GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-06-08 18:56:59
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000037 TOSHIBA_MQ01ABD075 rev.AX0A4M 698,64GB
Running: jhnmqgsg.exe; Driver: C:\Users\dmxo\AppData\Local\Temp\kxldapog.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff96000174900 15 bytes [00, 57, F4, 01, 40, 8F, 6E, ...]
.text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16 fffff96000174910 11 bytes [00, 41, FC, FF, 00, 79, C7, ...]

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\System32\dwm.exe[7056] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffdd9633e10 7 bytes JMP 00007ffed8ef0260
.text C:\WINDOWS\System32\dwm.exe[7056] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffdd9633e20 7 bytes JMP 00007ffed8ef0298
.text C:\WINDOWS\System32\dwm.exe[7056] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffdd96e39b0 7 bytes JMP 00007ffed8ef0340
.text C:\WINDOWS\System32\dwm.exe[7056] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffdd96e3ef0 7 bytes JMP 00007ffed8ef02d0
.text C:\WINDOWS\System32\dwm.exe[7056] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffdd96e3fe0 7 bytes JMP 00007ffed8ef0308
.text C:\WINDOWS\System32\dwm.exe[7056] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffdd97106c0 7 bytes JMP 00007ffed8ef01f0
.text C:\WINDOWS\System32\dwm.exe[7056] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffdd9710730 7 bytes JMP 00007ffed8ef0228
.text C:\WINDOWS\System32\dwm.exe[7056] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffdd8f521d0 5 bytes JMP 00007ffed8ef0180
.text C:\WINDOWS\System32\dwm.exe[7056] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffdd8f529d0 7 bytes JMP 00007ffed8ef00d8
.text C:\WINDOWS\System32\dwm.exe[7056] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffdd8f54310 5 bytes JMP 00007ffed8ef0110
.text C:\WINDOWS\System32\dwm.exe[7056] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffdd8f58d80 5 bytes JMP 00007ffed8ef0148
.text C:\WINDOWS\System32\dwm.exe[7056] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffdd8fcf0b0 5 bytes JMP 00007ffed8ef01b8
.text C:\WINDOWS\System32\dwm.exe[7056] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffdda166d90 1 byte JMP 00007ffed8ef0420
.text C:\WINDOWS\System32\dwm.exe[7056] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 2 00007ffdda166d92 8 bytes {JMP 0xfffffffffed89690}
.text C:\WINDOWS\System32\dwm.exe[7056] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffdda1774a0 5 bytes JMP 00007ffed8ef03e8
.text C:\WINDOWS\System32\dwm.exe[7056] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffdda177560 9 bytes JMP 00007ffed8ef0378
.text C:\WINDOWS\System32\dwm.exe[7056] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffdda177730 5 bytes JMP 00007ffed8ef0458
.text C:\WINDOWS\System32\dwm.exe[7056] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffdda186b10 5 bytes JMP 00007ffed8ef03b0
.text C:\WINDOWS\System32\dwm.exe[7056] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffdd9f41500 1 byte JMP 00007ffed8ef0490
.text C:\WINDOWS\System32\dwm.exe[7056] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffdd9f41502 6 bytes {JMP 0xfffffffffefaef90}
.text C:\WINDOWS\System32\dwm.exe[7056] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffdd9f41750 8 bytes JMP 00007ffed8ef04c8
.text C:\Program Files\Microsoft Office\Office14\WINWORD.EXE[6628] C:\WINDOWS\system32\KERNEL32.DLL!SetUnhandledExceptionFilter + 1 00007ffdd96347d1 11 bytes {MOV RAX, 0x7ffdba3c6dc0; JMP RAX}

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\SysWOW64\rundll32.exe [1744:1936] 000000007e70fc00
Thread C:\WINDOWS\SysWOW64\rundll32.exe [1744:5628] 000000007e71a2d0
Thread C:\WINDOWS\system32\csrss.exe [3328:7696] fffff9600082f2d0

---- Processes - GMER 2.1 ----

Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2964] 000000006fbc0000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2964](2013-12-02 17:32:06) 000000006e940000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2964](2 000000006a1c0000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2964](2013-12-02 17:32:06) 000000006ff00000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QueryStrategy.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2964](2013-12-02 17:32:06) 000000006efc0000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtXml4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2964](201 000000006ed40000
Library C:\Users\dmxo\AppData\Local\JDownloader v2.0\tmp\jna\jna5724545767722744777.dll (*** suspicious ***) @ C:\Users\dmxo\AppData\Local\JDownloader v2.0\JDownloader2.exe [4980] (JNA native library/Java(TM) Native Access (JNA))(2015-06-07 20:53:43) 0000000180000000
Library C:\Users\dmxo\AppData\Local\JDownloader v2.0\tmp\7zip\SevenZipJBinding-FKPz9\libgcc_s_sjlj-1.dll (*** suspicious ***) @ C:\Users\dmxo\AppData\Local\JDownloader v2.0\JDownloader2.exe [4980](2015-06-07 20:54:06) 000000006cec0000
Library C:\Users\dmxo\AppData\Local\JDownloader v2.0\tmp\7zip\SevenZipJBinding-FKPz9\lib7-Zip-JBinding.dll (*** suspicious ***) @ C:\Users\dmxo\AppData\Local\JDownloader v2.0\JDownloader2.exe [4980](2015-06-07 20:54:05) 000000006a2c0000
Process C:\Users\dmxo\AppData\Local\Temp\Rar$EXa0.394\jhnmqgsg.exe (*** suspicious ***) @ C:\Users\dmxo\AppData\Local\Temp\Rar$EXa0.394\jhnmqgsg.exe [6940](2015-02-04 12:59:56) 0000000000400000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----