GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-06-16 20:29:19
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002d ST1000LM024_HN-M101MBB rev.2AR10001 931,51GB
Running: 5f2z3vvf.exe; Driver: C:\Users\Jakub\AppData\Local\Temp\pwryipow.sys

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffa822a28c0 7 bytes JMP 00007ffb804002d0
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffa822a43d8 7 bytes JMP 00007ffb80400308
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffa82351f20 7 bytes JMP 00007ffb80400378
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffa823540b4 7 bytes JMP 00007ffb804003b0
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffa82354510 7 bytes JMP 00007ffb80400340
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ffa82354af0 7 bytes JMP 00007ffb80400260
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffa8237cea0 7 bytes JMP 00007ffb80400228
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffa8237cf10 7 bytes JMP 00007ffb80400298
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffa80412300 7 bytes JMP 00007ffb804000d8
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffa80415770 5 bytes JMP 00007ffb80400180
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffa80415860 5 bytes JMP 00007ffb80400148
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffa80415a30 5 bytes JMP 00007ffb80400110
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffa8207b6f4 10 bytes JMP 00007ffb80400490
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffa820845d8 5 bytes JMP 00007ffb80400458
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffa82084750 9 bytes JMP 00007ffb804003e8
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffa82094fc0 5 bytes JMP 00007ffb80400420
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffa82ca1500 8 bytes JMP 00007ffb804001b8
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffa82ca1750 8 bytes JMP 00007ffb804001f0
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 00007ffa7d697c28 5 bytes JMP 00007ffb7d680110
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory 00007ffa7d6a4b84 5 bytes JMP 00007ffb7d6800d8
.text C:\WINDOWS\system32\nvvsvc.exe[1452] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa82c1169a 4 bytes [C1, 82, FA, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[1452] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa82c116a2 4 bytes [C1, 82, FA, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[1452] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa82c1181a 4 bytes [C1, 82, FA, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[1452] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa82c11832 4 bytes [C1, 82, FA, 7F]
.text C:\WINDOWS\Explorer.EXE[5764] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa82c1169a 4 bytes [C1, 82, FA, 7F]
.text C:\WINDOWS\Explorer.EXE[5764] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa82c116a2 4 bytes [C1, 82, FA, 7F]
.text C:\WINDOWS\Explorer.EXE[5764] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa82c1181a 4 bytes [C1, 82, FA, 7F]
.text C:\WINDOWS\Explorer.EXE[5764] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa82c11832 4 bytes [C1, 82, FA, 7F]
.text C:\Windows\System32\igfxpers.exe[5736] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa82c1169a 4 bytes [C1, 82, FA, 7F]
.text C:\Windows\System32\igfxpers.exe[5736] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa82c116a2 4 bytes [C1, 82, FA, 7F]
.text C:\Windows\System32\igfxpers.exe[5736] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa82c1181a 4 bytes [C1, 82, FA, 7F]
.text C:\Windows\System32\igfxpers.exe[5736] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa82c11832 4 bytes [C1, 82, FA, 7F]
.text C:\Program Files\Greenshot\Greenshot.exe[6452] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa82c1169a 4 bytes [C1, 82, FA, 7F]
.text C:\Program Files\Greenshot\Greenshot.exe[6452] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa82c116a2 4 bytes [C1, 82, FA, 7F]
.text C:\Program Files\Greenshot\Greenshot.exe[6452] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa82c1181a 4 bytes [C1, 82, FA, 7F]
.text C:\Program Files\Greenshot\Greenshot.exe[6452] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa82c11832 4 bytes [C1, 82, FA, 7F]
.text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[4760] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa82c1169a 4 bytes [C1, 82, FA, 7F]
.text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[4760] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa82c116a2 4 bytes [C1, 82, FA, 7F]
.text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[4760] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa82c1181a 4 bytes [C1, 82, FA, 7F]
.text C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe[4760] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa82c11832 4 bytes [C1, 82, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2440] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa82c1169a 4 bytes [C1, 82, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2440] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa82c116a2 4 bytes [C1, 82, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2440] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa82c1181a 4 bytes [C1, 82, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2440] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa82c11832 4 bytes [C1, 82, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2440] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffa771f1f6a 4 bytes [1F, 77, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2440] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffa771f1f82 4 bytes [1F, 77, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[7072] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa82c1169a 4 bytes [C1, 82, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[7072] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa82c116a2 4 bytes [C1, 82, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[7072] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa82c1181a 4 bytes [C1, 82, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[7072] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa82c11832 4 bytes [C1, 82, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[7072] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffa771f1f6a 4 bytes [1F, 77, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[7072] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffa771f1f82 4 bytes [1F, 77, FA, 7F]

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\system32\csrss.exe [5756:1080] fffff9600091cb90
Thread C:\WINDOWS\system32\csrss.exe [5756:5124] fffff9600091cb90

---- Processes - GMER 2.1 ----

Process C:\Users\Jakub\AppData\Local\WebPlayer\FLV Player\WebPlayer.exe (*** suspicious ***) @ C:\Users\Jakub\AppData\Local\WebPlayer\FLV Player\WebPlayer.exe [1808](2012-10-26 06:49:04) 0000000000270000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----
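Added example (not part of the GMER output above, and not GMER's own logic): a small Python triage script for the ".text" records in a log like this one. It parses each record and then separates two shapes that GMER prints identically under "User code sections": a JMP written over the first bytes of an exported function, which is an inline hook whose target address says which module owns it, and a 4-byte run at an offset inside a function whose bytes equal bits 16..47 of their own address, which is the middle of a relocated 64-bit pointer that GMER reports because it diffs the in-memory image against the unrelocated file on disk (in the log above, [C1, 82, FA, 7F] is 0x7FFA82C1 little-endian, the middle of every 0x00007ffa82c1xxxx address in PSAPI.DLL, and [1F, 77, FA, 7F] is 0x7FFA771F for WSOCK32.dll). The embedded sample log is a subset of the records above, relaid one record per line as GMER prints them; the regular expression, the 256 MiB tolerance in the pointer check and the verdict names are this script's assumptions. The script ignores the Thread, Process and Disk entries and says nothing about them.

```python
import re
from collections import Counter, defaultdict

# Subset of the GMER 2.1 "User code sections" records from the log above, one record per
# line as GMER prints them. The header and a Thread line are included to show that
# non-record lines are skipped.
SAMPLE_LOG = r"""
---- User code sections - GMER 2.1 ----
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffa822a28c0 7 bytes JMP 00007ffb804002d0
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffa80415860 5 bytes JMP 00007ffb80400148
.text C:\WINDOWS\system32\dwm.exe[5864] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory 00007ffa7d6a4b84 5 bytes JMP 00007ffb7d6800d8
.text C:\WINDOWS\system32\nvvsvc.exe[1452] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa82c1169a 4 bytes [C1, 82, FA, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[1452] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa82c1181a 4 bytes [C1, 82, FA, 7F]
.text C:\WINDOWS\Explorer.EXE[5764] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa82c1169a 4 bytes [C1, 82, FA, 7F]
.text C:\WINDOWS\Explorer.EXE[5764] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa82c1181a 4 bytes [C1, 82, FA, 7F]
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2440] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffa771f1f6a 4 bytes [1F, 77, FA, 7F]
---- Threads - GMER 2.1 ----
Thread C:\WINDOWS\system32\csrss.exe [5756:1080] fffff9600091cb90
"""

# Assumed grammar for one record (GMER publishes none); it covers the two shapes seen above:
#   .text <proc>[pid] <module>!<symbol> <addr> <n> bytes JMP <target>
#   .text <proc>[pid] <module>!<symbol> + <off> <addr> <n> bytes [xx, xx, xx, xx]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+"
    r"(?P<module>[^\s!]+)!(?P<symbol>[^\s+]+)(?:\s*\+\s*(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]{16})\s+(?P<n>\d+)\s+bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9a-fA-F]{16})|\[(?P<bytes>[0-9A-Fa-f, ]+)\])$"
)

# Tolerance for the relocated-pointer check, in units of 64 KiB (0x1000 units = 256 MiB),
# so a pointer anywhere inside a large module still matches. Assumed value.
RELOC_WINDOW = 0x1000


def classify(rec):
    """Label one parsed record. The labels and the heuristic are this script's, not GMER's."""
    if rec["target"] is not None:
        # A JMP over the first bytes of an exported function is the classic user-mode
        # inline hook (detour); the target address says which module owns the hook.
        return "inline-jmp-hook"
    if rec["bytes"] is not None and rec["size"] == 4 and rec["offset"] > 0:
        dword = int.from_bytes(rec["bytes"], "little")
        # A little-endian 64-bit pointer into a module mapped at 0x00007ffa82c1xxxx is stored
        # as XX XX C1 82 FA 7F 00 00. Only the middle four bytes change under ASLR relocation,
        # so GMER, which diffs memory against the on-disk image, reports exactly those four,
        # and they equal bits 16..47 of the address they sit at.
        here = (rec["addr"] >> 16) & 0xFFFFFFFF
        if abs(dword - here) <= RELOC_WINDOW:
            return "relocated-pointer"
    return "unclassified-patch"


def parse_gmer(text):
    """Return one dict per '.text' record; headers, Thread and Process lines are skipped."""
    records = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rec = {
            "process": d["proc"],
            "pid": int(d["pid"]),
            "module": d["module"].split("\\")[-1].lower(),
            "symbol": d["symbol"],
            "offset": int(d["offset"]) if d["offset"] else 0,
            "addr": int(d["addr"], 16),
            "size": int(d["n"]),
            "target": int(d["target"], 16) if d["target"] else None,
            "bytes": bytes(int(b.strip(), 16) for b in d["bytes"].split(",")) if d["bytes"] else None,
        }
        rec["verdict"] = classify(rec)
        records.append(rec)
    return records


def summarize(records):
    """Collapse per-process repeats: the same bytes at the same address in every process is
    one finding (a system DLL maps at one address per boot), not one finding per process."""
    by_patch = defaultdict(set)
    for r in records:
        key = (r["verdict"], r["module"], r["symbol"], r["offset"], r["addr"])
        by_patch[key].add(r["pid"])
    return {
        "distinct_patches": len(by_patch),
        "by_verdict": dict(Counter(k[0] for k in by_patch)),
        "patches": {k: sorted(v) for k, v in by_patch.items()},
    }


if __name__ == "__main__":
    summary = summarize(parse_gmer(SAMPLE_LOG))
    for (verdict, module, symbol, offset, addr), pids in summary["patches"].items():
        print(f"{verdict:18} {module}!{symbol}+{offset} @ {addr:016x} in pids {pids}")
    print(summary["by_verdict"])
```

Run against the sample it reports three inline JMP hooks in dwm.exe (all to the same 0x00007ffb80400xxx region, which is the lead to follow: find which module is mapped there in that process) and three relocated-pointer runs shared by every process that has PSAPI.DLL or WSOCK32.dll loaded. A 4-byte run that fails the pointer check is left as "unclassified-patch" for manual review rather than silently dropped.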