GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-06-25 16:43:06
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\00000060 Crucial_ rev.MU03 111,79GB
Running: xr82n6fq.exe; Driver: C:\Users\woint\AppData\Local\Temp\pwldapow.sys

---- User code sections - GMER 2.1 ----

.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1072] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076851401 2 bytes JMP 751eb21b C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1072] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076851419 2 bytes JMP 751eb346 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1072] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076851431 2 bytes JMP 75268f29 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1072] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007685144a 2 bytes CALL 751c489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1072] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768514dd 2 bytes JMP 75268822 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1072] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768514f5 2 bytes JMP 752689f8 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1072] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007685150d 2 bytes JMP 75268718 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1072] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076851525 2 bytes JMP 75268ae2 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1072] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007685153d 2 bytes JMP 751dfca8 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1072] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076851555 2 bytes JMP 751e68ef C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1072] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007685156d 2 bytes JMP 75268fe3 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1072] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076851585 2 bytes JMP 75268b42 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1072] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007685159d 2 bytes JMP 752686dc C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1072] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768515b5 2 bytes JMP 751dfd41 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1072] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768515cd 2 bytes JMP 751eb2dc C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1072] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768516b2 2 bytes JMP 75268ea4 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1072] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768516bd 2 bytes JMP 75268671 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1964] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076851401 2 bytes JMP 751eb21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1964] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076851419 2 bytes JMP 751eb346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076851431 2 bytes JMP 75268f29 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007685144a 2 bytes CALL 751c489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1964] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768514dd 2 bytes JMP 75268822 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1964] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768514f5 2 bytes JMP 752689f8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1964] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007685150d 2 bytes JMP 75268718 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1964] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076851525 2 bytes JMP 75268ae2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1964] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007685153d 2 bytes JMP 751dfca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1964] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076851555 2 bytes JMP 751e68ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1964] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007685156d 2 bytes JMP 75268fe3 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1964] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076851585 2 bytes JMP 75268b42 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1964] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007685159d 2 bytes JMP 752686dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1964] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768515b5 2 bytes JMP 751dfd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1964] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768515cd 2 bytes JMP 751eb2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1964] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768516b2 2 bytes JMP 75268ea4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\ProtectService.exe[1964] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768516bd 2 bytes JMP 75268671 C:\Windows\syswow64\kernel32.dll
.text C:\Users\woint\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2076] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076851401 2 bytes JMP 751eb21b C:\Windows\syswow64\kernel32.dll
.text C:\Users\woint\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2076] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076851419 2 bytes JMP 751eb346 C:\Windows\syswow64\kernel32.dll
.text C:\Users\woint\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076851431 2 bytes JMP 75268f29 C:\Windows\syswow64\kernel32.dll
.text C:\Users\woint\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007685144a 2 bytes CALL 751c489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\woint\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2076] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768514dd 2 bytes JMP 75268822 C:\Windows\syswow64\kernel32.dll
.text C:\Users\woint\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2076] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768514f5 2 bytes JMP 752689f8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\woint\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2076] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007685150d 2 bytes JMP 75268718 C:\Windows\syswow64\kernel32.dll
.text C:\Users\woint\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2076] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076851525 2 bytes JMP 75268ae2 C:\Windows\syswow64\kernel32.dll
.text C:\Users\woint\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2076] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007685153d 2 bytes JMP 751dfca8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\woint\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2076] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076851555 2 bytes JMP 751e68ef C:\Windows\syswow64\kernel32.dll
.text C:\Users\woint\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2076] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007685156d 2 bytes JMP 75268fe3 C:\Windows\syswow64\kernel32.dll
.text C:\Users\woint\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2076] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076851585 2 bytes JMP 75268b42 C:\Windows\syswow64\kernel32.dll
.text C:\Users\woint\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2076] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007685159d 2 bytes JMP 752686dc C:\Windows\syswow64\kernel32.dll
.text C:\Users\woint\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2076] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768515b5 2 bytes JMP 751dfd41 C:\Windows\syswow64\kernel32.dll
.text C:\Users\woint\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2076] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768515cd 2 bytes JMP 751eb2dc C:\Windows\syswow64\kernel32.dll
.text C:\Users\woint\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2076] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768516b2 2 bytes JMP 75268ea4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\woint\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe[2076] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768516bd 2 bytes JMP 75268671 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Avira\AviraSpeedup\avira_system_speedup.exe[2444] C:\Windows\syswow64\kernel32.dll!CreateThread + 28 00000000751c34a1 4 bytes {CALL 0xffffffff8b2eaa08}
.text C:\Windows\SysWOW64\msiexec.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 000000007703fc9c 5 bytes JMP 000000007ef92eb4
.text C:\Windows\SysWOW64\msiexec.exe[2664] C:\Windows\syswow64\ws2_32.dll!GetAddrInfoW 0000000075174889 5 bytes JMP 000000007ef939c0
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[2304] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076851401 2 bytes JMP 751eb21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[2304] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076851419 2 bytes JMP 751eb346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[2304] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076851431 2 bytes JMP 75268f29 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[2304] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007685144a 2 bytes CALL 751c489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[2304] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768514dd 2 bytes JMP 75268822 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[2304] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768514f5 2 bytes JMP 752689f8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[2304] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007685150d 2 bytes JMP 75268718 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[2304] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076851525 2 bytes JMP 75268ae2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[2304] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007685153d 2 bytes JMP 751dfca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[2304] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076851555 2 bytes JMP 751e68ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[2304] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007685156d 2 bytes JMP 75268fe3 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[2304] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076851585 2 bytes JMP 75268b42 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[2304] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007685159d 2 bytes JMP 752686dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[2304] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768515b5 2 bytes JMP 751dfd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[2304] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768515cd 2 bytes JMP 751eb2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[2304] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768516b2 2 bytes JMP 75268ea4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\MiuiTab\HPNotify.exe[2304] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768516bd 2 bytes JMP 75268671 C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread C:\Windows\SysWOW64\msiexec.exe [2664:2736] 000000007ef92f31
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [780:1244] 000007fefafe2bf8

---- Processes - GMER 2.1 ----

Process C:\Users\woint\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe (*** suspicious ***) @ C:\Users\woint\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe [2076] (Microsoft® Volume Shadow Copy Service/Microsoft Corporation)(2015-06-23 08:11:29) 0000000000400000
Library C:\Users\woint\AppData\Local\Temp\cdo465657273.dll (*** suspicious ***) @ C:\Windows\SysWOW64\msiexec.exe [2664] (Microsoft CDO for Windows Library/Microsoft Corporation)(2015-06-24 18:46:01) 0000000000370000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{072C33BB-816A-4BBD-9471-AAA5141AB81C}@LeaseObtainedTime 1435240736
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{072C33BB-816A-4BBD-9471-AAA5141AB81C}@T1 1435242536
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{072C33BB-816A-4BBD-9471-AAA5141AB81C}@T2 1435243886
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{072C33BB-816A-4BBD-9471-AAA5141AB81C}@LeaseTerminatesTime 1435244336

---- EOF - GMER 2.1 ----