GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2016-08-21 00:57:36
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 Samsung_SSD_840_EVO_120GB rev.EXT0BB6Q 111,79GB
Running: jhnmqgsg.exe; Driver: C:\Users\Arek\AppData\Local\Temp\pxldrpow.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\netcut\services\AIPS.exe[1568] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076151401 2 bytes JMP 75e2b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\netcut\services\AIPS.exe[1568] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076151419 2 bytes JMP 75e2b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\netcut\services\AIPS.exe[1568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076151431 2 bytes JMP 75ea8fd1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\netcut\services\AIPS.exe[1568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007615144a 2 bytes CALL 75e0489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\netcut\services\AIPS.exe[1568] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000761514dd 2 bytes JMP 75ea88c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\netcut\services\AIPS.exe[1568] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000761514f5 2 bytes JMP 75ea8aa0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\netcut\services\AIPS.exe[1568] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007615150d 2 bytes JMP 75ea87ba C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\netcut\services\AIPS.exe[1568] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076151525 2 bytes JMP 75ea8b8a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\netcut\services\AIPS.exe[1568] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007615153d 2 bytes JMP 75e1fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\netcut\services\AIPS.exe[1568] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076151555 2 bytes JMP 75e268ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\netcut\services\AIPS.exe[1568] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007615156d 2 bytes JMP 75ea9089 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\netcut\services\AIPS.exe[1568] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076151585 2 bytes JMP 75ea8bea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\netcut\services\AIPS.exe[1568] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007615159d 2 bytes JMP 75ea877e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\netcut\services\AIPS.exe[1568] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000761515b5 2 bytes JMP 75e1fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\netcut\services\AIPS.exe[1568] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000761515cd 2 bytes JMP 75e2b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\netcut\services\AIPS.exe[1568] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000761516b2 2 bytes JMP 75ea8f4c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\netcut\services\AIPS.exe[1568] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000761516bd 2 bytes JMP 75ea8713 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2148] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076151401 2 bytes JMP 75e2b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2148] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076151419 2 bytes JMP 75e2b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2148] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076151431 2 bytes JMP 75ea8fd1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2148] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007615144a 2 bytes CALL 75e0489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2148] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000761514dd 2 bytes JMP 75ea88c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2148] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000761514f5 2 bytes JMP 75ea8aa0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2148] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007615150d 2 bytes JMP 75ea87ba C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2148] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076151525 2 bytes JMP 75ea8b8a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2148] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007615153d 2 bytes JMP 75e1fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2148] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076151555 2 bytes JMP 75e268ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2148] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007615156d 2 bytes JMP 75ea9089 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2148] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076151585 2 bytes JMP 75ea8bea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2148] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007615159d 2 bytes JMP 75ea877e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2148] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000761515b5 2 bytes JMP 75e1fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2148] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000761515cd 2 bytes JMP 75e2b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2148] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000761516b2 2 bytes JMP 75ea8f4c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe[2148] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000761516bd 2 bytes JMP 75ea8713 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3600] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076151401 2 bytes JMP 75e2b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3600] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076151419 2 bytes JMP 75e2b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076151431 2 bytes JMP 75ea8fd1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007615144a 2 bytes CALL 75e0489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3600] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000761514dd 2 bytes JMP 75ea88c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3600] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000761514f5 2 bytes JMP 75ea8aa0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3600] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007615150d 2 bytes JMP 75ea87ba C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3600] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076151525 2 bytes JMP 75ea8b8a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3600] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007615153d 2 bytes JMP 75e1fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3600] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076151555 2 bytes JMP 75e268ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3600] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007615156d 2 bytes JMP 75ea9089 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3600] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076151585 2 bytes JMP 75ea8bea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3600] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007615159d 2 bytes JMP 75ea877e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3600] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000761515b5 2 bytes JMP 75e1fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3600] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000761515cd 2 bytes JMP 75e2b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3600] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000761516b2 2 bytes JMP 75ea8f4c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3600] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000761516bd 2 bytes JMP 75ea8713 C:\Windows\syswow64\kernel32.dll
? C:\Windows\system32\mssprxy.dll [4056] entry point in ".rdata" section 00000000733e71e6

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\svchost.exe [1224:4140] 000007fef12dd3c8
Thread C:\Windows\system32\svchost.exe [1224:4144] 000007fef12dd3c8
Thread C:\Windows\system32\svchost.exe [1224:4148] 000007fef12dd3c8
Thread C:\Windows\system32\svchost.exe [1224:4152] 000007fef12dd3c8
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2120] 0000000000998e3c
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2200] 0000000071005090
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2256] 0000000071005090
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2260] 0000000071005090
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2264] 0000000071005090
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2268] 0000000071005090
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2272] 0000000071005090
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2320] 0000000071005090
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2340] 0000000071005090
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2352] 0000000071005090
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2376] 0000000071005090
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2600] 000000006fb9a560
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2624] 000000006facbf30
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2740] 000000006f501a10
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2800] 0000000071005090
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2820] 000000006ec51ce0
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2836] 0000000071005090
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2860] 0000000070e191f0
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2912] 0000000070e191f0
Thread C:\Windows\SysWOW64\ntdll.dll [2116:1192] 000000006f3db360
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2832] 000000006f3db360
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2828] 000000006f3db360
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2924] 000000006f3db360
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2804] 000000006e6832fb
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2772] 0000000075b1e44f
Thread C:\Windows\SysWOW64\ntdll.dll [2116:3256] 0000000071005090
Thread C:\Windows\SysWOW64\ntdll.dll [2116:3264] 0000000071005090
Thread C:\Windows\SysWOW64\ntdll.dll [2116:3276] 0000000071005090
Thread C:\Windows\SysWOW64\ntdll.dll [2116:3288] 0000000071005090
Thread C:\Windows\SysWOW64\ntdll.dll [2116:3300] 0000000071005090
Thread C:\Windows\SysWOW64\ntdll.dll [2116:3424] 0000000071005090
Thread C:\Windows\SysWOW64\ntdll.dll [2116:3448] 0000000071005090
Thread C:\Windows\SysWOW64\ntdll.dll [2116:3740] 0000000071005090
Thread C:\Windows\SysWOW64\ntdll.dll [2116:3624] 0000000071005090
Thread C:\Windows\SysWOW64\ntdll.dll [2116:468] 000000006e36d6bd
Thread C:\Windows\SysWOW64\ntdll.dll [2116:1868] 000000006e36d6bd
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2024] 000000006e36d6bd
Thread C:\Windows\SysWOW64\ntdll.dll [2116:4516] 000000006e36d6bd
Thread C:\Windows\SysWOW64\ntdll.dll [2116:3084] 000000006e36d6bd
Thread C:\Windows\SysWOW64\ntdll.dll [2116:4256] 000000006f3db360
Thread C:\Windows\SysWOW64\ntdll.dll [2116:4920] 000000006f4f31f0
Thread C:\Windows\SysWOW64\ntdll.dll [2116:2132] 000000006f4f31f0
Thread C:\Windows\SysWOW64\ntdll.dll [2116:4700] 00000000763682cd
Thread C:\Windows\SysWOW64\ntdll.dll [2116:3016] 000000006e6162ee
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3952:4196] 000007fefb9d2ae8
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3952:4740] 000007fef81a5124
Thread C:\Windows\System32\svchost.exe [1280:1760] 000007fef2059688

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015833d0a57
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015833d0a57 (not active ControlSet)

---- EOF - GMER 2.1 ----