspicious ***) @ C:\Users\PG\AppData\Roaming\Microsoft\Wcenter43.exe [3408](2014-03-16 10:54:29) 00000000008d0000
Library C:\Users\PG\AppData\Roaming\Microsoft\Wcenter43.exe (*** suspicious ***) @ C:\Users\PG\AppData\Roaming\Microsoft\Wcenter43.exe [3408](2014-03-16 10:54:29) 0000000000400000
Library :\{9019ACD6-BC11-4308-8C49-92E0601DF38D}\temp\880\bxsdk32.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [880] 0000000010000000
Library C:\Windows\Microsoft.NET\Framework\v2.0.50727\miner.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [880] 0000000013900000
Library C:\Windows\Microsoft.NET\Framework\v2.0.50727\usft_ext.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [880] 0000000011000000
Library C:\Windows\Microsoft.NET\Framework\v2.0.50727\coinutil.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [880] 0000000013800000
Library C:\Windows\Microsoft.NET\Framework\v2.0.50727\MPIR.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [880] 0000000013000000

---- EOF - GMER 2.1 ----