GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-06-29 21:11:13 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD75 rev.01.0 698,64GB Running: huoliejh.exe; Driver: C:\Users\DOM\AppData\Local\Temp\uxriqpow.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000164d00 7 bytes [00, 89, F3, FF, C1, 98, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000164d08 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\netcut\services\AIPS.exe[1248] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000762a1401 2 bytes JMP 762eb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\netcut\services\AIPS.exe[1248] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000762a1419 2 bytes JMP 762eb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\netcut\services\AIPS.exe[1248] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000762a1431 2 bytes JMP 76368f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\netcut\services\AIPS.exe[1248] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000762a144a 2 bytes CALL 762c489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\netcut\services\AIPS.exe[1248] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762a14dd 2 bytes JMP 76368822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\netcut\services\AIPS.exe[1248] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762a14f5 2 bytes JMP 763689f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\netcut\services\AIPS.exe[1248] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000762a150d 2 bytes JMP 76368718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\netcut\services\AIPS.exe[1248] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000762a1525 2 bytes JMP 76368ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\netcut\services\AIPS.exe[1248] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000762a153d 2 bytes JMP 762dfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\netcut\services\AIPS.exe[1248] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000762a1555 2 bytes JMP 762e68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\netcut\services\AIPS.exe[1248] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000762a156d 2 bytes JMP 76368fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\netcut\services\AIPS.exe[1248] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000762a1585 2 bytes JMP 76368b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\netcut\services\AIPS.exe[1248] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000762a159d 2 bytes JMP 763686dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\netcut\services\AIPS.exe[1248] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762a15b5 2 bytes JMP 762dfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\netcut\services\AIPS.exe[1248] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762a15cd 2 bytes JMP 762eb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\netcut\services\AIPS.exe[1248] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762a16b2 2 bytes JMP 76368ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\netcut\services\AIPS.exe[1248] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762a16bd 2 bytes JMP 76368671 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2680] C:\Windows\SysWOW64\WSOCK32.dll!recv + 83 0000000071d117fb 1 byte [71] .text C:\Windows\SysWOW64\PnkBstrA.exe[2680] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 89 0000000071d11861 1 byte [71] .text C:\Windows\SysWOW64\PnkBstrA.exe[2680] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 99 0000000071d11943 1 byte [71] .text C:\Windows\SysWOW64\PnkBstrA.exe[2680] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 110 0000000071d1194e 1 byte [71] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000762c1efe 7 bytes JMP 0000000171da3df0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000762c5b9d 7 bytes JMP 0000000171da4100 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000762d13f9 7 bytes JMP 0000000171da3f30 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000762dea45 7 bytes JMP 0000000171da3de0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076368ea4 7 bytes JMP 0000000171da3b50 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076368f29 5 bytes JMP 0000000171da3c00 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076369281 5 bytes JMP 0000000171da3b60 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076761d29 5 bytes JMP 0000000171da3ae0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076761dd7 5 bytes JMP 0000000171da3a90 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076762ab1 5 bytes JMP 0000000100962dcc .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076762d1d 5 bytes JMP 0000000171da3870 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075f38a29 5 bytes JMP 0000000171da3350 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075f44572 5 bytes JMP 0000000171da37f0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075f5e567 5 bytes JMP 0000000171da3860 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075f807d7 5 bytes JMP 0000000171da3280 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075f97a5c 5 bytes JMP 0000000171da37e0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000776ce96b 5 bytes JMP 0000000171da33c0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000776ceba5 5 bytes JMP 0000000171da33d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076875ea5 5 bytes JMP 0000000171da3300 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3532] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000768a9d0b 5 bytes JMP 0000000171da3290 .text C:\Program Files (x86)\Skillbrains\lightshot\5.2.1.1\Lightshot.exe[3520] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000762c1efe 7 bytes JMP 0000000171da3df0 .text C:\Program Files (x86)\Skillbrains\lightshot\5.2.1.1\Lightshot.exe[3520] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000762c5b9d 7 bytes JMP 0000000171da4100 .text C:\Program Files (x86)\Skillbrains\lightshot\5.2.1.1\Lightshot.exe[3520] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000762d13f9 7 bytes JMP 0000000171da3f30 .text C:\Program Files (x86)\Skillbrains\lightshot\5.2.1.1\Lightshot.exe[3520] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000762dea45 7 bytes JMP 0000000171da3de0 .text C:\Program Files (x86)\Skillbrains\lightshot\5.2.1.1\Lightshot.exe[3520] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076368ea4 7 bytes JMP 0000000171da3b50 .text C:\Program Files (x86)\Skillbrains\lightshot\5.2.1.1\Lightshot.exe[3520] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076368f29 5 bytes JMP 0000000171da3c00 .text C:\Program Files (x86)\Skillbrains\lightshot\5.2.1.1\Lightshot.exe[3520] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076369281 5 bytes JMP 0000000171da3b60 .text C:\Program Files (x86)\Skillbrains\lightshot\5.2.1.1\Lightshot.exe[3520] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076761d29 5 bytes JMP 0000000171da3ae0 .text C:\Program Files (x86)\Skillbrains\lightshot\5.2.1.1\Lightshot.exe[3520] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076761dd7 5 bytes JMP 0000000171da3a90 .text C:\Program Files (x86)\Skillbrains\lightshot\5.2.1.1\Lightshot.exe[3520] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076762ab1 5 bytes JMP 0000000171da3c10 .text C:\Program Files (x86)\Skillbrains\lightshot\5.2.1.1\Lightshot.exe[3520] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076762d1d 5 bytes JMP 0000000171da3870 .text C:\Program Files (x86)\Skillbrains\lightshot\5.2.1.1\Lightshot.exe[3520] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075f38a29 5 bytes JMP 0000000171da3350 .text C:\Program Files (x86)\Skillbrains\lightshot\5.2.1.1\Lightshot.exe[3520] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075f44572 5 bytes JMP 0000000171da37f0 .text C:\Program Files (x86)\Skillbrains\lightshot\5.2.1.1\Lightshot.exe[3520] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075f5e567 5 bytes JMP 0000000171da3860 .text C:\Program Files (x86)\Skillbrains\lightshot\5.2.1.1\Lightshot.exe[3520] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075f807d7 5 bytes JMP 0000000171da3280 .text C:\Program Files (x86)\Skillbrains\lightshot\5.2.1.1\Lightshot.exe[3520] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075f97a5c 5 bytes JMP 0000000171da37e0 .text C:\Program Files (x86)\Skillbrains\lightshot\5.2.1.1\Lightshot.exe[3520] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000776ce96b 5 bytes JMP 0000000171da33c0 .text C:\Program Files (x86)\Skillbrains\lightshot\5.2.1.1\Lightshot.exe[3520] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000776ceba5 5 bytes JMP 0000000171da33d0 .text C:\Users\DOM\Desktop\huoliejh.exe[1452] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000762c1efe 7 bytes JMP 0000000171da3df0 .text C:\Users\DOM\Desktop\huoliejh.exe[1452] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000762c5b9d 7 bytes JMP 0000000171da4100 .text C:\Users\DOM\Desktop\huoliejh.exe[1452] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000762d13f9 7 bytes JMP 0000000171da3f30 .text C:\Users\DOM\Desktop\huoliejh.exe[1452] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 00000000762dea45 7 bytes JMP 0000000171da3de0 .text C:\Users\DOM\Desktop\huoliejh.exe[1452] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 0000000076368ea4 7 bytes JMP 0000000171da3b50 .text C:\Users\DOM\Desktop\huoliejh.exe[1452] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076368f29 5 bytes JMP 0000000171da3c00 .text C:\Users\DOM\Desktop\huoliejh.exe[1452] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076369281 5 bytes JMP 0000000171da3b60 .text C:\Users\DOM\Desktop\huoliejh.exe[1452] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076761d29 5 bytes JMP 0000000171da3ae0 .text C:\Users\DOM\Desktop\huoliejh.exe[1452] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076761dd7 5 bytes JMP 0000000171da3a90 .text C:\Users\DOM\Desktop\huoliejh.exe[1452] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076762ab1 5 bytes JMP 0000000171da3c10 .text C:\Users\DOM\Desktop\huoliejh.exe[1452] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076762d1d 5 bytes JMP 0000000171da3870 .text C:\Users\DOM\Desktop\huoliejh.exe[1452] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000776ce96b 5 bytes JMP 0000000171da33c0 .text C:\Users\DOM\Desktop\huoliejh.exe[1452] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000776ceba5 5 bytes JMP 0000000171da33d0 .text C:\Users\DOM\Desktop\huoliejh.exe[1452] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075f38a29 5 bytes JMP 0000000171da3350 .text C:\Users\DOM\Desktop\huoliejh.exe[1452] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075f44572 5 bytes JMP 0000000171da37f0 .text C:\Users\DOM\Desktop\huoliejh.exe[1452] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075f5e567 5 bytes JMP 0000000171da3860 .text C:\Users\DOM\Desktop\huoliejh.exe[1452] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000075f807d7 5 bytes JMP 0000000171da3280 .text C:\Users\DOM\Desktop\huoliejh.exe[1452] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075f97a5c 5 bytes JMP 0000000171da37e0 ---- EOF - GMER 2.1 ----