GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-12-30 01:24:22 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000034 HGST_HTS541075A9E680 rev.JA2OA560 698,64GB Running: l98f4h6s.exe; Driver: C:\Users\MIKOAJ~1\AppData\Local\Temp\kwdiruoc.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff960001f4200 15 bytes [00, 28, F6, 01, 80, 1C, 6C, ...] .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16 fffff960001f4210 11 bytes [00, 0E, FC, FF, 00, 05, C4, ...] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\dwm.exe[1008] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffd0c0f28c0 7 bytes JMP 00007ffe0a6402d0 .text C:\WINDOWS\system32\dwm.exe[1008] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffd0c0f43d8 7 bytes JMP 00007ffe0a640308 .text C:\WINDOWS\system32\dwm.exe[1008] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffd0c1a1f20 7 bytes JMP 00007ffe0a640378 .text C:\WINDOWS\system32\dwm.exe[1008] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffd0c1a40b4 7 bytes JMP 00007ffe0a6403b0 .text C:\WINDOWS\system32\dwm.exe[1008] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffd0c1a4510 7 bytes JMP 00007ffe0a640340 .text C:\WINDOWS\system32\dwm.exe[1008] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ffd0c1a4af0 7 bytes JMP 00007ffe0a640260 .text C:\WINDOWS\system32\dwm.exe[1008] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffd0c1ccea0 7 bytes JMP 00007ffe0a640228 .text C:\WINDOWS\system32\dwm.exe[1008] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffd0c1ccf10 7 bytes JMP 00007ffe0a640298 .text C:\WINDOWS\system32\dwm.exe[1008] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffd0a65299c 7 bytes JMP 00007ffe0a6400d8 .text C:\WINDOWS\system32\dwm.exe[1008] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffd0a6554c8 5 bytes JMP 00007ffe0a640180 .text C:\WINDOWS\system32\dwm.exe[1008] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffd0a6555b0 5 bytes JMP 00007ffe0a640148 .text C:\WINDOWS\system32\dwm.exe[1008] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffd0a655e58 5 bytes JMP 00007ffe0a640110 .text C:\WINDOWS\system32\dwm.exe[1008] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffd0c937834 10 bytes JMP 00007ffe0a640490 .text C:\WINDOWS\system32\dwm.exe[1008] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffd0c93b4d0 5 bytes JMP 00007ffe0a640420 .text C:\WINDOWS\system32\dwm.exe[1008] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffd0c93c6d8 5 bytes JMP 00007ffe0a640458 .text C:\WINDOWS\system32\dwm.exe[1008] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffd0c93e39c 9 bytes JMP 00007ffe0a6403e8 .text C:\WINDOWS\system32\dwm.exe[1008] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffd0c4b1500 8 bytes JMP 00007ffe0a6401b8 .text C:\WINDOWS\system32\dwm.exe[1008] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffd0c4b1750 8 bytes JMP 00007ffe0a6401f0 .text C:\WINDOWS\system32\dwm.exe[1008] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 00007ffd07e67a88 5 bytes JMP 00007ffe07c00110 .text C:\WINDOWS\system32\dwm.exe[1008] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory 00007ffd07e74990 5 bytes JMP 00007ffe07c000d8 .text C:\WINDOWS\system32\nvvsvc.exe[368] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd0cb1169a 4 bytes [B1, 0C, FD, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[368] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd0cb116a2 4 bytes [B1, 0C, FD, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[368] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd0cb1181a 4 bytes [B1, 0C, FD, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[368] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd0cb11832 4 bytes [B1, 0C, FD, 7F] .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[2716] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd0cb1169a 4 bytes [B1, 0C, FD, 7F] .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[2716] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd0cb116a2 4 bytes [B1, 0C, FD, 7F] .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[2716] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd0cb1181a 4 bytes [B1, 0C, FD, 7F] .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[2716] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd0cb11832 4 bytes [B1, 0C, FD, 7F] .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[4480] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd0cb1169a 4 bytes [B1, 0C, FD, 7F] .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[4480] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd0cb116a2 4 bytes [B1, 0C, FD, 7F] .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[4480] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd0cb1181a 4 bytes [B1, 0C, FD, 7F] .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[4480] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd0cb11832 4 bytes [B1, 0C, FD, 7F] .text C:\Windows\System32\igfxpers.exe[5900] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd0cb1169a 4 bytes [B1, 0C, FD, 7F] .text C:\Windows\System32\igfxpers.exe[5900] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd0cb116a2 4 bytes [B1, 0C, FD, 7F] .text C:\Windows\System32\igfxpers.exe[5900] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd0cb1181a 4 bytes [B1, 0C, FD, 7F] .text C:\Windows\System32\igfxpers.exe[5900] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd0cb11832 4 bytes [B1, 0C, FD, 7F] ? C:\Windows\SYSTEM32\BsHelpCSps.dll [5692] entry point in ".data" section 00000000043a5055 ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [676:6524] fffff96000965b90 Thread C:\WINDOWS\Explorer.EXE [2064:2932] 00007ffcfb04d73c Thread C:\WINDOWS\Explorer.EXE [2064:5072] 00007ffcfaffd73c Thread C:\WINDOWS\Explorer.EXE [2064:3068] 00007ffcfaffd73c Thread C:\WINDOWS\Explorer.EXE [2064:4320] 00007ffcfaffd73c Thread C:\WINDOWS\Explorer.EXE [2064:6760] 00007ffcfaffd73c Thread C:\WINDOWS\Explorer.EXE [2064:3724] 00007ffcfaffd73c Thread C:\WINDOWS\Explorer.EXE [2064:2172] 00007ffcfaffd73c Thread C:\Windows\System32\SettingSyncHost.exe [4720:2772] 0000000066018558 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----