GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-12-26 04:57:19 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002f ST1000LM024_HN-M101MBB rev.2AR20002 931,51GB Running: j9ygsz8u.exe; Driver: C:\Users\Visek\AppData\Local\Temp\fxrdypoc.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff960001c4800 15 bytes [C0, BB, ED, 01, 40, 02, 6A, ...] .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16 fffff960001c4810 11 bytes [00, 7E, FC, FF, 00, A7, B2, ...] ---- User code sections - GMER 2.2 ---- .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb8f363e10 7 bytes JMP 00007ffb8f200260 .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffb8f363e20 7 bytes JMP 00007ffb8f200298 .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffb8f4139b0 7 bytes JMP 00007ffb8f200340 .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffb8f413ef0 7 bytes JMP 00007ffb8f2002d0 .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffb8f413fe0 7 bytes JMP 00007ffb8f200308 .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffb8f4406c0 7 bytes JMP 00007ffb8f2001f0 .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffb8f440730 7 bytes JMP 00007ffb8f200228 .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffb8f2121d0 5 bytes JMP 00007ffb8f200180 .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffb8f2129d0 7 bytes JMP 00007ffb8f2000d8 .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffb8f214310 5 bytes JMP 00007ffb8f200110 .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffb8f218c40 5 bytes JMP 00007ffb8f200148 .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffb8f28eb80 5 bytes JMP 00007ffb8f2001b8 .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffb91246d80 10 bytes JMP 00007ffb8f200458 .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffb912555c0 5 bytes JMP 00007ffb8f2003e8 .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffb91255680 9 bytes JMP 00007ffb8f200378 .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffb91255850 5 bytes JMP 00007ffb8f200420 .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffb9125b080 5 bytes JMP 00007ffb8f2003b0 .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffb91b91500 1 byte JMP 00007ffb8f200490 .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffb91b91502 6 bytes {JMP 0xfffffffffd66ef90} .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffb91b91750 8 bytes JMP 00007ffb8f2004c8 .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\System32\dxgi.dll!CreateDXGIFactory 00007ffb8c667750 5 bytes JMP 00007ffb8c5c00d8 .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\System32\dxgi.dll!CreateDXGIFactory1 00007ffb8c668ee0 5 bytes JMP 00007ffb8c5c0110 .text C:\WINDOWS\System32\dwm.exe[7140] C:\WINDOWS\System32\dxgi.dll!CreateDXGIFactory2 00007ffb8c66c650 5 bytes JMP 00007ffb8c5c0148 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [844:6216] fffff960008db2d0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -1908585700 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0cd292a4d381 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 8998 Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@0 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SWOS United\Amiga SWOS.lnk?C:\Program Files (x86)\Amiga SWOS\ASWOS.exe?? Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@2 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SWOS United\Amiga SWOS.lnk?C:\Games\Amiga SWOS\ASWOS.exe?? ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----