GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-04-03 13:23:49
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000033 ST1000LM014-1EJ164 rev.LVD3 931,51GB
Running: 69bppgu9.exe; Driver: C:\Users\Damian\AppData\Local\Temp\kwryaaod.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\KERNEL32.DLL!K32GetModuleInformation 00007ff93d163e10 7 bytes JMP 00007ffa3be60260
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\KERNEL32.DLL!RegQueryValueExW 00007ff93d163e20 7 bytes JMP 00007ffa3be60298
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\KERNEL32.DLL!RegSetValueExW 00007ff93d2139b0 7 bytes JMP 00007ffa3be60340
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\KERNEL32.DLL!RegDeleteValueW 00007ff93d213ef0 7 bytes JMP 00007ffa3be602d0
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\KERNEL32.DLL!RegSetValueExA 00007ff93d213fe0 7 bytes JMP 00007ffa3be60308
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ff93d2406c0 7 bytes JMP 00007ffa3be601f0
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ff93d240730 3 bytes JMP 00007ffa3be60228
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\KERNEL32.DLL!K32GetMappedFileNameW + 4 00007ff93d240734 3 bytes [FE, CC, CC]
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 00007ff93be721d0 5 bytes JMP 00007ffa3be60180
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 00007ff93be729d0 7 bytes JMP 00007ffa3be600d8
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 00007ff93be74310 5 bytes JMP 00007ffa3be60110
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 00007ff93be78d80 5 bytes JMP 00007ffa3be60148
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ff93beef0b0 5 bytes JMP 00007ffa3be601b8
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\USER32.dll!CreateWindowExW 00007ff93c556d90 1 byte JMP 00007ffa3be60420
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\USER32.dll!CreateWindowExW + 2 00007ff93c556d92 8 bytes {JMP 0xffffffffff909690}
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\USER32.dll!EnumDisplayDevicesW 00007ff93c5674a0 5 bytes JMP 00007ffa3be603e8
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ff93c567560 9 bytes JMP 00007ffa3be60378
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\USER32.dll!ChangeDisplaySettingsExW 00007ff93c567730 5 bytes JMP 00007ffa3be60458
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\USER32.dll!EnumDisplayDevicesA 00007ff93c576b10 5 bytes JMP 00007ffa3be603b0
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ff93c6e1500 1 byte JMP 00007ffa3be60490
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ff93c6e1502 6 bytes {JMP 0xffffffffff77ef90}
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ff93c6e1750 8 bytes JMP 00007ffa3be604c8
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 00007ff939af7750 5 bytes JMP 00007ffa39ae00d8
.text C:\Windows\system32\dwm.exe[1008] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 00007ff939af8ee0 5 bytes JMP 00007ffa39ae0110

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\csrss.exe [656:7092] fffff960008f62d0
Thread C:\Windows\system32\svchost.exe [492:7104] 00007ff925f01050
Thread C:\Windows\system32\svchost.exe [492:5060] 00007ff9236539b0
Thread C:\Windows\System32\SettingSyncHost.exe [5336:2992] 00007ff91b947090

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----