GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-06-17 23:00:48 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002f HGST_HTS541075A9E680 rev.JA2OA5G0 698,64GB Running: 11bjdc0r.exe; Driver: C:\Users\SONY\AppData\Local\Temp\pxldypog.sys ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\dwm.exe[1168] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffc79e43e10 7 bytes JMP 00007ffd77dc02d0 .text C:\WINDOWS\system32\dwm.exe[1168] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffc79e43e20 7 bytes JMP 00007ffd77dc0308 .text C:\WINDOWS\system32\dwm.exe[1168] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffc79ef39b0 7 bytes JMP 00007ffd77dc03b0 .text C:\WINDOWS\system32\dwm.exe[1168] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffc79ef3ef0 7 bytes JMP 00007ffd77dc0340 .text C:\WINDOWS\system32\dwm.exe[1168] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffc79ef3fe0 7 bytes JMP 00007ffd77dc0378 .text C:\WINDOWS\system32\dwm.exe[1168] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffc79f206c0 7 bytes JMP 00007ffd77dc0228 .text C:\WINDOWS\system32\dwm.exe[1168] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffc79f20730 7 bytes JMP 00007ffd77dc0298 .text C:\WINDOWS\system32\dwm.exe[1168] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ffc79f20760 7 bytes JMP 00007ffd77dc0260 .text C:\WINDOWS\system32\dwm.exe[1168] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffc77dd21d0 5 bytes JMP 00007ffd77dc0180 .text C:\WINDOWS\system32\dwm.exe[1168] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffc77dd29d0 7 bytes JMP 00007ffd77dc00d8 .text C:\WINDOWS\system32\dwm.exe[1168] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffc77dd4310 5 bytes JMP 00007ffd77dc0110 .text C:\WINDOWS\system32\dwm.exe[1168] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffc77dd8d80 5 bytes JMP 00007ffd77dc0148 .text C:\WINDOWS\system32\dwm.exe[1168] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffc797d6d90 10 bytes JMP 00007ffd77dc0490 .text C:\WINDOWS\system32\dwm.exe[1168] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffc797e74a0 5 bytes JMP 00007ffd77dc0458 .text C:\WINDOWS\system32\dwm.exe[1168] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffc797e7560 1 byte JMP 00007ffd77dc03e8 .text C:\WINDOWS\system32\dwm.exe[1168] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo + 2 00007ffc797e7562 7 bytes {JMP 0xfffffffffe5d8e88} .text C:\WINDOWS\system32\dwm.exe[1168] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffc797f6b10 5 bytes JMP 00007ffd77dc0420 .text C:\WINDOWS\system32\dwm.exe[1168] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffc78141500 8 bytes JMP 00007ffd77dc01b8 .text C:\WINDOWS\system32\dwm.exe[1168] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffc78141750 8 bytes JMP 00007ffd77dc01f0 .text C:\WINDOWS\system32\dwm.exe[1168] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory 00007ffc75a57750 5 bytes JMP 00007ffd75a400d8 .text C:\WINDOWS\system32\dwm.exe[1168] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 00007ffc75a58ee0 5 bytes JMP 00007ffd75a40110 .text C:\WINDOWS\system32\taskhost.exe[3436] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[3748] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\WINDOWS\system32\taskhostex.exe[3776] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\WINDOWS\system32\taskhost.exe[3840] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\Program Files (x86)\Sony\VAIO Control Center\SUSSoundProxy.exe[3848] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4256] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\WINDOWS\system32\svchost.exe[4536] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\WINDOWS\system32\SearchIndexer.exe[4620] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\Windows\System32\WUDFHost.exe[4672] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\WINDOWS\system32\lpksetup.exe[4688] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\WINDOWS\servicing\TrustedInstaller.exe[4972] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17709_none_fa7932f59afc2e40\TiWorker.exe[2072] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\Windows\System32\RuntimeBroker.exe[4816] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\Program Files\Sony\VAIO Care\ESRV\esrv.exe[5388] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\WINDOWS\system32\conhost.exe[5396] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\Program Files\Sony\VAIO Update\vuagent.exe[5868] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\Program Files\Sony\VAIO Care\ESRV\esrv_svc.exe[5928] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[6104] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\Windows\System32\skydrive.exe[3740] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[4464] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe[3880] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3156] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3064] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\Windows\System32\SettingSyncHost.exe[5432] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\WINDOWS\System32\Taskmgr.exe[5104] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 .text C:\WINDOWS\explorer.exe[1796] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc77deef70 5 bytes JMP 00007ffd6d8a1270 ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [316:476] fffff960008fc2d0 Thread C:\WINDOWS\system32\svchost.exe [1912:4788] 00007ffc5f1b4440 Thread C:\WINDOWS\system32\svchost.exe [1912:4800] 00007ffc5f151600 Thread C:\WINDOWS\system32\svchost.exe [1912:4808] 00007ffc5f071b70 Thread C:\WINDOWS\system32\BackgroundTransferHost.exe [5212:5248] 00007ffc79c812c0 Thread C:\WINDOWS\system32\BackgroundTransferHost.exe [5212:5572] 00007ffc6fccbf10 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----