GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-24 18:11:23 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000034 Hitachi_HTS547575A9E384 rev.JE4OA60A 698,64GB Running: jzdlh3ej.exe; Driver: C:\Users\SAWEK~1\AppData\Local\Temp\pwryipoc.sys ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\dwm.exe[9880] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffc311a3e10 7 bytes JMP 00007ffd300502d0 .text C:\WINDOWS\system32\dwm.exe[9880] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffc311a3e20 7 bytes JMP 00007ffd30050308 .text C:\WINDOWS\system32\dwm.exe[9880] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffc312539b0 7 bytes JMP 00007ffd300503b0 .text C:\WINDOWS\system32\dwm.exe[9880] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffc31253ef0 7 bytes JMP 00007ffd30050340 .text C:\WINDOWS\system32\dwm.exe[9880] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffc31253fe0 7 bytes JMP 00007ffd30050378 .text C:\WINDOWS\system32\dwm.exe[9880] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffc312806c0 7 bytes JMP 00007ffd30050228 .text C:\WINDOWS\system32\dwm.exe[9880] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffc31280730 7 bytes JMP 00007ffd30050298 .text C:\WINDOWS\system32\dwm.exe[9880] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ffc31280760 7 bytes JMP 00007ffd30050260 .text C:\WINDOWS\system32\dwm.exe[9880] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffc300b21d0 5 bytes JMP 00007ffd30050180 .text C:\WINDOWS\system32\dwm.exe[9880] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffc300b29d0 7 bytes JMP 00007ffd300500d8 .text C:\WINDOWS\system32\dwm.exe[9880] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffc300b4310 5 bytes JMP 00007ffd30050110 .text C:\WINDOWS\system32\dwm.exe[9880] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffc300b8d80 5 bytes JMP 00007ffd30050148 .text C:\WINDOWS\system32\dwm.exe[9880] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffc30f66d90 10 bytes JMP 00007ffd30050490 .text C:\WINDOWS\system32\dwm.exe[9880] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffc30f774a0 5 bytes JMP 00007ffd30050458 .text C:\WINDOWS\system32\dwm.exe[9880] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffc30f77560 1 byte JMP 00007ffd300503e8 .text C:\WINDOWS\system32\dwm.exe[9880] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo + 2 00007ffc30f77562 7 bytes {JMP 0xffffffffff0d8e88} .text C:\WINDOWS\system32\dwm.exe[9880] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffc30f86b10 5 bytes JMP 00007ffd30050420 .text C:\WINDOWS\system32\dwm.exe[9880] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffc329d1500 8 bytes JMP 00007ffd300501b8 .text C:\WINDOWS\system32\dwm.exe[9880] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffc329d1750 8 bytes JMP 00007ffd300501f0 .text C:\WINDOWS\system32\dwm.exe[9880] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory 00007ffc2e207750 5 bytes JMP 00007ffd2e1f00d8 .text C:\WINDOWS\system32\dwm.exe[9880] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 00007ffc2e208ee0 5 bytes JMP 00007ffd2e1f0110 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\system32\KERNEL32.dll!K32GetModuleInformation 00007ffc311a3e10 7 bytes JMP 00007ffd300303b0 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\system32\KERNEL32.dll!RegQueryValueExW 00007ffc311a3e20 7 bytes JMP 00007ffd300303e8 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\system32\KERNEL32.dll!RegSetValueExW 00007ffc312539b0 7 bytes JMP 00007ffd30030490 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\system32\KERNEL32.dll!RegDeleteValueW 00007ffc31253ef0 7 bytes JMP 00007ffd30030420 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\system32\KERNEL32.dll!RegSetValueExA 00007ffc31253fe0 7 bytes JMP 00007ffd30030458 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\system32\KERNEL32.dll!K32EnumProcessModulesEx 00007ffc312806c0 7 bytes JMP 00007ffd30030308 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\system32\KERNEL32.dll!K32GetMappedFileNameW 00007ffc31280730 7 bytes JMP 00007ffd30030378 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\system32\KERNEL32.dll!K32GetModuleFileNameExW 00007ffc31280760 7 bytes JMP 00007ffd30030340 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffc300b21d0 5 bytes JMP 00007ffd30030180 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffc300b29d0 7 bytes JMP 00007ffd300300d8 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffc300b4310 5 bytes JMP 00007ffd30030110 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffc300b8d80 5 bytes JMP 00007ffd30030148 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance 00007ffc32b6d050 7 bytes JMP 00007ffd30030228 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket 00007ffc32b9b170 5 bytes JMP 00007ffd30030260 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffc30f66d90 10 bytes JMP 00007ffd30030570 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffc30f774a0 5 bytes JMP 00007ffd30030538 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffc30f77560 9 bytes JMP 00007ffd300304c8 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffc30f86b10 5 bytes JMP 00007ffd30030500 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffc329d1500 8 bytes JMP 00007ffd300301b8 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffc329d1750 8 bytes JMP 00007ffd300301f0 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\SYSTEM32\d3d9.dll!Direct3DCreate9Ex 00007ffc151fead0 5 bytes JMP 00007ffc300302d0 .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4596] C:\WINDOWS\SYSTEM32\d3d9.dll!Direct3DCreate9 00007ffc1522eb90 6 bytes JMP 00007ffc30030298 ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [10076:10044] fffff960008772d0 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----