GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-04-10 21:49:33
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\0000006b ST325082 rev.3.AA 232,88GB
Running: lg2mmwt9.exe; Driver: C:\Users\Voltir\AppData\Local\Temp\kxldipod.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002fff000 59 bytes [8B, 74, 24, 48, 4C, 8B, 7C, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 588 fffff80002fff03c 3 bytes [84, C4, C8]
.text C:\Windows\System32\win32k.sys!EngSetLastError + 616 fffff960000c4ce4 8 bytes [14, 03, 52, 04, 80, F8, FF, ...]
.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960000f3f00 7 bytes [80, 9D, F3, FF, 01, A9, F0]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000f3f08 3 bytes [C0, 06, 02]
.text ... * 106
.text C:\Windows\System32\win32k.sys!EngGetProcessHandle + 400 fffff960001b2c48 14 bytes [98, 05, 52, 04, 80, F8, FF, ...]
---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\wininit.exe[672] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Windows\system32\services.exe[728] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Windows\system32\winlogon.exe[768] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Windows\system32\nvvsvc.exe[976] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1000] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ba2ba 1 byte [62]
.text C:\Windows\System32\svchost.exe[568] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Windows\System32\svchost.exe[696] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[852] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1296] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1388] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\ProgramData\IePluginService\PluginService.exe[1696] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ba2ba 1 byte [62]
.text C:\ProgramData\IePluginService\PluginService.exe[1696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076491465 2 bytes [49, 76]
.text C:\ProgramData\IePluginService\PluginService.exe[1696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764914bb 2 bytes [49, 76]
.text ... * 2
.text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1728] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ba2ba 1 byte [62]
.text C:\ProgramData\WPM\wprotectmanager.exe[1796] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ba2ba 1 byte [62]
.text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Windows\system32\taskhost.exe[1888] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2040] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ba2ba 1 byte [62]
.text C:\Windows\Explorer.EXE[1332] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1540] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2072] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ba2ba 1 byte [62]
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2172] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Program Files (x86)\PANDORA.TV\PanService\KMPService.exe[2200] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ba2ba 1 byte [62]
.text C:\Windows\system32\svchost.exe[2328] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Program Files (x86)\outobox\updateoutobox.exe[2376] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ba2ba 1 byte [62]
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2396] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2412] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Windows\system32\conhost.exe[2424] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Program Files (x86)\outobox\bin\utiloutobox.exe[2868] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ba2ba 1 byte [62]
.text C:\Program Files (x86)\outobox\bin\utiloutobox.exe[2868] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000076491465 2 bytes [49, 76]
.text C:\Program Files (x86)\outobox\bin\utiloutobox.exe[2868] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000764914bb 2 bytes [49, 76]
.text ... * 2
.text C:\Windows\System32\rundll32.exe[3264] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[3460] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ba2ba 1 byte [62]
.text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[3460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076491465 2 bytes [49, 76]
.text C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe[3460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764914bb 2 bytes [49, 76]
.text ... * 2
.text C:\Windows\system32\wbem\wmiprvse.exe[3544] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3680] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ba2ba 1 byte [62]
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3800] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3808] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Users\Voltir\AppData\Roaming\uTorrent\uTorrent.exe[3832] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ba2ba 1 byte [62]
.text C:\Users\Voltir\AppData\Roaming\uTorrent\uTorrent.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076491465 2 bytes [49, 76]
.text C:\Users\Voltir\AppData\Roaming\uTorrent\uTorrent.exe[3832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764914bb 2 bytes [49, 76]
.text ... * 2
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3540] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3716] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ba2ba 1 byte [62]
.text C:\Windows\system32\SearchIndexer.exe[1132] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3380] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4308] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076298769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4308] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ba2ba 1 byte [62]
.text C:\Program Files (x86)\PANDORA.TV\PanService\KMPProcess.exe[4336] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ba2ba 1 byte [62]
.text C:\Program Files (x86)\PANDORA.TV\PanService\KMPProcess.exe[4336] C:\Program Files (x86)\PANDORA.TV\PanService\avformat-53.dll!ff_http_auth_create_response + 294 000000006ab32c36 4 bytes [24, D9, B9, 68]
.text C:\Program Files (x86)\PANDORA.TV\PanService\KMPProcess.exe[4336] C:\Program Files (x86)\PANDORA.TV\PanService\avformat-53.dll!ff_mp4_read_dec_config_descr + 435 000000006ab37e43 4 bytes [74, 4C, 09, 66]
.text C:\Program Files (x86)\PANDORA.TV\PanService\KMPProcess.exe[4336] C:\Program Files (x86)\PANDORA.TV\PanService\avformat-53.dll!ff_nut_add_sp + 70 000000006ab75de6 4 bytes [20, EF, B9, 68]
.text C:\Windows\system32\svchost.exe[4752] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\Program Files (x86)\outobox\bin\outobox.BrowserAdapter.exe[5028] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ba2ba 1 byte [62]
.text C:\Windows\system32\AUDIODG.EXE[5732] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text C:\ProgramData\Battle.net\Agent\Agent.2787\Agent.exe[7380] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ba2ba 1 byte [62]
.text C:\ProgramData\Battle.net\Agent\Agent.2787\Agent.exe[7380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076491465 2 bytes [49, 76]
.text C:\ProgramData\Battle.net\Agent\Agent.2787\Agent.exe[7380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764914bb 2 bytes [49, 76]
.text ... * 2
.text C:\Windows\system32\conhost.exe[7484] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777ceecd 1 byte [62]
.text D:\Battle.net\Battle.net.4397\Battle.net.exe[5100] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ba2ba 1 byte [62]
.text D:\Battle.net\Battle.net.4397\Battle.net.exe[5100] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076491465 2 bytes [49, 76]
.text D:\Battle.net\Battle.net.4397\Battle.net.exe[5100] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000764914bb 2 bytes [49, 76]
.text ... * 2
.text C:\Users\Voltir\Downloads\lg2mmwt9.exe[8256] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ba2ba 1 byte [62]

---- Threads - GMER 2.1 ----

Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3380:4984] 000007fefbaa2a7c

---- Processes - GMER 2.1 ----

Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5E51DD81-72B7-4384-81CD-FCD0AB335989}\offreg.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [4092](2014-04-10 15:39:55) 000007feeee70000

---- EOF - GMER 2.1 ----