GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-04-21 20:20:15
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 SAMSUNG_HD403LJ rev.CT100-12 372,61GB
Running: mub38k1c.exe; Driver: C:\Users\limak\AppData\Local\Temp\kwddqkog.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
.text  C:\Windows\System32\win32k.sys!W32pServiceTable  fffff960001c1c00 7 bytes [00, 98, F3, FF, 01, A3, F0]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8  fffff960001c1c08 3 bytes [C0, 06, 02]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1612]  C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17  0000000075501401 2 bytes JMP 7580eb26 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1612]  C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17  0000000075501419 2 bytes JMP 7581b513 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1612]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17  0000000075501431 2 bytes JMP 75898609 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1612]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42  000000007550144a 2 bytes CALL 757f1dfa C:\Windows\syswow64\KERNEL32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1612]  C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17  00000000755014dd 2 bytes JMP 75897efe C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1612]  C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17  00000000755014f5 2 bytes JMP 758980d8 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1612]  C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17  000000007550150d 2 bytes JMP 75897df4 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1612]  C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17  0000000075501525 2 bytes JMP 758981c2 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1612]  C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17  000000007550153d 2 bytes JMP 7580f088 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1612]  C:\Windows\syswow64\psapi.dll!EnumProcesses + 17  0000000075501555 2 bytes JMP 7581b885 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1612]  C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17  000000007550156d 2 bytes JMP 758986c1 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1612]  C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17  0000000075501585 2 bytes JMP 75898222 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1612]  C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17  000000007550159d 2 bytes JMP 75897db8 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1612]  C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17  00000000755015b5 2 bytes JMP 7580f121 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1612]  C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17  00000000755015cd 2 bytes JMP 7581b29f C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1612]  C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20  00000000755016b2 2 bytes JMP 75898584 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1612]  C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31  00000000755016bd 2 bytes JMP 75897d4d C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[3308]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075501401 2 bytes JMP 7580eb26 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[3308]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075501419 2 bytes JMP 7581b513 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[3308]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075501431 2 bytes JMP 75898609 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[3308]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007550144a 2 bytes CALL 757f1dfa C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[3308]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000755014dd 2 bytes JMP 75897efe C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[3308]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000755014f5 2 bytes JMP 758980d8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[3308]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007550150d 2 bytes JMP 75897df4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[3308]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075501525 2 bytes JMP 758981c2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[3308]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007550153d 2 bytes JMP 7580f088 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[3308]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075501555 2 bytes JMP 7581b885 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[3308]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007550156d 2 bytes JMP 758986c1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[3308]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075501585 2 bytes JMP 75898222 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[3308]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007550159d 2 bytes JMP 75897db8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[3308]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000755015b5 2 bytes JMP 7580f121 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[3308]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000755015cd 2 bytes JMP 7581b29f C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[3308]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000755016b2 2 bytes JMP 75898584 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbserver.exe[3308]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000755016bd 2 bytes JMP 75897d4d C:\Windows\syswow64\kernel32.dll

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe  suspicious modification

---- Threads - GMER 2.1 ----

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [3844:3840]  000007fefb462a74

---- Processes - GMER 2.1 ----

Library  C:\Users\limak\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\Ontology.dll (*** suspicious ***) @ C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [3936] (Application Ontology library/NVIDIA Corporation)(2015-04-20 14:41:54)  0000000074270000

---- Registry - GMER 2.1 ----

Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8FE41802-33AC-868A-8BC5-9593626A2110}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8FE41802-33AC-868A-8BC5-9593626A2110}@palegkfcfmjnfepdlobgomincbbghgml  0x6A 0x61 0x68 0x68 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8FE41802-33AC-868A-8BC5-9593626A2110}@oafeaacfplgagbndjijcmkjjhidjjh  0x6A 0x61 0x68 0x68 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A7ECF1F9-39C4-B1E4-E389-04BB8E4349F5}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A7ECF1F9-39C4-B1E4-E389-04BB8E4349F5}@ianngffcleknclcnoh  0x6B 0x61 0x6D 0x61 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A7ECF1F9-39C4-B1E4-E389-04BB8E4349F5}@hadbaldfpfphmcdh  0x6B 0x61 0x6D 0x61 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A7ECF1F9-39C4-B1E4-E389-04BB8E4349F5}@iajokgalngjdloojkk  0x63 0x61 0x6A 0x61 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A7ECF1F9-39C4-B1E4-E389-04BB8E4349F5}@dbabieaofcphfkkkfoiapbmifapkinmhdlpjnnjc  0x68 0x61 0x65 0x70 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A7ECF1F9-39C4-B1E4-E389-04BB8E4349F5}@jbabieaofcphfkkkfoiamclmbgahbaonpilbkeccicnaapeikbpo  0x68 0x61 0x65 0x70 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A7ECF1F9-39C4-B1E4-E389-04BB8E4349F5}@dbabieaofcphfkkkfoiagdlfbogipfgbhanlpdfi  0x62 0x61 0x64 0x64 ...

---- Files - GMER 2.1 ----

File  C:\Users\limak\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\95NVZB84\2[1]  0 bytes
File  C:\Users\limak\AppData\Roaming\Microsoft\Windows\Cookies\limak@hit.gemius[1].txt  158 bytes

---- EOF - GMER 2.1 ----