GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-02 22:44:54
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SanDisk_SDSSDP128G rev.2.0.0 119,24GB
Running: gp9hwt87.exe; Driver: C:\Users\abc\AppData\Local\Temp\uxriapow.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031fe000 63 bytes [00, 00, 15, 02, 46, 69, 6C, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 592 fffff800031fe040 1 byte [01]

---- User code sections - GMER 2.1 ----

.text C:\Windows\Explorer.EXE[3276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 6 bytes [48, B8, AE, 07, 73, 04]
.text C:\Windows\Explorer.EXE[3276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077821518 4 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Windows\Explorer.EXE[3276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778215e0 6 bytes [48, B8, 0E, 14, 73, 04]
.text C:\Windows\Explorer.EXE[3276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000778215e8 4 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Windows\Explorer.EXE[3276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077821800 6 bytes [48, B8, EE, 0F, 73, 04]
.text C:\Windows\Explorer.EXE[3276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077821808 4 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Windows\Explorer.EXE[3276] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000778218b0 6 bytes [48, B8, 8E, 24, 73, 04]
.text C:\Windows\Explorer.EXE[3276] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000778218b8 4 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Windows\Explorer.EXE[3276] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077821e40 6 bytes [48, B8, AE, 28, 73, 04]
.text C:\Windows\Explorer.EXE[3276] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077821e48 4 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3380] C:\Windows\syswow64\WS2_32.dll!getaddrinfo 0000000075564296 6 bytes [68, 6F, 56, D2, 07, C3]
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3380] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000075564889 11 bytes [68, B6, 53, D2, 07, C3, 90, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3380] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007556d1ea 11 bytes [68, F2, 54, D2, 07, C3, 90, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3380] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000075577673 11 bytes [68, 81, 57, D2, 07, C3, 90, ...]
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3380] C:\Windows\syswow64\USER32.dll!GetClassNameW + 45 0000000076fa82d6 6 bytes [68, E5, 73, D2, 07, C3]
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 6 bytes [48, B8, AE, 07, DD, 01]
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077821518 4 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778215e0 6 bytes [48, B8, 0E, 14, DD, 01]
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000778215e8 4 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077821800 6 bytes [48, B8, EE, 0F, DD, 01]
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077821808 4 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000778218b0 6 bytes [48, B8, 8E, 24, DD, 01]
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000778218b8 4 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077821e40 6 bytes [48, B8, AE, 28, DD, 01]
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4072] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077821e48 4 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Windows\SysWOW64\WerFault.exe[10564] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 00000000779c000c 1 byte [90]
.text C:\Windows\SysWOW64\WerFault.exe[10564] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000779d0068 4 bytes [68, 84, 8B, 2D]
.text C:\Windows\SysWOW64\WerFault.exe[10564] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread + 5 00000000779d006d 5 bytes [C3, 90, 90, 90, 90]
.text C:\Users\abc\AppData\Roaming\winvap.exe[11880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes [48, B8, AE, 07, 57]
.text C:\Users\abc\AppData\Roaming\winvap.exe[11880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077821518 4 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Users\abc\AppData\Roaming\winvap.exe[11880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778215e0 5 bytes [48, B8, 0E, 14, 57]
.text C:\Users\abc\AppData\Roaming\winvap.exe[11880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000778215e8 4 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Users\abc\AppData\Roaming\winvap.exe[11880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077821800 5 bytes [48, B8, EE, 0F, 57]
.text C:\Users\abc\AppData\Roaming\winvap.exe[11880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077821808 4 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Users\abc\AppData\Roaming\winvap.exe[11880] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000778218b0 5 bytes [48, B8, 8E, 24, 57]
.text C:\Users\abc\AppData\Roaming\winvap.exe[11880] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000778218b8 4 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Users\abc\AppData\Roaming\winvap.exe[11880] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077821e40 5 bytes [48, B8, AE, 28, 57]
.text C:\Users\abc\AppData\Roaming\winvap.exe[11880] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077821e48 4 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[5204] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077981465 2 bytes [98, 77]
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[5204] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000779814bb 2 bytes [98, 77]
.text ... * 2
? C:\Windows\system32\mssprxy.dll [5204] entry point in ".rdata" section 00000000723b71e6
.text C:\Users\abc\AppData\Roaming\c4sysmgr.exe[16084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077821510 5 bytes [48, B8, AE, 07, 76]
.text C:\Users\abc\AppData\Roaming\c4sysmgr.exe[16084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077821518 4 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Users\abc\AppData\Roaming\c4sysmgr.exe[16084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778215e0 5 bytes [48, B8, 0E, 14, 76]
.text C:\Users\abc\AppData\Roaming\c4sysmgr.exe[16084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000778215e8 4 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Users\abc\AppData\Roaming\c4sysmgr.exe[16084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077821800 5 bytes [48, B8, EE, 0F, 76]
.text C:\Users\abc\AppData\Roaming\c4sysmgr.exe[16084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077821808 4 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Users\abc\AppData\Roaming\c4sysmgr.exe[16084] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey 00000000778218b0 5 bytes [48, B8, 8E, 24, 76]
.text C:\Users\abc\AppData\Roaming\c4sysmgr.exe[16084] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8 00000000778218b8 4 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Users\abc\AppData\Roaming\c4sysmgr.exe[16084] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey 0000000077821e40 5 bytes [48, B8, AE, 28, 76]
.text C:\Users\abc\AppData\Roaming\c4sysmgr.exe[16084] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey + 8 0000000077821e48 4 bytes {ADD [RAX], AL; JMP RAX}
.text C:\Program Files (x86)\Notepad++\notepad++.exe[848] C:\Windows\syswow64\USER32.dll!GetClassNameW + 45 0000000076fa82d6 6 bytes [68, E5, 73, BF, 06, C3]
.text C:\Program Files (x86)\Notepad++\notepad++.exe[848] C:\Windows\syswow64\WS2_32.dll!getaddrinfo 0000000075564296 6 bytes [68, 6F, 56, BF, 06, C3]
.text C:\Program Files (x86)\Notepad++\notepad++.exe[848] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000075564889 11 bytes [68, B6, 53, BF, 06, C3, 90, ...]
.text C:\Program Files (x86)\Notepad++\notepad++.exe[848] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoExW 000000007556d1ea 11 bytes [68, F2, 54, BF, 06, C3, 90, ...]
.text C:\Program Files (x86)\Notepad++\notepad++.exe[848] C:\Windows\syswow64\WS2_32.dll!gethostbyname 0000000075577673 11 bytes [68, 81, 57, BF, 06, C3, 90, ...]

---- Threads - GMER 2.1 ----

Thread C:\Windows\SysWOW64\WerFault.exe [10564:13372] 00000000002e489c
Thread C:\Program Files (x86)\Windows Media Player\wmplayer.exe [1400:8064] 00000000077d489c

---- Processes - GMER 2.1 ----

Library C:\Users\abc\AppData\Local\Temp\d12d05b4-91e4-4bef-b454-f07710dc01b4\CliSecureRT64.dll (*** suspicious ***) @ C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe [10644](2014-01-29 17:35:32) 0000000180000000
Process C:\Users\abc\AppData\Roaming\winvap.exe (*** suspicious ***) @ C:\Users\abc\AppData\Roaming\winvap.exe [11880](2014-09-02 19:09:59) 0000000000fa0000
Process C:\Users\abc\AppData\Roaming\nvidiadisp\nvidiadisp.exe (*** suspicious ***) @ C:\Users\abc\AppData\Roaming\nvidiadisp\nvidiadisp.exe [14516](2014-09-02 19:09:54) 0000000001170000
Library C:\Users\abc\AppData\Roaming\nvidiadisp\pthreadVC2.dll (*** suspicious ***) @ C:\Users\abc\AppData\Roaming\nvidiadisp\nvidiadisp.exe [14516] (MS C x86/Open Source Software community LGPL)(2014-09-02 19:09:54) 00000000722c0000
Process C:\Users\abc\AppData\Roaming\c4sysmgr.exe (*** suspicious ***) @ C:\Users\abc\AppData\Roaming\c4sysmgr.exe [16084](2014-09-02 19:10:15) 00000000013d0000

---- EOF - GMER 2.1 ----