GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-10-25 00:54:39
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000034 WDC_WD10JPVX-80JC3T0 rev.01.01A01 931,51GB
Running: _4_z3mhwmu5.exe; Driver: C:\Users\M-KOL_~1.SKI\AppData\Local\Temp\pfldypoc.sys


---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\dwm.exe[284] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffa727628c0 7 bytes JMP 00007ffb706b02d0
.text C:\WINDOWS\system32\dwm.exe[284] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffa727643d8 7 bytes JMP 00007ffb706b0308
.text C:\WINDOWS\system32\dwm.exe[284] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffa72811f20 7 bytes JMP 00007ffb706b0378
.text C:\WINDOWS\system32\dwm.exe[284] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffa728140b4 7 bytes JMP 00007ffb706b03b0
.text C:\WINDOWS\system32\dwm.exe[284] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffa72814510 7 bytes JMP 00007ffb706b0340
.text C:\WINDOWS\system32\dwm.exe[284] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ffa72814af0 7 bytes JMP 00007ffb706b0260
.text C:\WINDOWS\system32\dwm.exe[284] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffa7283cea0 7 bytes JMP 00007ffb706b0228
.text C:\WINDOWS\system32\dwm.exe[284] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffa7283cf10 7 bytes JMP 00007ffb706b0298
.text C:\WINDOWS\system32\dwm.exe[284] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffa706c299c 7 bytes JMP 00007ffb706b00d8
.text C:\WINDOWS\system32\dwm.exe[284] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffa706c54c8 5 bytes JMP 00007ffb706b0180
.text C:\WINDOWS\system32\dwm.exe[284] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffa706c55b0 5 bytes JMP 00007ffb706b0148
.text C:\WINDOWS\system32\dwm.exe[284] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffa706c5e58 5 bytes JMP 00007ffb706b0110
.text C:\WINDOWS\system32\dwm.exe[284] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffa70bdb6f4 10 bytes JMP 00007ffb706b0490
.text C:\WINDOWS\system32\dwm.exe[284] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffa70be45e8 5 bytes JMP 00007ffb706b0458
.text C:\WINDOWS\system32\dwm.exe[284] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffa70be4760 1 byte JMP 00007ffb706b03e8
.text C:\WINDOWS\system32\dwm.exe[284] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo + 2 00007ffa70be4762 7 bytes {JMP 0xffffffffffacbc88}
.text C:\WINDOWS\system32\dwm.exe[284] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffa70bf4fc0 5 bytes JMP 00007ffb706b0420
.text C:\WINDOWS\system32\dwm.exe[284] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffa73021500 8 bytes JMP 00007ffb706b01b8
.text C:\WINDOWS\system32\dwm.exe[284] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffa73021750 8 bytes JMP 00007ffb706b01f0
.text C:\WINDOWS\system32\dwm.exe[284] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 00007ffa6df07a88 5 bytes JMP 00007ffb6def0110
.text C:\WINDOWS\system32\dwm.exe[284] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory 00007ffa6df14990 5 bytes JMP 00007ffb6def00d8
.text C:\WINDOWS\system32\nvvsvc.exe[352] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa712a169a 4 bytes [2A, 71, FA, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[352] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa712a16a2 4 bytes [2A, 71, FA, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[352] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa712a181a 4 bytes [2A, 71, FA, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[352] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa712a1832 4 bytes [2A, 71, FA, 7F]
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1988] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa712a169a 4 bytes [2A, 71, FA, 7F]
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1988] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa712a16a2 4 bytes [2A, 71, FA, 7F]
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1988] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa712a181a 4 bytes [2A, 71, FA, 7F]
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1988] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa712a1832 4 bytes [2A, 71, FA, 7F]
.text C:\WINDOWS\system32\DptfPolicyLpmService.exe[1704] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa712a169a 4 bytes [2A, 71, FA, 7F]
.text C:\WINDOWS\system32\DptfPolicyLpmService.exe[1704] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa712a16a2 4 bytes [2A, 71, FA, 7F]
.text C:\WINDOWS\system32\DptfPolicyLpmService.exe[1704] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa712a181a 4 bytes [2A, 71, FA, 7F]
.text C:\WINDOWS\system32\DptfPolicyLpmService.exe[1704] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa712a1832 4 bytes [2A, 71, FA, 7F]
.text C:\WINDOWS\Explorer.EXE[2812] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffa712a169a 4 bytes [2A, 71, FA, 7F]
.text C:\WINDOWS\Explorer.EXE[2812] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffa712a16a2 4 bytes [2A, 71, FA, 7F]
.text C:\WINDOWS\Explorer.EXE[2812] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffa712a181a 4 bytes [2A, 71, FA, 7F]
.text C:\WINDOWS\Explorer.EXE[2812] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffa712a1832 4 bytes [2A, 71, FA, 7F]
.text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5536] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffa4f9a1f6a 4 bytes [9A, 4F, FA, 7F]
.text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[5536] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffa4f9a1f82 4 bytes [9A, 4F, FA, 7F]

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\system32\csrss.exe [652:668] fffff96000957b90
Thread [3784:4812] 00007ffa732547e0
Thread [3784:1956] 00007ffa72930310
Thread [3784:4348] 00007ffa5d8c5d40
Thread [3784:664] 00007ffa5d8c1ad0
Thread [3784:1544] 00007ffa5d8c1af0
Thread [3784:6272] 00007ffa5d8c1ae0
Thread [3784:1636] 00007ffa5d8c1b00
Thread [3784:3140] 00007ffa5d8c1b10
Thread [3784:2624] 00007ffa5d8c1b20

---- Processes - GMER 2.1 ----

Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE [6800] 000000006a740000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\csi.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE [6800] 0000000063e90000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\ACEOLEDB.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE [6800] 0000000063e40000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----