GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-07-22 11:22:32
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000030 TOSHIBA_MQ01ABD075 rev.AX003J 698,64GB
Running: 486tgy5m.exe; Driver: C:\Users\OEM\AppData\Local\Temp\pfliiaow.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff9600018f600 15 bytes [00, 96, F2, 01, 00, 6A, 6C, ...]
.text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16 fffff9600018f610 11 bytes [00, D7, FB, FF, 00, 7B, D1, ...]

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffc689f3e10 7 bytes JMP 00007ffd66160260
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffc689f3e20 7 bytes JMP 00007ffd66160298
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffc68aa39b0 7 bytes JMP 00007ffd66160340
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffc68aa3ef0 7 bytes JMP 00007ffd661602d0
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffc68aa3fe0 7 bytes JMP 00007ffd66160308
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffc68ad06c0 7 bytes JMP 00007ffd661601f0
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffc68ad0730 7 bytes JMP 00007ffd66160228
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffc661721d0 5 bytes JMP 00007ffd66160180
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffc661729d0 7 bytes JMP 00007ffd661600d8
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffc66174310 5 bytes JMP 00007ffd66160110
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffc66178d80 5 bytes JMP 00007ffd66160148
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffc661ef0b0 5 bytes JMP 00007ffd661601b8
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffc66876d90 1 byte JMP 00007ffd66160420
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 2 00007ffc66876d92 8 bytes {JMP 0xffffffffff8e9690}
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffc668874a0 5 bytes JMP 00007ffd661603e8
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffc66887560 9 bytes JMP 00007ffd66160378
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffc66887730 5 bytes JMP 00007ffd66160458
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffc66896b10 5 bytes JMP 00007ffd661603b0
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffc66471500 1 byte JMP 00007ffd66160490
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffc66471502 6 bytes {JMP 0xffffffffffceef90}
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffc66471750 8 bytes JMP 00007ffd661604c8
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory 00007ffc629e7750 5 bytes JMP 00007ffd629d00d8
.text C:\WINDOWS\system32\dwm.exe[928] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 00007ffc629e8ee0 5 bytes JMP 00007ffd629d0110

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\system32\csrss.exe [616:640] fffff960009a72d0
Thread C:\WINDOWS\Explorer.EXE [1468:4380] 00007ffc53e8e630
Thread C:\WINDOWS\Explorer.EXE [1468:4392] 00007ffc53e8e630
Thread C:\WINDOWS\Explorer.EXE [1468:4048] 00007ffc44e8e630
Thread C:\WINDOWS\Explorer.EXE [1468:4764] 00007ffc4455e630
Thread C:\WINDOWS\Explorer.EXE [1468:6432] 00007ffc444fe630

---- Processes - GMER 2.1 ----

Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [1468] (GG drive overlay/GG Network S.A.)(2015-05-29 19:45:59) 000000005c080000
Library C:\Users\OEM\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [1468] (GG drive menu/GG Network S.A.)(2015-05 000000005ff80000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----