GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-07-03 20:40:03 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000028 ST750LM022_HN-M750MBB rev.2AR10002 698,64GB Running: gmer.exe; Driver: C:\Users\Robert\AppData\Local\Temp\pxldqpoc.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff96000130200 15 bytes [00, 65, F4, 01, 80, 7D, 6A, ...] .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 17 fffff96000130211 10 bytes [F3, FB, FF, 00, 17, C7, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\atiesrxx.exe[996] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffdb46b169a 4 bytes [6B, B4, FD, 7F] .text C:\WINDOWS\system32\atiesrxx.exe[996] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffdb46b16a2 4 bytes [6B, B4, FD, 7F] .text C:\WINDOWS\system32\atiesrxx.exe[996] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffdb46b181a 4 bytes [6B, B4, FD, 7F] .text C:\WINDOWS\system32\atiesrxx.exe[996] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffdb46b1832 4 bytes [6B, B4, FD, 7F] .text C:\WINDOWS\system32\atieclxx.exe[900] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffdb46b169a 4 bytes [6B, B4, FD, 7F] .text C:\WINDOWS\system32\atieclxx.exe[900] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffdb46b16a2 4 bytes [6B, B4, FD, 7F] .text C:\WINDOWS\system32\atieclxx.exe[900] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffdb46b181a 4 bytes [6B, B4, FD, 7F] .text C:\WINDOWS\system32\atieclxx.exe[900] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffdb46b1832 4 bytes [6B, B4, FD, 7F] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3952] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffdb46b169a 4 bytes [6B, B4, FD, 7F] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3952] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffdb46b16a2 4 bytes [6B, B4, FD, 7F] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3952] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffdb46b181a 4 bytes [6B, B4, FD, 7F] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3952] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffdb46b1832 4 bytes [6B, B4, FD, 7F] ? C:\Windows\SYSTEM32\BsHelpCSps.dll [2272] entry point in ".data" section 0000000003c15055 .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4184] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffdb46b169a 4 bytes [6B, B4, FD, 7F] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4184] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffdb46b16a2 4 bytes [6B, B4, FD, 7F] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4184] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffdb46b181a 4 bytes [6B, B4, FD, 7F] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4184] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffdb46b1832 4 bytes [6B, B4, FD, 7F] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1484] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffd9abf1f6a 4 bytes [BF, 9A, FD, 7F] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1484] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffd9abf1f82 4 bytes [BF, 9A, FD, 7F] .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffdb52f0e80 5 bytes JMP 00007ffe35420460 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffdb52f0ed0 5 bytes JMP 00007ffe35420450 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffdb52f1030 5 bytes JMP 00007ffe35420370 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffdb52f1080 5 bytes JMP 00007ffe35420470 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffdb52f1090 5 bytes JMP 00007ffe354203e0 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffdb52f1140 5 bytes JMP 00007ffe35420320 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffdb52f1170 5 bytes JMP 00007ffe354203b0 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffdb52f1190 5 bytes JMP 00007ffe35420390 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffdb52f11d0 5 bytes JMP 00007ffe354202e0 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffdb52f1250 5 bytes JMP 00007ffe354202d0 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffdb52f1270 5 bytes JMP 00007ffe35420310 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffdb52f12b0 5 bytes JMP 00007ffe354203c0 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffdb52f1300 5 bytes JMP 00007ffe354203f0 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffdb52f1460 5 bytes JMP 00007ffe35420230 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffdb52f1650 5 bytes JMP 00007ffe35420480 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffdb52f1680 5 bytes JMP 00007ffe354203a0 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffdb52f17a0 5 bytes JMP 00007ffe354202f0 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffdb52f17c0 1 byte JMP 00007ffe35420350 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 00007ffdb52f17c2 3 bytes {JMP 0x14} .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffdb52f1830 5 bytes JMP 00007ffe35420290 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffdb52f18c0 5 bytes JMP 00007ffe354202b0 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffdb52f18e0 5 bytes JMP 00007ffe354203d0 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffdb52f18f0 5 bytes JMP 00007ffe35420330 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffdb52f19a0 5 bytes JMP 00007ffe35420410 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffdb52f19d0 5 bytes JMP 00007ffe35420240 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffdb52f1cf0 5 bytes JMP 00007ffe354201e0 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffdb52f1db0 5 bytes JMP 00007ffe35420250 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffdb52f1de0 5 bytes JMP 00007ffe35420490 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffdb52f1df0 5 bytes JMP 00007ffe354204a0 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffdb52f1e20 5 bytes JMP 00007ffe35420300 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffdb52f1e30 5 bytes JMP 00007ffe35420360 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffdb52f1e90 5 bytes JMP 00007ffe354202a0 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffdb52f1ee0 5 bytes JMP 00007ffe354202c0 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffdb52f1f10 5 bytes JMP 00007ffe35420380 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffdb52f1f20 5 bytes JMP 00007ffe35420340 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffdb52f2230 5 bytes JMP 00007ffe35420440 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffdb52f2430 5 bytes JMP 00007ffe35420260 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffdb52f2440 5 bytes JMP 00007ffe35420270 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffdb52f2460 5 bytes JMP 00007ffe35420400 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffdb52f2640 5 bytes JMP 00007ffe354201f0 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffdb52f2650 5 bytes JMP 00007ffe35420210 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffdb52f26e0 5 bytes JMP 00007ffe35420200 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffdb52f2750 5 bytes JMP 00007ffe35420420 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffdb52f2760 5 bytes JMP 00007ffe35420430 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffdb52f2770 5 bytes JMP 00007ffe35420220 .text C:\WINDOWS\system32\AUDIODG.EXE[6044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffdb52f2880 5 bytes JMP 00007ffe35420280 ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [656:680] fffff960008fcb90 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----