GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-09-24 18:36:00 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500DM002-1BD142 rev.KC44 465,76GB Running: h9mzvkt1.exe; Driver: C:\Users\Adrian\AppData\Local\Temp\uxlorpod.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80003404000 63 bytes [6B, 02, 8B, 57, 68, 8B, CA, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 592 fffff80003404040 96 bytes {MOV [RDI], R14; MOV DWORD [RDI+0x68], 0x805040; MOV [RSP+0x40], SIL; MOV EBX, [RSP+0x44]; JMP 0x714} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdef8d 1 byte [62] .text C:\Windows\system32\services.exe[664] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdef8d 1 byte [62] .text C:\Windows\system32\winlogon.exe[696] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdef8d 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[912] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdef8d 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[936] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074d2a2fd 1 byte [62] .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdef8d 1 byte [62] .text C:\Windows\System32\svchost.exe[408] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[780] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1308] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1572] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdef8d 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1752] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074d2a2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1780] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074d2a2fd 1 byte [62] .text C:\Program Files (x86)\EMET 5.0\EMET_Service.exe[1896] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076cdef8d 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe[2064] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074d2a2fd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2184] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdef8d 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[2252] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074d2a2fd 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[2252] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000747c1a22 2 bytes [7C, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2252] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000747c1ad0 2 bytes [7C, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2252] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000747c1b08 2 bytes [7C, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2252] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000747c1bba 2 bytes [7C, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2252] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000747c1bda 2 bytes [7C, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756d1465 2 bytes [6D, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756d14bb 2 bytes [6D, 75] .text ... * 2 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2284] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdef8d 1 byte [62] .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[2564] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000074d2a2fd 1 byte [62] .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[2564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000756d1465 2 bytes [6D, 75] .text C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZaPrivacyService.exe[2564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756d14bb 2 bytes [6D, 75] .text ... * 2 .text C:\Windows\Explorer.EXE[3528] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdef8d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3680] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdef8d 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[3816] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdef8d 1 byte [62] .text C:\Windows\system32\taskhost.exe[3836] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdef8d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3848] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdef8d 1 byte [62] .text C:\Windows\system32\conhost.exe[3940] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdef8d 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3524] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdef8d 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[1268] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cdef8d 1 byte [62] .text C:\Program Files\AVAST Software\Avast\avastui.exe[3804] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000074d08791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[3804] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074d2a2fd 1 byte [62] .text C:\Users\Adrian\Desktop\h9mzvkt1.exe[2332] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074d2a2fd 1 byte [62] ---- EOF - GMER 2.1 ----