GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-08-11 00:45:24
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500DM002-1BD142 rev.KC45 465,76GB
Running: v4gx5idq.exe; Driver: C:\Users\Dominik\AppData\Local\Temp\uwdyipoc.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable  fffff960001cbe00 7 bytes [00, 91, 1C, 01, 00, D6, 9D]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8  fffff960001cbe08 7 bytes [01, 0F, E4, FF, 00, 5F, E8]

---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\dwm.exe[1064] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007f85379177a 4 bytes [79, 53, F8, 07]
.text  C:\Windows\system32\dwm.exe[1064] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007f853791782 4 bytes [79, 53, F8, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1204] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690  000007f851991532 4 bytes [99, 51, F8, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1204] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698  000007f85199153a 4 bytes [99, 51, F8, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1204] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246  000007f85199165a 4 bytes [99, 51, F8, 07]
.text  C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\system32\MSIMG32.dll!GradientFill + 690  000007f851991532 4 bytes [99, 51, F8, 07]
.text  C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\system32\MSIMG32.dll!GradientFill + 698  000007f85199153a 4 bytes [99, 51, F8, 07]
.text  C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\system32\MSIMG32.dll!TransparentBlt + 246  000007f85199165a 4 bytes [99, 51, F8, 07]
.text  C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007f85379177a 4 bytes [79, 53, F8, 07]
.text  C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007f853791782 4 bytes [79, 53, F8, 07]
.text  C:\Windows\System32\spoolsv.exe[2012] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007f85379177a 4 bytes [79, 53, F8, 07]
.text  C:\Windows\System32\spoolsv.exe[2012] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007f853791782 4 bytes [79, 53, F8, 07]
.text  C:\Windows\system32\mqsvc.exe[2268] C:\Windows\system32\WSOCK32.dll!recvfrom + 742  000007f84b2c1b32 4 bytes [2C, 4B, F8, 07]
.text  C:\Windows\system32\mqsvc.exe[2268] C:\Windows\system32\WSOCK32.dll!recvfrom + 750  000007f84b2c1b3a 4 bytes [2C, 4B, F8, 07]
.text  C:\Windows\Explorer.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryLicenseValue  000007f856273ed1 6 bytes JMP 000007f94d4f3ff0
.text  C:\Windows\Explorer.EXE[3556] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameW  000007f8534b2120 5 bytes JMP 000007f94d4f4830
.text  C:\Windows\Explorer.EXE[3556] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690  000007f851991532 4 bytes [99, 51, F8, 07]
.text  C:\Windows\Explorer.EXE[3556] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698  000007f85199153a 4 bytes [99, 51, F8, 07]
.text  C:\Windows\Explorer.EXE[3556] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246  000007f85199165a 4 bytes [99, 51, F8, 07]
.text  C:\Windows\Explorer.EXE[3556] C:\Windows\SYSTEM32\slc.dll!SLIsWindowsGenuineLocal  000007f84dfed724 7 bytes JMP 000007f94d4f4160
.text  C:\Windows\Explorer.EXE[3556] C:\Windows\SYSTEM32\sppc.dll!SLIsGenuineLocalEx  000007f84059cbf4 5 bytes JMP 000007f84d4f4180
.text  C:\Windows\Explorer.EXE[3556] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007f85379177a 4 bytes [79, 53, F8, 07]
.text  C:\Windows\Explorer.EXE[3556] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007f853791782 4 bytes [79, 53, F8, 07]
.text  C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!DbgBreakPoint  000007f856271e00 3 bytes [8B, 40, 30]
.text  C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4472] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007f85379177a 4 bytes [79, 53, F8, 07]
.text  C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4472] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007f853791782 4 bytes [79, 53, F8, 07]
.text  C:\Program Files\Tablet\Pen\Pen_Tablet.exe[4856] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 306  000007f85379177a 4 bytes [79, 53, F8, 07]
.text  C:\Program Files\Tablet\Pen\Pen_Tablet.exe[4856] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 314  000007f853791782 4 bytes [79, 53, F8, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3680] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690  000007f851991532 4 bytes [99, 51, F8, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3680] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698  000007f85199153a 4 bytes [99, 51, F8, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3680] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246  000007f85199165a 4 bytes [99, 51, F8, 07]
.text  C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[4584] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007f85379177a 4 bytes [79, 53, F8, 07]
.text  C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[4584] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007f853791782 4 bytes [79, 53, F8, 07]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [748:772]  fffff960009095e8
Thread  C:\Windows\system32\csrss.exe [748:776]  fffff960009095e8

---- Processes - GMER 2.1 ----

Library  C:\Users\Dominik\AppData\Local\Temp\70aeaca4-098f-4bcc-b0fa-e2544fb40678\CliSecureRT64.dll (*** suspicious ***) @ C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe [4472](2015-08-10 13:13:46)  0000000180000000

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.1 ----
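The entries above follow GMER 2.1's fixed one-entry-per-line layout, which makes a log like this easy to triage mechanically. The parser below is an added example, not GMER's code and not written by the log's author; it assumes that layout and uses a subset of the lines above as its sample input. It separates the two things the log actually reports: inline redirections ("N bytes JMP <target>", in this log the four Explorer.EXE hooks on NtQueryLicenseValue, GetModuleFileNameW, SLIsWindowsGenuineLocal and SLIsGenuineLocalEx) and raw byte differences between the in-memory image and the file on disk. For the byte differences it applies one heuristic of its own, not a GMER rule: when a 4-byte difference read little-endian equals bits 16..47 of the patched address, the bytes are the middle of an 8-byte absolute pointer into the same module, which is what base relocation produces. Every PSAPI.DLL, MSIMG32.dll and WSOCK32.dll entry in this log satisfies that test (for example [79, 53, F8, 07] is 0x07f85379 and the patched address is 000007f85379177a), so they are sorted as probable noise; the DbgBreakPoint patch, the W32pServiceTable entries, the JMP hooks, the flagged CliSecureRT64.dll and the "unknown MBR code" verdict do not pass any such filter and are left for manual review.

```python
"""Parse a GMER 2.1 rootkit-scan log and triage its entries (added example: not
GMER's own code; it assumes GMER 2.1's one-entry-per-line layout)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the log above, kept one entry per line.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 2.1 ----
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8  fffff960001cbe08 7 bytes [01, 0F, E4, FF, 00, 5F, E8]
---- User code sections - GMER 2.1 ----
.text  C:\Windows\system32\dwm.exe[1064] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007f85379177a 4 bytes [79, 53, F8, 07]
.text  C:\Windows\Explorer.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryLicenseValue  000007f856273ed1 6 bytes JMP 000007f94d4f3ff0
.text  C:\Windows\Explorer.EXE[3556] C:\Windows\SYSTEM32\slc.dll!SLIsWindowsGenuineLocal  000007f84dfed724 7 bytes JMP 000007f94d4f4160
.text  C:\Windows\Explorer.EXE[3556] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007f85379177a 4 bytes [79, 53, F8, 07]
.text  C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe[4472] C:\Windows\SYSTEM32\ntdll.dll!DbgBreakPoint  000007f856271e00 3 bytes [8B, 40, 30]
---- Processes - GMER 2.1 ----
Library  C:\Users\Dominik\AppData\Local\Temp\70aeaca4-098f-4bcc-b0fa-e2544fb40678\CliSecureRT64.dll (*** suspicious ***) @ C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe [4472](2015-08-10 13:13:46)  0000000180000000
---- Disk sectors - GMER 2.1 ----
Disk  \Device\Harddisk0\DR0  unknown MBR code
---- EOF - GMER 2.1 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER 2\.1 ----$")
HOOK_RE = re.compile(  # kernel entries carry no 'process[pid]' prefix
    r"^\.text\s+(?:(?P<proc>.+?)\[(?P<pid>\d+)\]\s+)?(?P<mod>.+?)!(?P<func>\w+)"
    r"(?:\s*\+\s*(?P<off>\d+))?\s+(?P<addr>[0-9a-f]{16})\s+(?P<size>\d+) bytes\s+"
    r"(?:JMP (?P<target>[0-9a-f]{16})|\[(?P<bytes>[^\]]*)\])\s*$", re.I)
LIB_RE = re.compile(
    r"^Library\s+(?P<path>.+?)(?P<flag> \(\*\*\* suspicious \*\*\*\))? @ (?P<proc>.+?)"
    r" \[(?P<pid>\d+)\]\((?P<ts>[^)]+)\)\s+(?P<base>[0-9a-f]{16})\s*$", re.I)
DISK_RE = re.compile(r"^Disk\s+(?P<dev>\S+)\s+(?P<status>.+?)\s*$")

@dataclass
class Hook:
    section: str            # "kernel" or "user"
    process: Optional[str]  # None for kernel entries
    pid: Optional[int]
    module: str
    function: str
    offset: int
    address: int
    kind: str               # "jmp" = inline redirect, "bytes" = raw difference
    target: Optional[int]   # JMP destination when kind == "jmp"
    patch: List[int]        # differing bytes when kind == "bytes"

def parse_gmer(text: str) -> Dict[str, list]:
    """Walk the log line by line, remembering the current section header."""
    report: Dict[str, list] = {"hooks": [], "libraries": [], "disk": []}
    section = ""
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION_RE.match(line):
            section = m["name"]
        elif m := HOOK_RE.match(line):
            report["hooks"].append(Hook(
                section="kernel" if section.startswith("Kernel") else "user",
                process=m["proc"], pid=int(m["pid"]) if m["pid"] else None,
                module=m["mod"], function=m["func"], offset=int(m["off"] or 0),
                address=int(m["addr"], 16), kind="jmp" if m["target"] else "bytes",
                target=int(m["target"], 16) if m["target"] else None,
                patch=[int(b, 16) for b in m["bytes"].split(",")] if m["bytes"] else []))
        elif m := LIB_RE.match(line):
            report["libraries"].append({
                "path": m["path"], "suspicious": bool(m["flag"]), "process": m["proc"],
                "pid": int(m["pid"]), "loaded": m["ts"], "base": int(m["base"], 16)})
        elif m := DISK_RE.match(line):
            report["disk"].append({"device": m["dev"], "status": m["status"]})
    return report

def looks_like_relocated_pointer(h: Hook) -> bool:
    """Heuristic of this example: a 4-byte difference equal to bits 16..47 of its
    own address is the middle of an 8-byte pointer into the same 64 KiB of the
    module, i.e. a base-relocation difference rather than injected code."""
    if h.kind != "bytes" or len(h.patch) != 4:
        return False
    return int.from_bytes(bytes(h.patch), "little") == (h.address >> 16) & 0xFFFFFFFF

def triage(report: Dict[str, list]) -> Dict[str, list]:
    """Separate entries that need a human from ones that are probably noise."""
    out: Dict[str, list] = {"inline_jmp": [], "relocation_like": [], "other_patches": [],
                            "suspicious_libraries": [l for l in report["libraries"] if l["suspicious"]],
                            "disk": list(report["disk"])}
    for h in report["hooks"]:
        if h.kind == "jmp":
            out["inline_jmp"].append(h)
        elif looks_like_relocated_pointer(h):
            out["relocation_like"].append(h)
        else:
            out["other_patches"].append(h)
    return out

if __name__ == "__main__":
    tri = triage(parse_gmer(SAMPLE_LOG))
    for h in tri["inline_jmp"] + tri["other_patches"]:
        print(f"REVIEW  {h.process or h.section}[{h.pid}] {h.module}!{h.function}+{h.offset} "
              f"{'JMP %016x' % h.target if h.kind == 'jmp' else h.patch}")
    print("REVIEW ", tri["suspicious_libraries"], tri["disk"])
    print(f"noise?  {len(tri['relocation_like'])} relocation-like 4-byte differences")
```

Run it as-is to triage the embedded sample, or pass the full log text to parse_gmer(). The relocation test only filters out what is not worth time; it says nothing about whether the JMP targets, the DLL loaded from the Temp directory or the MBR verdict are malicious. Settling that takes information the log does not contain: which module owns each JMP target address, who signed CliSecureRT64.dll, and what the first sector actually holds.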