GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-30 11:44:23 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0-0 KINGSTON_SKC300S37A60G rev.507KC4 55,90GB Running: 7eh0gcd0.exe; Driver: C:\Users\PC\AppData\Local\Temp\uglcraoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1604] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075ff8799 4 bytes [C2, 04, 00, 00] .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075f61465 2 bytes [F6, 75] .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075f614bb 2 bytes [F6, 75] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [796] entry point in ".rdata" section 0000000071a171e6 .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000772ff991 8 bytes {MOV EDX, 0xa0228; JMP RDX} .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 15 00000000772ff99b 1 byte [90] .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000772ffbd5 8 bytes {MOV EDX, 0xa0268; JMP RDX} .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 15 00000000772ffbdf 1 byte [90] .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000772ffc05 8 bytes {MOV EDX, 0xa01a8; JMP RDX} .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 15 00000000772ffc0f 1 byte [90] .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000772ffc1d 8 bytes {MOV EDX, 0xa0128; JMP RDX} .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 15 00000000772ffc27 1 byte [90] .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000772ffc35 8 bytes {MOV EDX, 0xa0328; JMP RDX} .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 15 00000000772ffc3f 1 byte [90] .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000772ffc65 8 bytes {MOV EDX, 0xa0368; JMP RDX} .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 15 00000000772ffc6f 1 byte [90] .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000772ffce5 8 bytes {MOV EDX, 0xa02e8; JMP RDX} .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 15 00000000772ffcef 1 byte [90] .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000772ffcfd 8 bytes {MOV EDX, 0xa02a8; JMP RDX} .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 15 00000000772ffd07 1 byte [90] .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000772ffd49 8 bytes {MOV EDX, 0xa0068; JMP RDX} .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 15 00000000772ffd53 1 byte [90] .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000772ffe41 8 bytes {MOV EDX, 0xa00a8; JMP RDX} .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 15 00000000772ffe4b 1 byte [90] .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077300099 8 bytes {MOV EDX, 0xa0028; JMP RDX} .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 15 00000000773000a3 1 byte [90] .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000773010a5 8 bytes {MOV EDX, 0xa01e8; JMP RDX} .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 15 00000000773010af 1 byte [90] .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007730111d 8 bytes {MOV EDX, 0xa0168; JMP RDX} .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 15 0000000077301127 1 byte [90] .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077301321 8 bytes {MOV EDX, 0xa00e8; JMP RDX} .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 15 000000007730132b 1 byte [90] .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075f61465 2 bytes [F6, 75] .text C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe[1124] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075f614bb 2 bytes [F6, 75] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [2536:2192] 000007fef2e29688 ---- EOF - GMER 2.1 ----