GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-11-18 09:55:42 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB Running: 6zj6t7w6.exe; Driver: C:\Users\asia\AppData\Local\Temp\ugldrpob.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1904] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075961401 2 bytes JMP 7708b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1904] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075961419 2 bytes JMP 7708b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1904] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075961431 2 bytes JMP 77108fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1904] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007596144a 2 bytes CALL 7706489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1904] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000759614dd 2 bytes JMP 771088c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1904] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000759614f5 2 bytes JMP 77108aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1904] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007596150d 2 bytes JMP 771087ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1904] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075961525 2 bytes JMP 77108b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1904] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007596153d 2 bytes JMP 7707fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1904] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075961555 2 bytes JMP 770868ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1904] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007596156d 2 bytes JMP 77109089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1904] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075961585 2 bytes JMP 77108bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1904] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007596159d 2 bytes JMP 7710877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1904] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000759615b5 2 bytes JMP 7707fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1904] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000759615cd 2 bytes JMP 7708b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1904] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000759616b2 2 bytes JMP 77108f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1904] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000759616bd 2 bytes JMP 77108713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075961401 2 bytes JMP 7708b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4188] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075961419 2 bytes JMP 7708b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075961431 2 bytes JMP 77108fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007596144a 2 bytes CALL 7706489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4188] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000759614dd 2 bytes JMP 771088c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000759614f5 2 bytes JMP 77108aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4188] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007596150d 2 bytes JMP 771087ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075961525 2 bytes JMP 77108b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007596153d 2 bytes JMP 7707fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4188] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075961555 2 bytes JMP 770868ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007596156d 2 bytes JMP 77109089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075961585 2 bytes JMP 77108bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4188] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007596159d 2 bytes JMP 7710877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000759615b5 2 bytes JMP 7707fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000759615cd 2 bytes JMP 7708b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000759616b2 2 bytes JMP 77108f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4188] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000759616bd 2 bytes JMP 77108713 C:\Windows\syswow64\kernel32.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\svchost.exe[1216] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress] [7fefac42840] c:\windows\system32\uxtuneup.dll IAT C:\Windows\system32\svchost.exe[1216] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!ReadFile] [7fefac42720] c:\windows\system32\uxtuneup.dll IAT C:\Windows\Explorer.EXE[3792] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!FreeLibraryAndExitThread] [10002370] C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll IAT C:\Windows\Explorer.EXE[3792] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateThread] [100034e0] C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll IAT C:\Windows\Explorer.EXE[3792] @ C:\Windows\system32\SHELL32.dll[KERNEL32.dll!LoadLibraryA] [100011e0] C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{99FF7D41-F991-4743-8058-0EB471A22EDD}\Connection@Name isatap.{566462F7-7743-4943-AE81-9EDE64941C00} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{60E617A2-D2FD-48A0-849E-5274C8258B02}?\Device\{90CACAB0-F1FB-4996-A15F-6AAFFAE905EF}?\Device\{99FF7D41-F991-4743-8058-0EB471A22EDD}?\Device\{3A8C1971-EA82-4E51-94CE-2DAF32185AC1}?\Device\{CEBC9876-0968-47A7-8EB1-FD1ECBE033D0}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{60E617A2-D2FD-48A0-849E-5274C8258B02}"?"{90CACAB0-F1FB-4996-A15F-6AAFFAE905EF}"?"{99FF7D41-F991-4743-8058-0EB471A22EDD}"?"{3A8C1971-EA82-4E51-94CE-2DAF32185AC1}"?"{CEBC9876-0968-47A7-8EB1-FD1ECBE033D0}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{60E617A2-D2FD-48A0-849E-5274C8258B02}?\Device\TCPIP6TUNNEL_{90CACAB0-F1FB-4996-A15F-6AAFFAE905EF}?\Device\TCPIP6TUNNEL_{99FF7D41-F991-4743-8058-0EB471A22EDD}?\Device\TCPIP6TUNNEL_{3A8C1971-EA82-4E51-94CE-2DAF32185AC1}?\Device\TCPIP6TUNNEL_{CEBC9876-0968-47A7-8EB1-FD1ECBE033D0}? Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{99FF7D41-F991-4743-8058-0EB471A22EDD}@InterfaceName isatap.{566462F7-7743-4943-AE81-9EDE64941C00} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{99FF7D41-F991-4743-8058-0EB471A22EDD}@ReusableType 0 ---- EOF - GMER 2.1 ----