GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-08-19 13:12:16
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.GS00 465,76GB
Running: 0ffil083.exe; Driver: C:\Users\Sierotaa\AppData\Local\Temp\uglyiaob.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[1916] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  00000000758f87c9 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[2596] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll  0000000077d3c43a 5 bytes JMP 00000001000301f8
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[2596] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll  0000000077d411d7 5 bytes JMP 00000001000303fc
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[2596] C:\Windows\syswow64\USER32.dll!CreateWindowExW  0000000077288a29 5 bytes JMP 0000000164863834
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[2596] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW  00000000772acbf3 5 bytes JMP 000000016499dcd8
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[2596] C:\Windows\syswow64\USER32.dll!DialogBoxParamW  00000000772acfca 5 bytes JMP 0000000164797f59
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[2596] C:\Windows\syswow64\USER32.dll!DialogBoxParamA  00000000772ccb0c 5 bytes JMP 000000016499dc75
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[2596] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA  00000000772cce64 5 bytes JMP 000000016499dd3b
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[2596] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA  00000000772dfbd1 5 bytes JMP 000000016499dc0a
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[2596] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW  00000000772dfc9d 5 bytes JMP 000000016499db9f
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[2596] C:\Windows\syswow64\USER32.dll!MessageBoxExA  00000000772dfcd6 5 bytes JMP 000000016499db3d
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[2596] C:\Windows\syswow64\USER32.dll!MessageBoxExW  00000000772dfcfa 5 bytes JMP 000000016499dadb
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[2596] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect  00000000770593fc 5 bytes JMP 000000016499e83a
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[2596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000077801465 2 bytes [80, 77]
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[2596] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000778014bb 2 bytes [80, 77]
.text  ...  * 2
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[2596] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW  00000000726d388e 5 bytes JMP 000000016499f282
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[2596] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet  0000000072777922 5 bytes JMP 000000016499f323
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[2596] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW  0000000076ef2694 5 bytes JMP 000000016499ea33
?      C:\Windows\system32\mssprxy.dll [2596] entry point in ".rdata" section  0000000071f371e6
?      C:\Windows\System32\NLSData0000.dll [2596] entry point in ".rdata" section  0000000065b5c541
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll  0000000077d3c43a 5 bytes JMP 00000001000301f8
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll  0000000077d411d7 5 bytes JMP 00000001000303fc
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!CreateWindowExW  0000000077288a29 5 bytes JMP 0000000164863834
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!GetKeyState  000000007729291f 5 bytes JMP 0000000164790f59
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!EnableWindow  0000000077292da4 5 bytes JMP 000000016478a855
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!CallNextHookEx  0000000077296285 5 bytes JMP 00000001647d3c96
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW  0000000077297603 5 bytes JMP 0000000164827df9
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamA  000000007729b029 5 bytes JMP 000000016499e9c5
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW  000000007729c63e 5 bytes JMP 000000016499e9fc
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!IsDialogMessage  00000000772a50ed 5 bytes JMP 000000016499e191
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!CreateDialogParamA  00000000772a5246 5 bytes JMP 000000016499e957
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!EndDialog  00000000772ab99c 5 bytes JMP 000000016478b000
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!IsDialogMessageW  00000000772ac701 5 bytes JMP 000000016478adae
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW  00000000772acbf3 5 bytes JMP 000000016499dcd8
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!DialogBoxParamW  00000000772acfca 5 bytes JMP 0000000164797f59
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState  00000000772aeb96 5 bytes JMP 000000016478b202
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx  00000000772af52b 5 bytes JMP 000000016488d963
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!SendInput  00000000772aff4a 5 bytes JMP 000000016499f11c
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!CreateDialogParamW  00000000772b10dc 5 bytes JMP 000000016499e98e
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!SetKeyboardState  00000000772b14b2 5 bytes JMP 000000016499e4f6
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!SetCursorPos  00000000772c9cfd 5 bytes JMP 000000016499f174
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!DialogBoxParamA  00000000772ccb0c 5 bytes JMP 000000016499dc75
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA  00000000772cce64 5 bytes JMP 000000016499dd3b
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA  00000000772dfbd1 5 bytes JMP 000000016499dc0a
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW  00000000772dfc9d 5 bytes JMP 000000016499db9f
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!MessageBoxExA  00000000772dfcd6 5 bytes JMP 000000016499db3d
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!MessageBoxExW  00000000772dfcfa 5 bytes JMP 000000016499dadb
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\USER32.dll!keybd_event  00000000772e02bf 5 bytes JMP 000000016499f4a7
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\ole32.dll!OleLoadFromStream  00000000770e6143 3 bytes JMP 000000016499e036
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\ole32.dll!OleLoadFromStream + 4  00000000770e6147 1 byte [ED]
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\ole32.dll!CoCreateInstance  0000000077129d0b 5 bytes JMP 00000001648633c2
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString  0000000076ff3e59 5 bytes JMP 000000016487d8fb
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\OLEAUT32.dll!VariantClear  0000000076ff3eae 5 bytes JMP 000000016487e408
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen  0000000076ff4731 5 bytes JMP 000000016499ec33
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType  0000000076ff5dee 5 bytes JMP 000000016499ec7e
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect  00000000770593fc 5 bytes JMP 000000016499e83a
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000077801465 2 bytes [80, 77]
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000778014bb 2 bytes [80, 77]
.text  ...  * 2
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW  00000000726d388e 5 bytes JMP 000000016499f282
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet  0000000072777922 5 bytes JMP 000000016499f323
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\comdlg32.dll!PrintDlgW  0000000076ee33a3 5 bytes JMP 000000016499eacd
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[3388] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW  0000000076ef2694 5 bytes JMP 000000016499ea33

---- Processes - GMER 2.1 ----

Library  C:\Users\Sierotaa\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1468] (GG drive menu/GG Network S.A.)(2014-08-17 21:30:26)  000000005ff80000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4c8093652849
Reg  HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch  8874
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{4150ADBD-3EB6-4ACF-B30C-830BECDA450F}@LeaseObtainedTime  1439981203
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{4150ADBD-3EB6-4ACF-B30C-830BECDA450F}@T1  1440110803
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{4150ADBD-3EB6-4ACF-B30C-830BECDA450F}@T2  1440208003
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{4150ADBD-3EB6-4ACF-B30C-830BECDA450F}@LeaseTerminatesTime  1440240403
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4c8093652849 (not active ControlSet)

---- EOF - GMER 2.1 ----