GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-10-12 18:54:13 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3 SAMSUNG_HD103SJ rev.1AJ100E5 931,51GB Running: t8opb5u0.exe; Driver: C:\Users\Tommy\AppData\Local\Temp\kwlyipog.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076651401 2 bytes JMP 776fb20b C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1976] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076651419 2 bytes JMP 776fb336 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076651431 2 bytes JMP 77778f39 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007665144a 2 bytes CALL 776d4885 C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1976] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000766514dd 2 bytes JMP 77778832 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000766514f5 2 bytes JMP 77778a08 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1976] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007665150d 2 bytes JMP 77778728 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076651525 2 bytes JMP 77778af2 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007665153d 2 bytes JMP 776efc98 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1976] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076651555 2 bytes JMP 776f68df C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007665156d 2 bytes JMP 77778ff1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076651585 2 bytes JMP 77778b52 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1976] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007665159d 2 bytes JMP 777786ec C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000766515b5 2 bytes JMP 776efd31 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000766515cd 2 bytes JMP 776fb2cc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000766516b2 2 bytes JMP 77778eb4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000766516bd 2 bytes JMP 77778681 C:\Windows\syswow64\KERNEL32.dll .text C:\Users\Tommy\AppData\Roaming\TSv\TSvr.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076651401 2 bytes JMP 776fb20b C:\Windows\syswow64\kernel32.dll .text C:\Users\Tommy\AppData\Roaming\TSv\TSvr.exe[2056] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076651419 2 bytes JMP 776fb336 C:\Windows\syswow64\kernel32.dll .text C:\Users\Tommy\AppData\Roaming\TSv\TSvr.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076651431 2 bytes JMP 77778f39 C:\Windows\syswow64\kernel32.dll .text C:\Users\Tommy\AppData\Roaming\TSv\TSvr.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007665144a 2 bytes CALL 776d4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Tommy\AppData\Roaming\TSv\TSvr.exe[2056] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000766514dd 2 bytes JMP 77778832 C:\Windows\syswow64\kernel32.dll .text C:\Users\Tommy\AppData\Roaming\TSv\TSvr.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000766514f5 2 bytes JMP 77778a08 C:\Windows\syswow64\kernel32.dll .text C:\Users\Tommy\AppData\Roaming\TSv\TSvr.exe[2056] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007665150d 2 bytes JMP 77778728 C:\Windows\syswow64\kernel32.dll .text C:\Users\Tommy\AppData\Roaming\TSv\TSvr.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076651525 2 bytes JMP 77778af2 C:\Windows\syswow64\kernel32.dll .text C:\Users\Tommy\AppData\Roaming\TSv\TSvr.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007665153d 2 bytes JMP 776efc98 C:\Windows\syswow64\kernel32.dll .text C:\Users\Tommy\AppData\Roaming\TSv\TSvr.exe[2056] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076651555 2 bytes JMP 776f68df C:\Windows\syswow64\kernel32.dll .text C:\Users\Tommy\AppData\Roaming\TSv\TSvr.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007665156d 2 bytes JMP 77778ff1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Tommy\AppData\Roaming\TSv\TSvr.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076651585 2 bytes JMP 77778b52 C:\Windows\syswow64\kernel32.dll .text C:\Users\Tommy\AppData\Roaming\TSv\TSvr.exe[2056] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007665159d 2 bytes JMP 777786ec C:\Windows\syswow64\kernel32.dll .text C:\Users\Tommy\AppData\Roaming\TSv\TSvr.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000766515b5 2 bytes JMP 776efd31 C:\Windows\syswow64\kernel32.dll .text C:\Users\Tommy\AppData\Roaming\TSv\TSvr.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000766515cd 2 bytes JMP 776fb2cc C:\Windows\syswow64\kernel32.dll .text C:\Users\Tommy\AppData\Roaming\TSv\TSvr.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000766516b2 2 bytes JMP 77778eb4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Tommy\AppData\Roaming\TSv\TSvr.exe[2056] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000766516bd 2 bytes JMP 77778681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076651401 2 bytes JMP 776fb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[2360] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076651419 2 bytes JMP 776fb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076651431 2 bytes JMP 77778f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007665144a 2 bytes CALL 776d4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\SFK\SSFK.exe[2360] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000766514dd 2 bytes JMP 77778832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000766514f5 2 bytes JMP 77778a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[2360] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007665150d 2 bytes JMP 77778728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076651525 2 bytes JMP 77778af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007665153d 2 bytes JMP 776efc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[2360] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076651555 2 bytes JMP 776f68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007665156d 2 bytes JMP 77778ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076651585 2 bytes JMP 77778b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[2360] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007665159d 2 bytes JMP 777786ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000766515b5 2 bytes JMP 776efd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000766515cd 2 bytes JMP 776fb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000766516b2 2 bytes JMP 77778eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SFK\SSFK.exe[2360] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000766516bd 2 bytes JMP 77778681 C:\Windows\syswow64\kernel32.dll .text C:\Windows\Explorer.EXE[3108] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778f0670 5 bytes JMP 0000000102a20018 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076651401 2 bytes JMP 776fb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1628] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076651419 2 bytes JMP 776fb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076651431 2 bytes JMP 77778f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007665144a 2 bytes CALL 776d4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1628] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000766514dd 2 bytes JMP 77778832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000766514f5 2 bytes JMP 77778a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1628] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007665150d 2 bytes JMP 77778728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076651525 2 bytes JMP 77778af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007665153d 2 bytes JMP 776efc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1628] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076651555 2 bytes JMP 776f68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007665156d 2 bytes JMP 77778ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076651585 2 bytes JMP 77778b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1628] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007665159d 2 bytes JMP 777786ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000766515b5 2 bytes JMP 776efd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000766515cd 2 bytes JMP 776fb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000766516b2 2 bytes JMP 77778eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[1628] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000766516bd 2 bytes JMP 77778681 C:\Windows\syswow64\kernel32.dll ---- Threads - GMER 2.1 ---- Thread [772:788] 000007fefde3a808 Thread [772:792] 0000000077a0a810 Thread [772:932] 000000000089d670 Thread [772:936] 000000000089d680 Thread [772:940] 000000000089d680 Thread [772:944] 000000000089d680 Thread [772:948] 000000000089d680 Thread [772:952] 000000000089d680 Thread [772:956] 000000000089d680 Thread [772:960] 000000000089d6c0 Thread [772:1436] 000007fefa664b00 Thread [772:1440] 000007fefa6643a0 Thread [772:1444] 000007fefa6645c0 Thread [772:1448] 000007fefa6646c0 Thread [772:1452] 000007fefa6646c0 Thread [772:1456] 000007fefa6646c0 Thread [772:1460] 000007fefa6646c0 Thread [772:1464] 000007fefa6646c0 Thread [772:1468] 000007fefa6646c0 Thread [772:1472] 000007fefa6646c0 Thread [772:1476] 000007fefa6646c0 Thread [772:1480] 000007fefa664830 Thread [772:1484] 0000000003139aa0 Thread [772:1488] 00000000031366c0 Thread [772:1492] 00000000031345d0 Thread [772:1496] 00000000031345d0 Thread [772:1500] 0000000003135d90 Thread [772:1504] 000007fefa5c5c90 Thread [772:1508] 000007fefc5c88c0 Thread [772:1512] 000007fefc5c8fa0 Thread [772:1576] 000007fefa3e9420 Thread [772:1592] 0000000077a0f470 Thread [772:1640] 000007fefc7897c0 Thread [772:1648] 000007fefa2429d0 Thread [772:1652] 000007fefa2a81b0 Thread [772:1656] 000007fefa2a81b0 Thread [772:1660] 000007fefa2a81b0 Thread [772:1664] 000007fefa2a81b0 Thread [772:1668] 000007fefa2a81b0 Thread [772:1672] 000007fefa2a81b0 Thread [772:1676] 000007fefa2a81b0 Thread [772:1680] 000007fefa2a81b0 Thread [772:1684] 00000000054a2650 Thread [772:1688] 00000000054a1f30 Thread [772:1692] 00000000054a1f30 Thread [772:1696] 00000000054a1f30 Thread [772:1700] 00000000054a1f30 Thread [772:1704] 00000000054a1f30 Thread [772:1708] 00000000054a1f30 Thread [772:1712] 00000000054a1f30 Thread [772:1716] 00000000054a1f30 Thread [772:2776] 0000000077a0f470 Thread [772:4672] 000007feff110168 Thread [772:3136] 0000000077a0f470 Thread [772:3580] 000007fef7b65c90 Thread [772:5028] 000007fef7b787e0 Thread [772:2232] 0000000077a0f470 Thread [772:4380] 0000000077a0f470 Thread [772:3656] 0000000077a0f470 Thread [772:4744] 0000000077a0f470 ---- EOF - GMER 2.1 ----