GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-12-10 12:32:46 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003c ST1000LM014-1EJ164 rev.SM28 931,51GB Running: 3h3h9z1j.exe; Driver: C:\Users\Puszczyk\AppData\Local\Temp\pwtyipow.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[824] C:\Windows\system32\KERNEL32.DLL!SetUnhandledExceptionFilter 00007ffd91b6912c 4 bytes [C3, 00, 00, 00] .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[824] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 506 00007ffd90fb169a 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[824] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 514 00007ffd90fb16a2 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[824] C:\Windows\system32\psapi.dll!QueryWorkingSet + 118 00007ffd90fb181a 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[824] C:\Windows\system32\psapi.dll!QueryWorkingSet + 142 00007ffd90fb1832 4 bytes [FB, 90, FD, 7F] .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffd91b628a0 7 bytes JMP 00007ffe8f600260 .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\KERNEL32.DLL!RegQueryValueExW 00007ffd91b643b8 7 bytes JMP 00007ffe8f600298 .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\KERNEL32.DLL!RegSetValueExA 00007ffd91c11f00 7 bytes JMP 00007ffe8f600308 .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\KERNEL32.DLL!RegSetValueExW 00007ffd91c14094 7 bytes JMP 00007ffe8f600340 .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\KERNEL32.DLL!RegDeleteValueW 00007ffd91c144f0 7 bytes JMP 00007ffe8f6002d0 .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffd91c3ce0c 7 bytes JMP 00007ffe8f6001f0 .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffd91c3ce7c 7 bytes JMP 00007ffe8f600228 .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 00007ffd8f612a80 7 bytes JMP 00007ffe8f6000d8 .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 00007ffd8f615fc0 5 bytes JMP 00007ffe8f600180 .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 00007ffd8f6160b0 5 bytes JMP 00007ffe8f600148 .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffd8f616750 5 bytes JMP 00007ffe8f600110 .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameExW 00007ffd8f68a200 5 bytes JMP 00007ffe8f6001b8 .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\USER32.dll!CreateWindowExW 00007ffd9151b6f4 10 bytes JMP 00007ffe8f600420 .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\USER32.dll!EnumDisplayDevicesW 00007ffd915245d8 5 bytes JMP 00007ffe8f6003e8 .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffd91524750 9 bytes JMP 00007ffe8f600378 .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\USER32.dll!EnumDisplayDevicesA 00007ffd91534fc0 5 bytes JMP 00007ffe8f6003b0 .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\USER32.dll!ChangeDisplaySettingsExW 00007ffd91535cb0 5 bytes JMP 00007ffe8f600458 .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffd91a11500 1 byte JMP 00007ffe8f600490 .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffd91a11502 6 bytes {JMP 0xfffffffffdbeef90} .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffd91a11750 8 bytes JMP 00007ffe8f6004c8 .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 00007ffd8cae7c28 5 bytes JMP 00007ffe8c9b0110 .text C:\Windows\system32\dwm.exe[856] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 00007ffd8caf4b84 5 bytes JMP 00007ffe8c9b00d8 .text C:\Windows\system32\nvvsvc.exe[1004] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd90fb169a 4 bytes [FB, 90, FD, 7F] .text C:\Windows\system32\nvvsvc.exe[1004] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd90fb16a2 4 bytes [FB, 90, FD, 7F] .text C:\Windows\system32\nvvsvc.exe[1004] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd90fb181a 4 bytes [FB, 90, FD, 7F] .text C:\Windows\system32\nvvsvc.exe[1004] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd90fb1832 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1748] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd90fb169a 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1748] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd90fb16a2 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1748] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd90fb181a 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1748] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd90fb1832 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1748] C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffd83d51f6a 4 bytes [D5, 83, FD, 7F] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1748] C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffd83d51f82 4 bytes [D5, 83, FD, 7F] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1916] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd90fb169a 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1916] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd90fb16a2 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1916] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd90fb181a 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1916] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd90fb1832 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1976] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd90fb169a 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1976] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd90fb16a2 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1976] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd90fb181a 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[1976] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd90fb1832 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3064] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 506 00007ffd90fb169a 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3064] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 514 00007ffd90fb16a2 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3064] C:\Windows\system32\psapi.dll!QueryWorkingSet + 118 00007ffd90fb181a 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3064] C:\Windows\system32\psapi.dll!QueryWorkingSet + 142 00007ffd90fb1832 4 bytes [FB, 90, FD, 7F] .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd90fb169a 4 bytes [FB, 90, FD, 7F] .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd90fb16a2 4 bytes [FB, 90, FD, 7F] .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd90fb181a 4 bytes [FB, 90, FD, 7F] .text C:\Windows\system32\wbem\wmiprvse.exe[3348] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd90fb1832 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[3224] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd90fb169a 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[3224] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd90fb16a2 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[3224] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd90fb181a 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[3224] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd90fb1832 4 bytes [FB, 90, FD, 7F] .text C:\Program Files\Acer\Acer Quick Access\QuickAccess.exe[4860] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffd91a11500 1 byte JMP 00007ffe8f600490 .text C:\Program Files\Acer\Acer Quick Access\QuickAccess.exe[4860] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList + 2 00007ffd91a11502 6 bytes {JMP 0xfffffffffdbeef90} .text C:\Program Files\Acer\Acer Quick Access\QuickAccess.exe[4860] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffd91a11750 8 bytes JMP 00007ffe8f6004c8 .text C:\Users\Puszczyk\Downloads\FRST64 (2).exe[1940] C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffd83d51f6a 4 bytes [D5, 83, FD, 7F] .text C:\Users\Puszczyk\Downloads\FRST64 (2).exe[1940] C:\Windows\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffd83d51f82 4 bytes [D5, 83, FD, 7F] .text C:\Users\Puszczyk\Downloads\FRST64 (2).exe[1940] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd90fb169a 4 bytes [FB, 90, FD, 7F] .text C:\Users\Puszczyk\Downloads\FRST64 (2).exe[1940] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd90fb16a2 4 bytes [FB, 90, FD, 7F] .text C:\Users\Puszczyk\Downloads\FRST64 (2).exe[1940] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd90fb181a 4 bytes [FB, 90, FD, 7F] .text C:\Users\Puszczyk\Downloads\FRST64 (2).exe[1940] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd90fb1832 4 bytes [FB, 90, FD, 7F] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\csrss.exe [512:3048] fffff960008cab90 Thread C:\Windows\Explorer.EXE [3176:3824] 00007ffd7717d6bc ---- Processes - GMER 2.1 ---- Process C:\ProgramData\3WdM3\WdMan.exe (*** suspicious ***) @ C:\ProgramData\3WdM3\WdMan.exe [2020] (TFuns/TFuns LIMITED)(2015-12-10 02:05:08) 0000000000eb0000 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----