GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-08-07 12:10:17
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002d TOSHIBA_MQ01ABD100 rev.AX001C 931,51GB
Running: gmer.exe; Driver: C:\Users\UKASZ~1\AppData\Local\Temp\pgriipob.sys

---- User code sections - GMER 2.1 ----

.text  C:\WINDOWS\system32\dwm.exe[948]  C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation  00007ffb315c3e10 7 bytes JMP 00007ffc312b02d0
.text  C:\WINDOWS\system32\dwm.exe[948]  C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW  00007ffb315c3e20 7 bytes JMP 00007ffc312b0308
.text  C:\WINDOWS\system32\dwm.exe[948]  C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW  00007ffb316739b0 7 bytes JMP 00007ffc312b03b0
.text  C:\WINDOWS\system32\dwm.exe[948]  C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW  00007ffb31673ef0 7 bytes JMP 00007ffc312b0340
.text  C:\WINDOWS\system32\dwm.exe[948]  C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA  00007ffb31673fe0 7 bytes JMP 00007ffc312b0378
.text  C:\WINDOWS\system32\dwm.exe[948]  C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx  00007ffb316a06c0 7 bytes JMP 00007ffc312b0228
.text  C:\WINDOWS\system32\dwm.exe[948]  C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW  00007ffb316a0730 7 bytes JMP 00007ffc312b0298
.text  C:\WINDOWS\system32\dwm.exe[948]  C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW  00007ffb316a0760 7 bytes JMP 00007ffc312b0260
.text  C:\WINDOWS\system32\dwm.exe[948]  C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary  00007ffb313121d0 5 bytes JMP 00007ffc312b0180
.text  C:\WINDOWS\system32\dwm.exe[948]  C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW  00007ffb313129d0 7 bytes JMP 00007ffc312b00d8
.text  C:\WINDOWS\system32\dwm.exe[948]  C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW  00007ffb31314310 5 bytes JMP 00007ffc312b0110
.text  C:\WINDOWS\system32\dwm.exe[948]  C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW  00007ffb31318d80 5 bytes JMP 00007ffc312b0148
.text  C:\WINDOWS\system32\dwm.exe[948]  C:\WINDOWS\system32\USER32.dll!CreateWindowExW  00007ffb31436d90 10 bytes JMP 00007ffc312b0490
.text  C:\WINDOWS\system32\dwm.exe[948]  C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW  00007ffb314474a0 5 bytes JMP 00007ffc312b0458
.text  C:\WINDOWS\system32\dwm.exe[948]  C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo  00007ffb31447560 1 byte JMP 00007ffc312b03e8
.text  C:\WINDOWS\system32\dwm.exe[948]  C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo + 2  00007ffb31447562 7 bytes {JMP 0xffffffffffe68e88}
.text  C:\WINDOWS\system32\dwm.exe[948]  C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA  00007ffb31456b10 5 bytes JMP 00007ffc312b0420
.text  C:\WINDOWS\system32\dwm.exe[948]  C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList  00007ffb31da1500 8 bytes JMP 00007ffc312b01b8
.text  C:\WINDOWS\system32\dwm.exe[948]  C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo  00007ffb31da1750 8 bytes JMP 00007ffc312b01f0
.text  C:\WINDOWS\system32\dwm.exe[948]  C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory  00007ffb2e337750 5 bytes JMP 00007ffc2e1b00d8
.text  C:\WINDOWS\system32\dwm.exe[948]  C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1  00007ffb2e338ee0 5 bytes JMP 00007ffc2e1b0110

---- Threads - GMER 2.1 ----

Thread  C:\WINDOWS\system32\csrss.exe [632:640]  fffff960009022d0
Thread  C:\Windows\System32\SettingSyncHost.exe [3492:3504]  00007ffb1e7a7090
Thread  C:\Windows\System32\SettingSyncHost.exe [3492:5264]  00007ffb2970cba0

---- Processes - GMER 2.1 ----

Process  C:\Users\ (*** suspicious ***) @ C:\Users\  00007ff732e90000
Process  C:\Users\UKASZ~1\AppData\Local\Temp\7zODB58.tmp\gmer.exe (*** suspicious ***) @ C:\Users\UKASZ~1\AppData\Local\Temp\7zODB58.tmp\gmer.exe [4128](2015-08-07 09:59:05)  0000000000400000

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.1 ----