GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-04-27 19:13:41
Windows 6.2.9200 x64
\Device\Harddisk0\DR0 -> \Device\00000030 HGST_HTS545050A7E380 rev.GG2OAC90 465,76GB
Running: 35h9qo15.exe; Driver: C:\Users\lenovo\AppData\Local\Temp\pxryrpod.sys

---- User code sections - GMER 2.2 ----

.text C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ff85111b4e0 10 bytes JMP 00007ff84e240420
.text C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ff851132800 5 bytes JMP 00007ff84e2403b0
.text C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ff851136360 7 bytes JMP 00007ff84e240458
.text C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ff851136540 5 bytes JMP 00007ff84e2403e8
.text C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ff851138700 9 bytes JMP 00007ff84e240378
.text C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory 00007ff84b0c5850 5 bytes JMP 00007ff84ac900d8
.text C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 00007ff84b0c59b0 5 bytes JMP 00007ff84ac90110
? C:\WINDOWS\SYSTEM32\iertutil.dll [2196] entry point in ".rdata" section 000000007228caf0
? C:\WINDOWS\SYSTEM32\NTASN1.dll [2196] entry point in ".rdata" section 000000006eb6bb10
? C:\Windows\System32\iertutil.dll [1900] entry point in ".rdata" section 000000007228caf0
? C:\WINDOWS\SYSTEM32\iertutil.dll [1088] entry point in ".rdata" section 000000007228caf0
? C:\WINDOWS\SYSTEM32\NTASN1.dll [1088] entry point in ".rdata" section 000000006eb6bb10
? C:\WINDOWS\SYSTEM32\iertutil.dll [5124] entry point in ".rdata" section 000000007228caf0
? C:\WINDOWS\system32\apphelp.dll [5728] entry point in ".rdata" section 000000006e960380
? C:\Windows\SYSTEM32\iertutil.dll [5728] entry point in ".rdata" section 000000007228caf0
? C:\WINDOWS\SYSTEM32\NTASN1.dll [5728] entry point in ".rdata" section 000000006eb6bb10
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5728] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 000000006b4d1003 2 bytes [4D, 6B]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5728] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 000000006b4d1016 2 bytes [4D, 6B]
? C:\Windows\SYSTEM32\ActXPrxy.dll [5728] entry point in ".rdata" section 000000006defbc40
? C:\WINDOWS\system32\apphelp.dll [5752] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [5872] entry point in ".rdata" section 000000006e960380
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5872] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 000000006b4d1003 2 bytes [4D, 6B]
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5872] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 000000006b4d1016 2 bytes [4D, 6B]
? C:\WINDOWS\SYSTEM32\NTASN1.dll [5872] entry point in ".rdata" section 000000006eb6bb10
? C:\WINDOWS\system32\apphelp.dll [5940] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [5948] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [5956] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [5964] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [5972] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [5980] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [6084] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [6104] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\SYSTEM32\iertutil.dll [6116] entry point in ".rdata" section 000000007228caf0
? C:\WINDOWS\SYSTEM32\NTASN1.dll [6116] entry point in ".rdata" section 000000006eb6bb10
.text C:\Program Files (x86)\Steam\Steam.exe[5636] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 000000006b4d1003 2 bytes [4D, 6B]
.text C:\Program Files (x86)\Steam\Steam.exe[5636] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 000000006b4d1016 2 bytes [4D, 6B]
? C:\WINDOWS\SYSTEM32\NTASN1.dll [6428] entry point in ".rdata" section 000000006eb6bb10
? C:\WINDOWS\system32\apphelp.dll [6664] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [6836] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [6196] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [6968] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [6920] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [6904] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [3960] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [3828] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [7560] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [7668] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [7928] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [8188] entry point in ".rdata" section 0000000001070380
? C:\WINDOWS\system32\apphelp.dll [7532] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [1568] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [4520] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [4176] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [7964] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [1920] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [3420] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [1892] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [8804] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [6892] entry point in ".rdata" section 000000006e960380

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [784:824] fffff960d56f4060

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1882714342
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\606c663c7da4
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c8-d7-19-d7-88-20@ClientLocalPort 63307
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c8-d7-19-d7-88-20@AddressCreationTimestamp 0xAD 0x71 0x31 0x0D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c8-d7-19-d7-88-20@TeredoAddress 2001:0:5ef5:79fb:8c9:8b4:b202:af35
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 1646
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 99
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xF2 0x85 0x34 0x2C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xF2 0xED 0xF8 0x8D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xF2 0x1D 0x70 0xCA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0xDA 0xD9 0x37 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\1@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\1@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0xB3 0xB1 0xD1 0xA2 ...

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----
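Triaging a "User code sections" block like the one above by hand means separating three record shapes (inline JMP hooks in system DLLs, "entry point in .rdata" notes per process, and byte-level patches such as the detoured.dll ones) and then asking the questions that actually matter: which hooks point into the same foreign module, whether a DLL is reported at more than one base across processes, and whether a 2-byte patch is really a hook or just a relocated pointer. The Python below is an added example written for this page; it is not GMER's code and the record grammar it uses is inferred from the lines of this log, not taken from any GMER documentation. It runs over a handful of lines copied from the scan above (including the apphelp.dll entry for PID 8188, whose address differs from every other apphelp.dll entry). The relocation heuristic is an assumption: it flags a 2-byte patch whose bytes equal the middle 16 bits of the patched address, which is what a relocated absolute pointer into the module's own image looks like.

```python
import re
from collections import defaultdict

# Lines copied from the GMER log above (one of each record shape, plus the
# apphelp.dll outlier for PID 8188). Raw string so the backslashes survive.
SAMPLE_LINES = r"""
.text C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ff85111b4e0 10 bytes JMP 00007ff84e240420
.text C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ff851132800 5 bytes JMP 00007ff84e2403b0
.text C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory 00007ff84b0c5850 5 bytes JMP 00007ff84ac900d8
.text C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 00007ff84b0c59b0 5 bytes JMP 00007ff84ac90110
? C:\WINDOWS\SYSTEM32\iertutil.dll [2196] entry point in ".rdata" section 000000007228caf0
? C:\WINDOWS\system32\apphelp.dll [5728] entry point in ".rdata" section 000000006e960380
? C:\WINDOWS\system32\apphelp.dll [8188] entry point in ".rdata" section 0000000001070380
.text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5728] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3 000000006b4d1003 2 bytes [4D, 6B]
.text C:\Program Files (x86)\Steam\Steam.exe[5636] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22 000000006b4d1016 2 bytes [4D, 6B]
""".strip().splitlines()

# Record grammar inferred from this log (assumption, not a documented GMER format).
INLINE_JMP = re.compile(
    r'^\.text (?P<module>.+?)!(?P<export>\S+) (?P<addr>[0-9a-f]{16}) '
    r'(?P<size>\d+) bytes JMP (?P<target>[0-9a-f]{16})$')
ENTRY_POINT = re.compile(
    r'^\? (?P<module>.+?) \[(?P<pid>\d+)\] entry point in "(?P<section>[^"]+)" '
    r'section (?P<addr>[0-9a-f]{16})$')
BYTE_PATCH = re.compile(
    r'^\.text (?P<process>.+?)\[(?P<pid>\d+)\] (?P<module>.+?)!(?P<export>\S+?)'
    r'(?: \+ (?P<offset>\d+))? (?P<addr>[0-9a-f]{16}) (?P<size>\d+) bytes '
    r'\[(?P<bytes>[^\]]+)\]$')
SHAPES = (("jmp_hook", INLINE_JMP), ("entry_point", ENTRY_POINT), ("byte_patch", BYTE_PATCH))


def basename(path):
    """Last path component, lower-cased (GMER mixes System32/SYSTEM32 casing)."""
    return path.rsplit("\\", 1)[-1].lower()


def parse(lines):
    """Turn each log line into a dict tagged with its record shape."""
    records = []
    for line in lines:
        line = line.strip()
        for kind, rx in SHAPES:
            m = rx.match(line)
            if m:
                records.append({"kind": kind, **m.groupdict()})
                break
        else:
            records.append({"kind": "unparsed", "raw": line})
    return records


def group_hooks_by_target_page(records):
    """Inline JMP hooks whose targets share one 4 KiB page almost certainly
    belong to the same hooking module; grouping makes that visible without
    needing to resolve the target address to a module name."""
    pages = defaultdict(list)
    for r in records:
        if r["kind"] == "jmp_hook":
            page = int(r["target"], 16) >> 12
            pages[f"{page:x}000"].append(f"{basename(r['module'])}!{r['export']}")
    return dict(pages)


def inconsistent_module_bases(records):
    """Same DLL reported at more than one address across processes. With ASLR a
    system DLL normally shares one base system-wide, so a second base is worth
    a look (a relocation after an address collision is the benign explanation)."""
    addrs = defaultdict(set)
    for r in records:
        if r["kind"] == "entry_point":
            addrs[basename(r["module"])].add(r["addr"])
    return {m: sorted(a) for m, a in addrs.items() if len(a) > 1}


def looks_like_relocation(rec):
    """Heuristic (assumption): a 2-byte patch whose bytes, read little-endian,
    equal bits 16..31 of the patched address is most likely a relocated absolute
    pointer into the module's own image rather than a hook.
    E.g. [4D, 6B] at 0x6b4d1003 -> 0x6b4d == (0x6b4d1003 >> 16) & 0xffff."""
    if rec["kind"] != "byte_patch" or rec["size"] != "2":
        return False
    raw = bytes(int(b.strip(), 16) for b in rec["bytes"].split(","))
    patched = int.from_bytes(raw, "little")
    return patched == (int(rec["addr"], 16) >> 16) & 0xFFFF


def triage(lines):
    """Run every check over a list of GMER 'User code sections' lines."""
    records = parse(lines)
    return {
        "hooks_by_target_page": group_hooks_by_target_page(records),
        "inconsistent_bases": inconsistent_module_bases(records),
        "probable_relocations": [
            f"{basename(r['module'])}!{r['export']}+{r['offset'] or '0'} "
            f"in {basename(r['process'])}[{r['pid']}]"
            for r in records if looks_like_relocation(r)],
        "unparsed": [r["raw"] for r in records if r["kind"] == "unparsed"],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Read the output the way you would read the log: two hook clusters (one page for the USER32 display APIs, one for the dxgi factory exports) point at two hooking modules rather than seven independent patches; apphelp.dll is the only DLL with two bases; and the detoured.dll patches match the relocation pattern, so they go to the bottom of the pile. Feed the full log in by replacing SAMPLE_LINES with the file's lines; anything in "unparsed" is a record shape the grammar above does not yet cover.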