GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-01-21 18:28:10
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK5056GSY rev.LH003D 465,76GB
Running: t4plimtg.exe; Driver: C:\Users\E6420\AppData\Local\Temp\pxldapod.sys


---- Kernel code sections - GMER 2.2 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable      fffff960000e5900 7 bytes [40, 4C, F3, FF, 01, 56, F0]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8  fffff960000e5908 3 bytes [C0, 06, 02]

---- User code sections - GMER 2.2 ----

.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2212] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17       0000000076441401 2 bytes JMP 7716b233 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2212] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17         0000000076441419 2 bytes JMP 7716b35e C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2212] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17       0000000076441431 2 bytes JMP 771e9149 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2212] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42       000000007644144a 2 bytes CALL 77144885 C:\Windows\syswow64\KERNEL32.dll
.text  ...                                                                                                                                                    * 9
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2212] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17          00000000764414dd 2 bytes JMP 771e8a42 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2212] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17   00000000764414f5 2 bytes JMP 771e8c18 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2212] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17          000000007644150d 2 bytes JMP 771e8938 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2212] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17   0000000076441525 2 bytes JMP 771e8d02 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2212] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17         000000007644153d 2 bytes JMP 7715fcc0 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2212] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17              0000000076441555 2 bytes JMP 77166907 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2212] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17       000000007644156d 2 bytes JMP 771e9201 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2212] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17         0000000076441585 2 bytes JMP 771e8d62 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2212] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17            000000007644159d 2 bytes JMP 771e88fc C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2212] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17         00000000764415b5 2 bytes JMP 7715fd59 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2212] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17       00000000764415cd 2 bytes JMP 7716b2f4 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2212] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20   00000000764416b2 2 bytes JMP 771e90c4 C:\Windows\syswow64\KERNEL32.dll
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2212] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31   00000000764416bd 2 bytes JMP 771e8891 C:\Windows\syswow64\KERNEL32.dll
?      C:\Windows\system32\mssprxy.dll [2052] entry point in ".rdata" section 0000000066a671e6
.text  C:\Windows\SysWOW64\RunDll32.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17       0000000076441401 2 bytes JMP 7716b233 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4368] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17         0000000076441419 2 bytes JMP 7716b35e C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17       0000000076441431 2 bytes JMP 771e9149 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42       000000007644144a 2 bytes CALL 77144885 C:\Windows\syswow64\kernel32.dll
.text  ...                                                                                                  * 9
.text  C:\Windows\SysWOW64\RunDll32.exe[4368] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17          00000000764414dd 2 bytes JMP 771e8a42 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17   00000000764414f5 2 bytes JMP 771e8c18 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4368] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17          000000007644150d 2 bytes JMP 771e8938 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17   0000000076441525 2 bytes JMP 771e8d02 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17         000000007644153d 2 bytes JMP 7715fcc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4368] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17              0000000076441555 2 bytes JMP 77166907 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17       000000007644156d 2 bytes JMP 771e9201 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17         0000000076441585 2 bytes JMP 771e8d62 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4368] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17            000000007644159d 2 bytes JMP 771e88fc C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17         00000000764415b5 2 bytes JMP 7715fd59 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17       00000000764415cd 2 bytes JMP 7716b2f4 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20   00000000764416b2 2 bytes JMP 771e90c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4368] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31   00000000764416bd 2 bytes JMP 771e8891 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5864] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17       0000000076441401 2 bytes JMP 7716b233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5864] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17         0000000076441419 2 bytes JMP 7716b35e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5864] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17       0000000076441431 2 bytes JMP 771e9149 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5864] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42       000000007644144a 2 bytes CALL 77144885 C:\Windows\syswow64\kernel32.dll
.text  ...                                                                                                                                          * 9
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5864] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17          00000000764414dd 2 bytes JMP 771e8a42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5864] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17   00000000764414f5 2 bytes JMP 771e8c18 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5864] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17          000000007644150d 2 bytes JMP 771e8938 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5864] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17   0000000076441525 2 bytes JMP 771e8d02 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5864] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17         000000007644153d 2 bytes JMP 7715fcc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5864] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17              0000000076441555 2 bytes JMP 77166907 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5864] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17       000000007644156d 2 bytes JMP 771e9201 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5864] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17         0000000076441585 2 bytes JMP 771e8d62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5864] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17            000000007644159d 2 bytes JMP 771e88fc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5864] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17         00000000764415b5 2 bytes JMP 7715fd59 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5864] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17       00000000764415cd 2 bytes JMP 7716b2f4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5864] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20   00000000764416b2 2 bytes JMP 771e90c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5864] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31   00000000764416bd 2 bytes JMP 771e8891 C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.2 ----

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [3772:5148]  000007fefb662be0

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\20689d5eabc0
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\d0df9a3ff4c8
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\20689d5eabc0 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\d0df9a3ff4c8 (not active ControlSet)
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\E6420\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Autodesk\AutoCAD 2015 \x2014 Polski (Polish)\Dołącz podpisy cyfrowe.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Autodesk\AutoCAD 2015 \x2014 Polski (Polish)\Dołącz podpisy cyfrowe.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\E6420\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Autodesk\AutoCAD 2015 \x2014 Polski (Polish)\Menedżer odnośników.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Autodesk\AutoCAD 2015 \x2014 Polski (Polish)\Menedżer odnośników.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\E6420\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Autodesk\AutoCAD 2015 \x2014 Polski (Polish)\Narzędzie transferu licencji \x2014 AutoCAD 2015.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Autodesk\AutoCAD 2015 \x2014 Polski (Polish)\Narzędzie transferu licencji \x2014 AutoCAD 2015.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\E6420\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Autodesk\AutoCAD 2015 \x2014 Polski (Polish)\Przywróć ustawienia domyślne.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Autodesk\AutoCAD 2015 \x2014 Polski (Polish)\Przywróć ustawienia domyślne.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\E6420\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Autodesk\AutoCAD 2015 \x2014 Polski (Polish)\Wsadowy kontroler standardów.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Autodesk\AutoCAD 2015 \x2014 Polski (Polish)\Wsadowy kontroler standardów.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\E6420\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Autodesk\AutoCAD 2015 \x2014 Polski (Polish)\Migracja ustawień niestandardowych\Eksportuj ustawienia programu AutoCAD 2015.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Autodesk\AutoCAD 2015 \x2014 Polski (Polish)\Migracja ustawień niestandardowych\Eksportuj ustawienia programu AutoCAD 2015.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\E6420\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Autodesk\AutoCAD 2015 \x2014 Polski (Polish)\Migracja ustawień niestandardowych\Importuj ustawienia programu AutoCAD 2015.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Autodesk\AutoCAD 2015 \x2014 Polski (Polish)\Migracja ustawień niestandardowych\Importuj ustawienia programu AutoCAD 2015.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\E6420\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Autodesk\AutoCAD 2015 \x2014 Polski (Polish)\Migracja ustawień niestandardowych\Migracja z poprzedniej wersji.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Autodesk\AutoCAD 2015 \x2014 Polski (Polish)\Migracja ustawień niestandardowych\Migracja z poprzedniej wersji.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\E6420\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Autodesk\Content Service\Content Service \x2014 konsola konfiguracji.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Autodesk\Content Service\Content Service \x2014 konsola konfiguracji.lnk  1

---- Files - GMER 2.2 ----

File  C:\Users\E6420\AppData\Local\Temp\etilqs_yjezByMib1wTeTx  0 bytes
File  C:\Users\E6420\AppData\Local\Temp\tmpC683.tmp  0 bytes

---- EOF - GMER 2.2 ----