GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-08-20 13:02:39
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 WDC_WD5000AAJS-00A8B0 rev.01.03B01 465,76GB
Running: kib642ng.exe; Driver: C:\Users\admin\AppData\Local\Temp\uwddakob.sys


---- Kernel code sections - GMER 2.2 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification

---- User code sections - GMER 2.2 ----

.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BavSvc.exe[1444]  C:\Windows\SysWOW64\ntdll.dll!RtlInitializeExceptionChain + 27  00000000771f9d2a 6 bytes JMP 71a8000a
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BavSvc.exe[1444]  C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll  00000000771fc0a2 6 bytes JMP 71af000a
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BavSvc.exe[1444]  C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000075dcd03c 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]
.text  C:\Windows\Explorer.EXE[1672]  C:\Windows\system32\kernel32.dll!CreateProcessW  0000000076ede7b0 6 bytes {JMP QWORD [RIP+0x9141880]}
.text  C:\Windows\Explorer.EXE[1672]  C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408  000007fefcffa4c8 3 bytes CALL 450049
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884]  C:\Windows\SysWOW64\ntdll.dll!RtlInitializeExceptionChain + 27  00000000771f9d2a 6 bytes JMP 71af000a
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884]  C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll  00000000771fc0a2 6 bytes JMP 71a8000a
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884]  C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000075dcd03c 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884]  C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 372  0000000074ee1d26 4 bytes CALL 71ac0000
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076551401 2 bytes JMP 75ddeb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076551419 2 bytes JMP 75deb513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076551431 2 bytes JMP 75e68609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007655144a 2 bytes CALL 75dc1dfa C:\Windows\syswow64\kernel32.dll
.text  ...
* 9
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000765514dd 2 bytes JMP 75e67efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000765514f5 2 bytes JMP 75e680d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007655150d 2 bytes JMP 75e67df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076551525 2 bytes JMP 75e681c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007655153d 2 bytes JMP 75ddf088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076551555 2 bytes JMP 75deb885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007655156d 2 bytes JMP 75e686c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076551585 2 bytes JMP 75e68222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007655159d 2 bytes JMP 75e67db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000765515b5 2 bytes JMP 75ddf121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000765515cd 2 bytes JMP 75deb29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000765516b2 2 bytes JMP 75e68584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000765516bd 2 bytes JMP 75e67d4d C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3272]  C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW  0000000074ee1bb2 5 bytes JMP 00000000001ff317
.text  C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\bavhm.exe[3584]  C:\Windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626  000007fefcffb1d2 3 bytes [2A, 4E, 08]

---- Threads - GMER 2.2 ----

Thread  C:\Windows\System32\spoolsv.exe [1196:4604]  0000000003ae1d84
Thread  C:\Windows\System32\spoolsv.exe [1196:4440]  0000000003b42dac
Thread  C:\Windows\System32\spoolsv.exe [1196:2396]  0000000003b42dac

---- EOF - GMER 2.2 ----
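Triage note and added example. The "User code sections" entries above are not all of the same weight. The two-byte JMPs from PSAPI.DLL into kernel32.dll are expected on Windows 7, where the PSAPI exports are thin stubs over kernel32's K32* implementations, and GMER prints the backing module after the target when it can attribute it. The entries to look at first are control transfers to addresses GMER could not attribute to any module (for example JMP 71af000a in BavSvc.exe/BHipsSvc.exe and CALL 450049 in Explorer.EXE), the x64 RIP-relative indirect jump in Explorer.EXE's CreateProcessW, and the raw byte patches; the INITKDBG line is reported on many Windows 7 x64 systems and needs corroboration before it is treated as a rootkit indicator. The Python below is an added example, not part of this log or GMER's own tooling: it parses ".text" lines of this format, attaches GMER's "* N" elision counts to the preceding entry, and sorts hooks into assumed verdict labels (module-backed, unbacked, indirect, inline-bytes) that are mine, not GMER's. The sample input is a handful of lines copied from the log above; the regex assumes the hooked module path contains no spaces, which holds for every entry here.

```python
import re
from collections import Counter

# Sample input: five entries copied from the GMER log above, plus GMER's
# elision marker (".text ..." followed by "* N"). Constructed for this example.
SAMPLE_LOG = r"""
.text C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BavSvc.exe[1444] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000771fc0a2 6 bytes JMP 71af000a
.text C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BavSvc.exe[1444] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075dcd03c 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]
.text C:\Windows\Explorer.EXE[1672] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000076ede7b0 6 bytes {JMP QWORD [RIP+0x9141880]}
.text C:\Windows\Explorer.EXE[1672] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 408 000007fefcffa4c8 3 bytes CALL 450049
.text C:\Program Files (x86)\Baidu-Security-2014-4.4.4.77147\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1884] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076551419 2 bytes JMP 75deb513 C:\Windows\syswow64\kernel32.dll
.text ...
* 9
"""

# One ".text" entry: process[pid] module!function [+ offset] address N bytes <patch>.
# The process path may contain spaces; the hooked module path is assumed not to.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+)!(?P<function>\w+)"
    r"(?:\s*\+\s*(?P<offset>\d+))?\s+"
    r"(?P<address>[0-9a-fA-F]{16})\s+(?P<size>\d+)\s+bytes\s+(?P<patch>.+?)\s*$"
)
# "JMP 75deb513 C:\...\kernel32.dll" (attributed) or "JMP 71af000a" (unattributed).
TRANSFER_RE = re.compile(
    r"^(?P<kind>JMP|CALL)\s+(?P<target>[0-9a-fA-F]+)(?:\s+(?P<backing>\S.*))?$"
)
# GMER collapses runs of similar hooks into ".text ..." followed by "* N".
ELISION_RE = re.compile(r"^\*\s*(?P<count>\d+)$")


def classify_patch(patch):
    """Map GMER's patch description to (verdict, target, backing module).

    Verdict labels are assumed for this example, not GMER's own:
      module-backed - transfer whose target GMER attributed to a module
      unbacked      - transfer to an address GMER could not attribute
      indirect      - x64 RIP-relative indirect jump (target sits in a data slot)
      inline-bytes  - raw bytes patched in place (GMER printed the new bytes)
    """
    m = TRANSFER_RE.match(patch)
    if m:
        verdict = "module-backed" if m.group("backing") else "unbacked"
        return verdict, int(m.group("target"), 16), m.group("backing")
    if patch.startswith("{JMP QWORD [RIP+"):
        return "indirect", None, None
    if patch.startswith("["):
        return "inline-bytes", None, None
    return "unknown", None, None


def parse_user_hooks(text):
    """Parse '.text' entries; a following '* N' is added to the last entry's 'elided'."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOOK_RE.match(line)
        if m:
            verdict, target, backing = classify_patch(m.group("patch"))
            hooks.append({
                "process": m.group("process"),
                "pid": int(m.group("pid")),
                "module": m.group("module"),
                "function": m.group("function"),
                "offset": int(m.group("offset") or 0),
                "address": int(m.group("address"), 16),
                "size": int(m.group("size")),
                "patch": m.group("patch"),
                "verdict": verdict,
                "target": target,
                "backing": backing,
                "elided": 0,
            })
            continue
        e = ELISION_RE.match(line)
        if e and hooks:
            hooks[-1]["elided"] += int(e.group("count"))
    return hooks


def needs_attention(hooks):
    """Entries to inspect first: transfers into unattributed memory and x64 indirect jumps."""
    return [h for h in hooks if h["verdict"] in ("unbacked", "indirect")]


def summarize(hooks):
    """Count hooks per (process basename, verdict), including elided entries."""
    counts = Counter()
    for h in hooks:
        name = h["process"].rsplit("\\", 1)[-1]
        counts[(name, h["verdict"])] += 1 + h["elided"]
    return counts


if __name__ == "__main__":
    parsed = parse_user_hooks(SAMPLE_LOG)
    for h in needs_attention(parsed):
        print(f"{h['verdict']:<13} pid={h['pid']} {h['module']}!{h['function']} -> {h['patch']}")
    for (name, verdict), n in sorted(summarize(parsed).items()):
        print(f"{name:<14} {verdict:<13} {n}")
```

To run it over a full log, read the file and pass its text to parse_user_hooks; lines from the other sections (header, kernel code sections, threads) do not match HOOK_RE and are ignored. An "unbacked" verdict means only that GMER printed no module after the target; resolving that address against the process's module list (or dumping the page it points into) is the next step, not a conclusion in itself.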