GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-06-11 20:38:10 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002f HGST_HTS541075A9E680 rev.JA2OA5G0 698,64GB Running: jhnmqgsg.exe; Driver: C:\Users\SONY\AppData\Local\Temp\pxldypog.sys ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\svchost.exe[3908] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\Windows\System32\WUDFHost.exe[3952] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\WINDOWS\system32\lpksetup.exe[4068] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\WINDOWS\servicing\TrustedInstaller.exe[3448] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17709_none_fa7932f59afc2e40\TiWorker.exe[3240] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\Program Files\Sony\VAIO Care\ESRV\esrv_svc.exe[2532] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1504] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[3812] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\WINDOWS\system32\SearchIndexer.exe[2208] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe[3692] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\WINDOWS\system32\DllHost.exe[4416] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\Program Files (x86)\Sony\VAIO Control Center\SUSSoundProxy.exe[4904] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\Program Files\Sony\VAIO Update\vuagent.exe[6124] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\Program Files\Sony\VAIO Care\VCAgent.exe[4108] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\WINDOWS\system32\taskhost.exe[5136] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.WinService.exe[6416] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[6188] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\WINDOWS\System32\WinLogon.exe[8712] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb11bf3e10 7 bytes JMP 00007ffc115d02d0 .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffb11bf3e20 7 bytes JMP 00007ffc115d0308 .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffb11ca39b0 7 bytes JMP 00007ffc115d03b0 .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffb11ca3ef0 7 bytes JMP 00007ffc115d0340 .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffb11ca3fe0 7 bytes JMP 00007ffc115d0378 .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffb11cd06c0 7 bytes JMP 00007ffc115d0228 .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffb11cd0730 7 bytes JMP 00007ffc115d0298 .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ffb11cd0760 7 bytes JMP 00007ffc115d0260 .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffb115e21d0 5 bytes JMP 00007ffc115d0180 .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffb115e29d0 7 bytes JMP 00007ffc115d00d8 .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffb115e4310 5 bytes JMP 00007ffc115d0110 .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffb115e8d80 5 bytes JMP 00007ffc115d0148 .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffb12516d90 10 bytes JMP 00007ffc115d0490 .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffb125274a0 5 bytes JMP 00007ffc115d0458 .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffb12527560 1 byte JMP 00007ffc115d03e8 .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo + 2 00007ffb12527562 7 bytes {JMP 0xffffffffff0a8e88} .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffb12536b10 5 bytes JMP 00007ffc115d0420 .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffb13ea1500 8 bytes JMP 00007ffc115d01b8 .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffb13ea1750 8 bytes JMP 00007ffc115d01f0 .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\System32\dxgi.dll!CreateDXGIFactory 00007ffb0f6a7750 5 bytes JMP 00007ffc0f5200d8 .text C:\WINDOWS\System32\dwm.exe[7164] C:\WINDOWS\System32\dxgi.dll!CreateDXGIFactory1 00007ffb0f6a8ee0 5 bytes JMP 00007ffc0f520110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[8780] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\WINDOWS\system32\nvvsvc.exe[7032] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[6284] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\WINDOWS\system32\taskhostex.exe[8624] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\WINDOWS\system32\taskhost.exe[7156] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\WINDOWS\Explorer.EXE[6592] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4772] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\Windows\System32\RuntimeBroker.exe[8004] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\WINDOWS\System32\GWX\GWXUX.exe[7868] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\Program Files\Sony\VAIO Care\ESRV\esrv.exe[8036] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\WINDOWS\system32\conhost.exe[5168] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\Windows\System32\SettingSyncHost.exe[7108] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[6996] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\Program Files\WinRAR\WinRAR.exe[1352] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2832] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffb115fef70 5 bytes JMP 00007ffc052b1270 ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [7800:2896] fffff960008222d0 ---- Processes - GMER 2.1 ---- Process C:\Users\SONY\AppData\Local\Temp\Rar$EXa0.170\jhnmqgsg.exe (*** suspicious ***) @ C:\Users\SONY\AppData\Local\Temp\Rar$EXa0.170\jhnmqgsg.exe [4204](2015-02-04 12:59:56) 0000000000400000 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----