GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-12-17 14:53:34 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003f Hitachi_HTS545050A7E380 rev.GG2OA6C0 465,76GB Running: cqp3vrxt.exe; Driver: C:\Users\jurek\AppData\Local\Temp\pxloqpow.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960000dd200 7 bytes [40, 3B, 82, 01, 00, 53, F2] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000dd208 7 bytes [01, 63, C0, FF, 00, 17, DB] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\KERNEL32.DLL!RegSetValueExW 000007fccec0257c 8 bytes JMP 000007fdcc0b0340 .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\KERNEL32.DLL!RegQueryValueExW 000007fccec06b10 1 byte JMP 000007fdcc0b0298 .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\KERNEL32.DLL!RegQueryValueExW + 2 000007fccec06b12 7 bytes {JMP 0xfffffffffd4a9788} .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\KERNEL32.DLL!K32GetModuleInformation 000007fccec85778 7 bytes JMP 000007fdcc0b0260 .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\KERNEL32.DLL!RegDeleteValueW 000007fcceca1564 7 bytes JMP 000007fdcc0b02d0 .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\KERNEL32.DLL!K32GetMappedFileNameW 000007fccecb40e4 7 bytes JMP 000007fdcc0b0228 .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\KERNEL32.DLL!K32EnumProcessModulesEx 000007fccecb4178 8 bytes JMP 000007fdcc0b01f0 .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\KERNEL32.DLL!RegSetValueExA 000007fccecb479c 8 bytes JMP 000007fdcc0b0308 .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fccc1128a0 7 bytes JMP 000007fdcc0b00d8 .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fccc1128e8 5 bytes JMP 000007fdcc0b0180 .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fccc12f590 6 bytes JMP 000007fdcc0b0148 .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fccc12f8ac 5 bytes JMP 000007fdcc0b0110 .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameExW 000007fccc15aa40 5 bytes JMP 000007fdcc0b01b8 .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\USER32.dll!CreateWindowExW 000007fccd6ac5b0 7 bytes JMP 000007fdcc0b0420 .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\USER32.dll!DisplayConfigGetDeviceInfo 000007fccd6b31f0 1 byte JMP 000007fdcc0b0378 .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\USER32.dll!DisplayConfigGetDeviceInfo + 2 000007fccd6b31f2 7 bytes {JMP 0xfffffffffe9fd188} .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\USER32.dll!EnumDisplayDevicesW 000007fccd6b33e0 5 bytes JMP 000007fdcc0b03e8 .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\USER32.dll!ChangeDisplaySettingsExW 000007fccd6b45d0 5 bytes JMP 000007fdcc0b0458 .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\USER32.dll!EnumDisplayDevicesA 000007fccd6b7160 5 bytes JMP 000007fdcc0b03b0 .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fccc691070 8 bytes JMP 000007fdcc0b04c8 .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fccc6b0bc0 8 bytes JMP 000007fdcc0b0490 .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fcc9c26d10 5 bytes JMP 000007fdc9a10110 .text C:\Windows\system32\dwm.exe[936] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fcc9c2d060 5 bytes JMP 000007fdc9a100d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1052] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fcc6551532 4 bytes [55, C6, FC, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1052] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fcc655153a 4 bytes [55, C6, FC, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1052] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fcc655165a 4 bytes [55, C6, FC, 07] .text C:\Windows\system32\nvvsvc.exe[1060] C:\Windows\system32\MSIMG32.dll!GradientFill + 690 000007fcc6551532 4 bytes [55, C6, FC, 07] .text C:\Windows\system32\nvvsvc.exe[1060] C:\Windows\system32\MSIMG32.dll!GradientFill + 698 000007fcc655153a 4 bytes [55, C6, FC, 07] .text C:\Windows\system32\nvvsvc.exe[1060] C:\Windows\system32\MSIMG32.dll!TransparentBlt + 246 000007fcc655165a 4 bytes [55, C6, FC, 07] .text C:\Windows\system32\nvvsvc.exe[1060] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fccd41177a 4 bytes [41, CD, FC, 07] .text C:\Windows\system32\nvvsvc.exe[1060] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fccd411782 4 bytes [41, CD, FC, 07] .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fccd41177a 4 bytes [41, CD, FC, 07] .text C:\Windows\System32\spoolsv.exe[1424] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fccd411782 4 bytes [41, CD, FC, 07] .text C:\Program Files\Windows Defender\MsMpEng.exe[2396] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 306 000007fccd41177a 4 bytes [41, CD, FC, 07] .text C:\Program Files\Windows Defender\MsMpEng.exe[2396] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 314 000007fccd411782 4 bytes [41, CD, FC, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3984] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fcc6551532 4 bytes [55, C6, FC, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3984] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fcc655153a 4 bytes [55, C6, FC, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3984] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fcc655165a 4 bytes [55, C6, FC, 07] .text C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe[4980] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 306 000007fccd41177a 4 bytes [41, CD, FC, 07] .text C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe[4980] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 314 000007fccd411782 4 bytes [41, CD, FC, 07] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\csrss.exe [656:668] fffff9600083c5e8 Thread C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [4980:2324] 0000008ce3703e68 ---- Processes - GMER 2.1 ---- Library C:\Program Files (x86)\Google\Update\Install\{313E5B9D-1908-4936-92BB-49652C4B5FB1}\47.0.2526.106_47.0.2526.80_chrome_updater_3stage.exe (*** suspicious ***) @ C:\Program Files (x86)\Google\Update\Install\{313E5B9D-1908-4936-92BB-49652C4B5FB1}\47.0.2526.106_47 0000000000400000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 890027738 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\446d57c68b4a Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\446d57c68b4a@f008f1ec1ec3 0xC2 0x3D 0x13 0x0B ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\446d57c68b4a@e4b021ab3f97 0x91 0x36 0x83 0xD5 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\446d57c68b4a@b4cef6223cd5 0xB1 0xF6 0xB6 0xBF ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\446d57c68b4a@4c2578a592c0 0x85 0x93 0xDA 0x72 ... ---- EOF - GMER 2.1 ----