GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-11-17 01:30:30
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000LM024_HN-M101MBB rev.2AR10001 931,51GB
Running: ozk30s98.exe; Driver: C:\Users\httrh\AppData\Local\Temp\kwddikoc.sys


---- User code sections - GMER 2.1 ----

.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\kernel32.dll!RegSetValueExW          00000000774fa400 7 bytes JMP 000000016fff0260
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\kernel32.dll!RegQueryValueExW        0000000077503f20 5 bytes JMP 000000016fff01b8
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\kernel32.dll!RegDeleteValueW         000000007751ffb0 5 bytes JMP 000000016fff01f0
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW   000000007752f2e0 5 bytes JMP 000000016fff0148
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077559a30 7 bytes JMP 000000016fff00d8
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000775694c0 5 bytes JMP 000000016fff0180
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 0000000077569630 5 bytes JMP 000000016fff0110
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\kernel32.dll!RegSetValueExA          00000000775887e0 7 bytes JMP 000000016fff0228
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\ole32.dll!CoCreateInstance           000007feff2e7490 11 bytes JMP 000007fffd4e0228
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1288] C:\Windows\system32\ole32.dll!CoSetProxyBlanket          000007feff2fbf00 7 bytes JMP 000007fffd4e0260
.text  C:\Windows\system32\Dwm.exe[1724] C:\Windows\system32\KERNELBASE.dll!FreeLibrary                                        000007fefd4f2db0 5 bytes JMP 000007fffd4e0180
.text  C:\Windows\system32\Dwm.exe[1724] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW                                   000007fefd4f37d0 7 bytes JMP 000007fffd4e00d8
.text  C:\Windows\system32\Dwm.exe[1724] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                     000007fefd4f8ef0 6 bytes JMP 000007fffd4e0148
.text  C:\Windows\system32\Dwm.exe[1724] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW                                 000007fefd50af60 5 bytes JMP 000007fffd4e0110
.text  C:\Windows\system32\Dwm.exe[1724] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo                                  000007feff9189f0 8 bytes JMP 000007fffd4e01f0
.text  C:\Windows\system32\Dwm.exe[1724] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList                                000007feff91be50 8 bytes JMP 000007fffd4e01b8
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3044] C:\Windows\system32\kernel32.dll!RegSetValueExW            00000000774fa400 7 bytes JMP 000000016fff0260
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3044] C:\Windows\system32\kernel32.dll!RegQueryValueExW          0000000077503f20 5 bytes JMP 000000016fff01b8
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3044] C:\Windows\system32\kernel32.dll!RegDeleteValueW           000000007751ffb0 5 bytes JMP 000000016fff01f0
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3044] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW     000000007752f2e0 5 bytes JMP 000000016fff0148
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3044] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx   0000000077559a30 7 bytes JMP 000000016fff00d8
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3044] C:\Windows\system32\kernel32.dll!K32GetModuleInformation   00000000775694c0 5 bytes JMP 000000016fff0180
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3044] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW   0000000077569630 5 bytes JMP 000000016fff0110
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3044] C:\Windows\system32\kernel32.dll!RegSetValueExA            00000000775887e0 7 bytes JMP 000000016fff0228
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3044] C:\Windows\system32\KERNELBASE.dll!FreeLibrary             000007fefd4f2db0 5 bytes JMP 000007fffd4d0180
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3044] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW        000007fefd4f37d0 7 bytes JMP 000007fffd4d00d8
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3044] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW          000007fefd4f8ef0 6 bytes JMP 000007fffd4d0148
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3044] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW      000007fefd50af60 5 bytes JMP 000007fffd4d0110
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3044] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo       000007feff9189f0 8 bytes JMP 000007fffd4d01f0
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3044] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList     000007feff91be50 8 bytes JMP 000007fffd4d01b8
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1244] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW        0000000076971f0e 7 bytes JMP 0000000174461695
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1244] C:\Windows\syswow64\kernel32.dll!RegSetValueExW          0000000076975bad 7 bytes JMP 00000001744611a9
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1244] C:\Windows\syswow64\kernel32.dll!RegSetValueExA          0000000076981409 7 bytes JMP 000000017446128a
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1244] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW         000000007698ea45 7 bytes JMP 0000000174461244
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1244] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007699b21b 5 bytes JMP 00000001744615aa
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1244] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076a18e24 7 bytes JMP 0000000174461339
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1244] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076a18ea9 5 bytes JMP 00000001744616d6
.text  C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1244] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW   0000000076a191ff 5 bytes JMP 000000017446170d
.text  C:\Users\httrh\Downloads\ozk30s98.exe[2076] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW          0000000076971f0e 7 bytes JMP 0000000174461695
.text  C:\Users\httrh\Downloads\ozk30s98.exe[2076] C:\Windows\syswow64\kernel32.dll!RegSetValueExW            0000000076975bad 7 bytes JMP 00000001744611a9
.text  C:\Users\httrh\Downloads\ozk30s98.exe[2076] C:\Windows\syswow64\kernel32.dll!RegSetValueExA            0000000076981409 7 bytes JMP 000000017446128a
.text  C:\Users\httrh\Downloads\ozk30s98.exe[2076] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW           000000007698ea45 7 bytes JMP 0000000174461244
.text  C:\Users\httrh\Downloads\ozk30s98.exe[2076] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW   000000007699b21b 5 bytes JMP 00000001744615aa
.text  C:\Users\httrh\Downloads\ozk30s98.exe[2076] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx   0000000076a18e24 7 bytes JMP 0000000174461339
.text  C:\Users\httrh\Downloads\ozk30s98.exe[2076] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation   0000000076a18ea9 5 bytes JMP 00000001744616d6
.text  C:\Users\httrh\Downloads\ozk30s98.exe[2076] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW     0000000076a191ff 5 bytes JMP 000000017446170d
.text  C:\Users\httrh\Downloads\ozk30s98.exe[2076] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW        0000000076d31d29 5 bytes JMP 00000001744611c2
.text  C:\Users\httrh\Downloads\ozk30s98.exe[2076] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW      0000000076d31dd7 5 bytes JMP 0000000174461014
.text  C:\Users\httrh\Downloads\ozk30s98.exe[2076] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW          0000000076d32ab1 5 bytes JMP 0000000174461555
.text  C:\Users\httrh\Downloads\ozk30s98.exe[2076] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary             0000000076d32d17 5 bytes JMP 0000000174461271
.text  C:\Users\httrh\Downloads\ozk30s98.exe[2076] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList     0000000076f7e96b 5 bytes JMP 00000001744615c3
.text  C:\Users\httrh\Downloads\ozk30s98.exe[2076] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo       0000000076f7eba5 5 bytes JMP 0000000174461186
.text  C:\Users\httrh\Downloads\ozk30s98.exe[2076] C:\Windows\syswow64\USER32.dll!CreateWindowExW             0000000075728a29 5 bytes JMP 0000000174461726
.text  C:\Users\httrh\Downloads\ozk30s98.exe[2076] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA         0000000075734572 5 bytes JMP 00000001744610a0
.text  C:\Users\httrh\Downloads\ozk30s98.exe[2076] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW         000000007574e567 5 bytes JMP 0000000174461415
.text  C:\Users\httrh\Downloads\ozk30s98.exe[2076] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo  0000000075787a5c 5 bytes JMP 00000001744615d2
.text  C:\Users\httrh\Downloads\ozk30s98.exe[2076] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket            0000000076d85ea5 5 bytes JMP 00000001744615fa
.text  C:\Users\httrh\Downloads\ozk30s98.exe[2076] C:\Windows\syswow64\ole32.dll!CoCreateInstance             0000000076db9d0b 5 bytes JMP 000000017446121c

---- Kernel IAT/EAT - GMER 2.1 ----

IAT    C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback]  [fffff880043d5558] \SystemRoot\system32\DRIVERS\klif.sys [PAGE]

---- Registry - GMER 2.1 ----

Reg    HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9015C81C-FD18-4116-AFF6-E6A729C4EFC2}\Connection@Name  isatap.{9C3DD6B9-6E68-4CDB-84B5-DBD47B52834D}
Reg    HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind    \Device\{5EEF84DB-3EF7-465F-9B21-4C385ACFFB56}?\Device\{CA9D82F6-908C-415D-B149-E9DCBB2233B1}?\Device\{5B49E852-75D3-4DA0-B59B-53219CE45157}?\Device\{9015C81C-FD18-4116-AFF6-E6A729C4EFC2}?\Device\{AC2227E9-359F-4B24-BAEF-2C10174D4079}?
Reg    HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route   "{5EEF84DB-3EF7-465F-9B21-4C385ACFFB56}"?"{CA9D82F6-908C-415D-B149-E9DCBB2233B1}"?"{5B49E852-75D3-4DA0-B59B-53219CE45157}"?"{9015C81C-FD18-4116-AFF6-E6A729C4EFC2}"?"{AC2227E9-359F-4B24-BAEF-2C10174D4079}"?
Reg    HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export  \Device\TCPIP6TUNNEL_{5EEF84DB-3EF7-465F-9B21-4C385ACFFB56}?\Device\TCPIP6TUNNEL_{CA9D82F6-908C-415D-B149-E9DCBB2233B1}?\Device\TCPIP6TUNNEL_{5B49E852-75D3-4DA0-B59B-53219CE45157}?\Device\TCPIP6TUNNEL_{9015C81C-FD18-4116-AFF6-E6A729C4EFC2}?\Device\TCPIP6TUNNEL_{AC2227E9-359F-4B24-BAEF-2C10174D4079}?
Reg    HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\2cd05a4d80a6
Reg    HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{9015C81C-FD18-4116-AFF6-E6A729C4EFC2}@InterfaceName  isatap.{9C3DD6B9-6E68-4CDB-84B5-DBD47B52834D}
Reg    HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{9015C81C-FD18-4116-AFF6-E6A729C4EFC2}@ReusableType   0
Reg    HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\2cd05a4d80a6 (not active ControlSet)

---- EOF - GMER 2.1 ----