GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2014-11-04 13:42:16 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000036 ST1000LM024_HN-M101MBB rev.2AR10002 931,51GB Running: m57g1hli.exe; Driver: C:\Users\arekw77\AppData\Local\Temp\pxldrpoc.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff96000179e00 15 bytes [00, F1, F6, 01, 40, 8F, 6C, ...] .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16 fffff96000179e10 11 bytes [00, 6D, FC, FF, 00, A3, C3, ...] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\dwm.exe[700] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ff8e95728c0 7 bytes JMP 00007ff9e8d402d0 .text C:\WINDOWS\system32\dwm.exe[700] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ff8e95743d8 7 bytes JMP 00007ff9e8d40308 .text C:\WINDOWS\system32\dwm.exe[700] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ff8e9621f20 7 bytes JMP 00007ff9e8d40378 .text C:\WINDOWS\system32\dwm.exe[700] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ff8e96240b4 7 bytes JMP 00007ff9e8d403b0 .text C:\WINDOWS\system32\dwm.exe[700] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ff8e9624510 7 bytes JMP 00007ff9e8d40340 .text C:\WINDOWS\system32\dwm.exe[700] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ff8e9624af0 7 bytes JMP 00007ff9e8d40260 .text C:\WINDOWS\system32\dwm.exe[700] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ff8e964cea0 7 bytes JMP 00007ff9e8d40228 .text C:\WINDOWS\system32\dwm.exe[700] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ff8e964cf10 7 bytes JMP 00007ff9e8d40298 .text C:\WINDOWS\system32\dwm.exe[700] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ff8e8d5299c 7 bytes JMP 00007ff9e8d400d8 .text C:\WINDOWS\system32\dwm.exe[700] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ff8e8d554c8 5 bytes JMP 00007ff9e8d40180 .text C:\WINDOWS\system32\dwm.exe[700] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ff8e8d555b0 5 bytes JMP 00007ff9e8d40148 .text C:\WINDOWS\system32\dwm.exe[700] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ff8e8d55e58 5 bytes JMP 00007ff9e8d40110 .text C:\WINDOWS\system32\dwm.exe[700] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ff8eb42b6f4 10 bytes JMP 00007ff9e8d40490 .text C:\WINDOWS\system32\dwm.exe[700] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ff8eb4345e8 5 bytes JMP 00007ff9e8d40458 .text C:\WINDOWS\system32\dwm.exe[700] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ff8eb434760 1 byte JMP 00007ff9e8d403e8 .text C:\WINDOWS\system32\dwm.exe[700] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo + 2 00007ff8eb434762 7 bytes {JMP 0xfffffffffd90bc88} .text C:\WINDOWS\system32\dwm.exe[700] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ff8eb444fc0 5 bytes JMP 00007ff9e8d40420 .text C:\WINDOWS\system32\dwm.exe[700] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ff8eb2d1500 8 bytes JMP 00007ff9e8d401b8 .text C:\WINDOWS\system32\dwm.exe[700] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ff8eb2d1750 8 bytes JMP 00007ff9e8d401f0 .text C:\WINDOWS\system32\dwm.exe[700] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 00007ff8e6867a88 5 bytes JMP 00007ff9e6850110 .text C:\WINDOWS\system32\dwm.exe[700] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory 00007ff8e6874990 5 bytes JMP 00007ff9e68500d8 .text C:\WINDOWS\system32\nvvsvc.exe[864] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff8eb0d169a 4 bytes [0D, EB, F8, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[864] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff8eb0d16a2 4 bytes [0D, EB, F8, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[864] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff8eb0d181a 4 bytes [0D, EB, F8, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[864] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff8eb0d1832 4 bytes [0D, EB, F8, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1112] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff8eb0d169a 4 bytes [0D, EB, F8, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1112] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff8eb0d16a2 4 bytes [0D, EB, F8, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1112] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff8eb0d181a 4 bytes [0D, EB, F8, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1112] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff8eb0d1832 4 bytes [0D, EB, F8, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1112] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ff8df1a1f6a 4 bytes [1A, DF, F8, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1112] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ff8df1a1f82 4 bytes [1A, DF, F8, 7F] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2432] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff8eb0d169a 4 bytes [0D, EB, F8, 7F] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2432] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff8eb0d16a2 4 bytes [0D, EB, F8, 7F] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2432] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff8eb0d181a 4 bytes [0D, EB, F8, 7F] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2432] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff8eb0d1832 4 bytes [0D, EB, F8, 7F] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2552] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff8eb0d169a 4 bytes [0D, EB, F8, 7F] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2552] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff8eb0d16a2 4 bytes [0D, EB, F8, 7F] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2552] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff8eb0d181a 4 bytes [0D, EB, F8, 7F] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2552] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff8eb0d1832 4 bytes [0D, EB, F8, 7F] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1476] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff8eb0d169a 4 bytes [0D, EB, F8, 7F] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1476] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff8eb0d16a2 4 bytes [0D, EB, F8, 7F] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1476] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff8eb0d181a 4 bytes [0D, EB, F8, 7F] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1476] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff8eb0d1832 4 bytes [0D, EB, F8, 7F] .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[3876] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ff8df1a1f6a 4 bytes [1A, DF, F8, 7F] .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[3876] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ff8df1a1f82 4 bytes [1A, DF, F8, 7F] ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [780:2224] fffff960008c7b90 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----