GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-11-05 16:38:35
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002e ST1000LM024_HN-M101MBB rev.2AR10001 931,51GB
Running: gmer.exe; Driver: C:\Users\Admin\AppData\Local\Temp\kxtdrpow.sys

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\dwm.exe[1372] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb4c833e10 7 bytes JMP 00007ffc4c1802d0
.text C:\WINDOWS\system32\dwm.exe[1372] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffb4c833e20 7 bytes JMP 00007ffc4c180308
.text C:\WINDOWS\system32\dwm.exe[1372] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffb4c8e39b0 7 bytes JMP 00007ffc4c1803b0
.text C:\WINDOWS\system32\dwm.exe[1372] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffb4c8e3ef0 7 bytes JMP 00007ffc4c180340
.text C:\WINDOWS\system32\dwm.exe[1372] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffb4c8e3fe0 7 bytes JMP 00007ffc4c180378
.text C:\WINDOWS\system32\dwm.exe[1372] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffb4c9106c0 7 bytes JMP 00007ffc4c180228
.text C:\WINDOWS\system32\dwm.exe[1372] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffb4c910730 7 bytes JMP 00007ffc4c180298
.text C:\WINDOWS\system32\dwm.exe[1372] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ffb4c910760 7 bytes JMP 00007ffc4c180260
.text C:\WINDOWS\system32\dwm.exe[1372] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffb4c1921d0 5 bytes JMP 00007ffc4c180180
.text C:\WINDOWS\system32\dwm.exe[1372] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffb4c1929d0 7 bytes JMP 00007ffc4c1800d8
.text C:\WINDOWS\system32\dwm.exe[1372] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffb4c194310 5 bytes JMP 00007ffc4c180110
.text C:\WINDOWS\system32\dwm.exe[1372] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffb4c198900 5 bytes JMP 00007ffc4c180148
.text C:\WINDOWS\system32\dwm.exe[1372] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffb4e766d90 10 bytes JMP 00007ffc4c180490
.text C:\WINDOWS\system32\dwm.exe[1372] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffb4e7774a0 5 bytes JMP 00007ffc4c180458
.text C:\WINDOWS\system32\dwm.exe[1372] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffb4e777560 1 byte JMP 00007ffc4c1803e8
.text C:\WINDOWS\system32\dwm.exe[1372] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo + 2 00007ffb4e777562 7 bytes {JMP 0xfffffffffda08e88}
.text C:\WINDOWS\system32\dwm.exe[1372] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffb4e786b10 5 bytes JMP 00007ffc4c180420
.text C:\WINDOWS\system32\dwm.exe[1372] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffb4e171500 8 bytes JMP 00007ffc4c1801b8
.text C:\WINDOWS\system32\dwm.exe[1372] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffb4e171750 8 bytes JMP 00007ffc4c1801f0
.text C:\WINDOWS\system32\dwm.exe[1372] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory 00007ffb49d57750 5 bytes JMP 00007ffc49b900d8
.text C:\WINDOWS\system32\dwm.exe[1372] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 00007ffb49d58ee0 5 bytes JMP 00007ffc49b90110

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\system32\csrss.exe [1072:1080] fffff960008442d0
Thread C:\WINDOWS\System32\svchost.exe [4280:5084] 00007ffb43737470
Thread C:\WINDOWS\System32\svchost.exe [4280:4080] 00007ffb43737470

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----