GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-02-02 12:13:22 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000005c WDC_WD50 rev.05.0 465,76GB Running: 9smuvt5s.exe; Driver: C:\Users\Marek\AppData\Local\Temp\kwddikog.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2408] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000764e2ab1 5 bytes JMP 0000000100f331c2 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fede50 5 bytes JMP 0000000176e700a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fedf70 5 bytes JMP 0000000176e70018 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fedfd0 5 bytes JMP 0000000176e703d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fee050 5 bytes JMP 0000000176e701b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076fee0f0 5 bytes JMP 0000000176e70128 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fee5a0 5 bytes JMP 0000000176e70238 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fee630 1 byte JMP 0000000176e702c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076fee632 3 bytes {JMP 0xffffffffffe81c90} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076fee6a0 5 bytes JMP 0000000176e70348 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076feeb60 5 bytes JMP 0000000176e70458 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076feebb0 5 bytes JMP 0000000176e704e0 .text C:\Windows\system32\SearchIndexer.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fede50 5 bytes JMP 0000000176e700a0 .text C:\Windows\system32\SearchIndexer.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fedf70 5 bytes JMP 0000000176e70018 .text C:\Windows\system32\SearchIndexer.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fedfd0 5 bytes JMP 0000000176e703d0 .text C:\Windows\system32\SearchIndexer.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fee050 5 bytes JMP 0000000176e701b0 .text C:\Windows\system32\SearchIndexer.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076fee0f0 5 bytes JMP 0000000176e70128 .text C:\Windows\system32\SearchIndexer.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fee5a0 5 bytes JMP 0000000176e70238 .text C:\Windows\system32\SearchIndexer.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fee630 1 byte JMP 0000000176e702c0 .text C:\Windows\system32\SearchIndexer.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076fee632 3 bytes {JMP 0xffffffffffe81c90} .text C:\Windows\system32\SearchIndexer.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076fee6a0 5 bytes JMP 0000000176e70348 .text C:\Windows\system32\SearchIndexer.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076feeb60 5 bytes JMP 0000000176e70458 .text C:\Windows\system32\SearchIndexer.exe[3864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076feebb0 5 bytes JMP 0000000176e704e0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fede50 5 bytes JMP 0000000176e700a0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fedf70 5 bytes JMP 0000000176e70018 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fedfd0 5 bytes JMP 0000000176e703d0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fee050 5 bytes JMP 0000000176e701b0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076fee0f0 5 bytes JMP 0000000176e70128 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fee5a0 5 bytes JMP 0000000176e70238 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fee630 1 byte JMP 0000000176e702c0 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076fee632 3 bytes {JMP 0xffffffffffe81c90} .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076fee6a0 5 bytes JMP 0000000176e70348 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076feeb60 5 bytes JMP 0000000176e70458 .text C:\Program Files (x86)\AVG\Av\avgnsa.exe[3300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076feebb0 5 bytes JMP 0000000176e704e0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fede50 5 bytes JMP 0000000176e700a0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fedf70 5 bytes JMP 0000000176e70018 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fedfd0 5 bytes JMP 0000000176e703d0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fee050 5 bytes JMP 0000000176e701b0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076fee0f0 5 bytes JMP 0000000176e70128 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fee5a0 5 bytes JMP 0000000176e70238 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fee630 1 byte JMP 0000000176e702c0 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076fee632 3 bytes {JMP 0xffffffffffe81c90} .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076fee6a0 5 bytes JMP 0000000176e70348 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076feeb60 5 bytes JMP 0000000176e70458 .text C:\Program Files (x86)\AVG\Av\avgemca.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076feebb0 5 bytes JMP 0000000176e704e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fede50 5 bytes JMP 0000000176e700a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fedf70 5 bytes JMP 0000000176e70018 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fedfd0 5 bytes JMP 0000000176e703d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fee050 5 bytes JMP 0000000176e701b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076fee0f0 5 bytes JMP 0000000176e70128 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fee5a0 5 bytes JMP 0000000176e70238 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fee630 1 byte JMP 0000000176e702c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076fee632 3 bytes {JMP 0xffffffffffe81c90} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076fee6a0 5 bytes JMP 0000000176e70348 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076feeb60 5 bytes JMP 0000000176e70458 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076feebb0 5 bytes JMP 0000000176e704e0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fede50 5 bytes JMP 0000000176e700a0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fedf70 5 bytes JMP 0000000176e70018 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fedfd0 5 bytes JMP 0000000176e703d0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fee050 5 bytes JMP 0000000176e701b0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076fee0f0 5 bytes JMP 0000000176e70128 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fee5a0 5 bytes JMP 0000000176e70238 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fee630 1 byte JMP 0000000176e702c0 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076fee632 3 bytes {JMP 0xffffffffffe81c90} .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076fee6a0 5 bytes JMP 0000000176e70348 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076feeb60 5 bytes JMP 0000000176e70458 .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe[4552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076feebb0 5 bytes JMP 0000000176e704e0 .text C:\Windows\System32\svchost.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076fede50 5 bytes JMP 0000000176e700a0 .text C:\Windows\System32\svchost.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fedf70 5 bytes JMP 0000000176e70018 .text C:\Windows\System32\svchost.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fedfd0 5 bytes JMP 0000000176e703d0 .text C:\Windows\System32\svchost.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fee050 5 bytes JMP 0000000176e701b0 .text C:\Windows\System32\svchost.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076fee0f0 5 bytes JMP 0000000176e70128 .text C:\Windows\System32\svchost.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fee5a0 5 bytes JMP 0000000176e70238 .text C:\Windows\System32\svchost.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fee630 1 byte JMP 0000000176e702c0 .text C:\Windows\System32\svchost.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076fee632 3 bytes {JMP 0xffffffffffe81c90} .text C:\Windows\System32\svchost.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000076fee6a0 5 bytes JMP 0000000176e70348 .text C:\Windows\System32\svchost.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076feeb60 5 bytes JMP 0000000176e70458 .text C:\Windows\System32\svchost.exe[4300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076feebb0 5 bytes JMP 0000000176e704e0 ---- EOF - GMER 2.1 ----