GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2016-02-12 14:21:16
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000030 TOSHIBA_MQ01ABD075 rev.AX0A4M 698,64GB
Running: d53nvs1h.exe; Driver: C:\Users\Kamila\AppData\Local\Temp\uxldypob.sys


---- Kernel code sections - GMER 2.1 ----

.text   C:\WINDOWS\System32\win32k.sys!W32pServiceTable        fffff96000093400 15 bytes [00, 58, F1, 01, C0, 46, 6B, ...]
.text   C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16   fffff96000093410 11 bytes [00, C5, FB, FF, C0, 46, CA, ...]

---- User code sections - GMER 2.1 ----

.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation      00007ff813bd3e10 7 bytes JMP 00007ff911aa0260
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW             00007ff813bd3e20 7 bytes JMP 00007ff911aa0298
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW               00007ff813c839b0 7 bytes JMP 00007ff911aa0340
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW              00007ff813c83ef0 7 bytes JMP 00007ff911aa02d0
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA               00007ff813c83fe0 7 bytes JMP 00007ff911aa0308
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx      00007ff813cb06c0 7 bytes JMP 00007ff911aa01f0
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW        00007ff813cb0730 7 bytes JMP 00007ff911aa0228
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary                00007ff811b021d0 5 bytes JMP 00007ff911aa0180
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW           00007ff811b029d0 7 bytes JMP 00007ff911aa00d8
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW         00007ff811b04310 5 bytes JMP 00007ff911aa0110
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW             00007ff811b08900 5 bytes JMP 00007ff911aa0148
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW       00007ff811b7f050 5 bytes JMP 00007ff911aa01b8
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\USER32.dll!CreateWindowExW                00007ff813789920 10 bytes JMP 00007ff911aa0458
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW            00007ff813794430 5 bytes JMP 00007ff911aa03e8
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo     00007ff8137944f0 1 byte JMP 00007ff911aa0378
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo + 2 00007ff8137944f2 7 bytes {JMP 0xfffffffffe30be88}
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA            00007ff8137a3b80 5 bytes JMP 00007ff911aa03b0
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW       00007ff8137a5cd0 5 bytes JMP 00007ff911aa0420
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList        00007ff813fe1500 1 byte JMP 00007ff911aa0490
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2    00007ff813fe1502 6 bytes {JMP 0xfffffffffdabef90}
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo          00007ff813fe1750 8 bytes JMP 00007ff911aa04c8
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory                00007ff80f607750 5 bytes JMP 00007ff90f5f00d8
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1               00007ff80f608ee0 5 bytes JMP 00007ff90f5f0110
.text   C:\Program Files (x86)\Battle.net\Battle.net.6734\Battle.net.exe[5840] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3    000000006feb1003 2 bytes {JMP 0x71}
.text   C:\Program Files (x86)\Battle.net\Battle.net.6734\Battle.net.exe[5840] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22   000000006feb1016 2 bytes {JMP 0x71}
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[2476] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3    000000006feb1003 2 bytes {JMP 0x71}
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[2476] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22   000000006feb1016 2 bytes {JMP 0x71}

---- Threads - GMER 2.1 ----

Thread  C:\WINDOWS\system32\csrss.exe [532:2012]   fffff9600091f2d0

---- Disk sectors - GMER 2.1 ----

Disk    \Device\Harddisk0\DR0   unknown MBR code

---- EOF - GMER 2.1 ----
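The "User code sections" block above is the part of a GMER log a responder usually triages by hand: each `.text` entry is an inline hook (a patched function prologue) in one process, with the address the patch jumps to. The Python below is an added illustration, not part of the GMER log and not GMER's own code: it parses such entries and groups each process's hooks by the 64 KiB region (the Windows virtual-memory allocation granularity) that the hooks jump into, so that a cluster of hooks landing in one region reads as one injected module or trampoline block. The sample input is copied from the entries above; the function and variable names are the script's own. Whether a target region is a vendor overlay, a detours-style library or malware cannot be decided from the log alone, since GMER does not print the process's module list here; the grouping only tells you which region to look up next.

```python
"""Group the user-mode inline hooks of a GMER log by process and by the
64 KiB region the hooks jump into (added example; not GMER's own code)."""
import re
from collections import defaultdict

# One ".text" entry of GMER's "User code sections" block:
#   .text  <process path>[<pid>] <module path>!<symbol>[ + <off>]  <addr> <n> byte(s) <patch>
ENTRY_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>.+?)!(?P<symbol>\S+(?: \+ \d+)?)\s+"
    r"(?P<addr>[0-9a-f]{16})\s+(?P<size>\d+) bytes?\s+(?P<patch>.+)$"
)
# GMER prints a resolved absolute target as "JMP <addr>"; a relative jump it
# disassembled but did not resolve is printed in braces, "{JMP 0x...}".
ABS_JMP_RE = re.compile(r"^JMP ([0-9a-f]{16})$")
REL_JMP_RE = re.compile(r"^\{JMP 0x([0-9a-f]+)\}$")

ALLOC_GRANULARITY = 0x10000  # Windows reserves virtual memory in 64 KiB units

# Constructed sample: entries copied from the GMER log above.
SAMPLE_LOG = r"""
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation      00007ff813bd3e10 7 bytes JMP 00007ff911aa0260
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW               00007ff813c839b0 7 bytes JMP 00007ff911aa0340
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW             00007ff811b08900 5 bytes JMP 00007ff911aa0148
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo     00007ff8137944f0 1 byte JMP 00007ff911aa0378
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo + 2 00007ff8137944f2 7 bytes {JMP 0xfffffffffe30be88}
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo          00007ff813fe1750 8 bytes JMP 00007ff911aa04c8
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory                00007ff80f607750 5 bytes JMP 00007ff90f5f00d8
.text   C:\WINDOWS\system32\dwm.exe[840] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1               00007ff80f608ee0 5 bytes JMP 00007ff90f5f0110
.text   C:\Program Files (x86)\Battle.net\Battle.net.6734\Battle.net.exe[5840] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3    000000006feb1003 2 bytes {JMP 0x71}
.text   C:\Program Files (x86)\Skype\Phone\Skype.exe[2476] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3    000000006feb1003 2 bytes {JMP 0x71}
"""


def parse_entries(log_text):
    """Yield one dict per user-mode hook entry. Lines that are not
    '.text <proc>[pid] ...' entries (section headers, kernel entries,
    blank lines) are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        patch = m.group("patch").strip()
        abs_m = ABS_JMP_RE.match(patch)
        rel_m = REL_JMP_RE.match(patch)
        yield {
            "process": m.group("proc") + "[" + m.group("pid") + "]",
            "pid": int(m.group("pid")),
            "module": m.group("module").rsplit("\\", 1)[-1],  # file name only
            "symbol": m.group("symbol"),
            "addr": int(m.group("addr"), 16),
            "size": int(m.group("size")),
            "target": int(abs_m.group(1), 16) if abs_m else None,
            "relative": rel_m.group(1) if rel_m else None,  # unresolved by GMER
        }


def summarize(log_text):
    """Return {process: {region_start: ["module!symbol", ...]}}, where
    region_start is the 64 KiB-aligned base of the hook's jump target.
    Hooks whose target GMER left as a relative jump are collected under None."""
    summary = defaultdict(lambda: defaultdict(list))
    for e in parse_entries(log_text):
        region = None
        if e["target"] is not None:
            region = e["target"] & ~(ALLOC_GRANULARITY - 1)
        summary[e["process"]][region].append(e["module"] + "!" + e["symbol"])
    return {p: {r: sorted(v) for r, v in regs.items()} for p, regs in summary.items()}


def report(log_text):
    """Human-readable version of summarize(): one block per process,
    resolved regions first, unresolved relative jumps last."""
    out = []
    for proc, regions in summarize(log_text).items():
        out.append(proc)
        ordered = sorted(regions.items(), key=lambda kv: (kv[0] is None, kv[0] or 0))
        for region, hooks in ordered:
            if region is None:
                label = "-> unresolved relative jmp"
            else:
                label = f"-> {region:016x}-{region + ALLOC_GRANULARITY - 1:016x}"
            out.append(f"  {label}: {len(hooks)} hook(s)")
            out.extend(f"      {h}" for h in hooks)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample, dwm.exe's hooks collapse into two regions (00007ff911aa0000 and 00007ff90f5f0000) plus the one `+ 2` entry GMER reported as an unresolved relative jump; the next step would be to map those two regions to loaded modules from a memory dump or a module listing of PID 840, which this log does not contain.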