GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-06-02 14:57:59
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003a ST500LM012_HN-M500MBB rev.2BA30001 465,76GB
Running: e7jcm5g8.exe; Driver: C:\Users\Dawid\AppData\Local\Temp\uxtoapob.sys


---- Kernel code sections - GMER 2.2 ----

.text  C:\WINDOWS\System32\win32k.sys!W32pServiceTable  fffff96000158e00 7 bytes [00, 91, 1C, 01, 00, D6, 9D]
.text  C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 8  fffff96000158e08 7 bytes [01, 0F, E4, FF, 00, 5F, E8]

---- User code sections - GMER 2.2 ----

.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[336] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 690  000007f91ab21532 4 bytes [B2, 1A, F9, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[336] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 698  000007f91ab2153a 4 bytes [B2, 1A, F9, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[336] C:\WINDOWS\SYSTEM32\MSIMG32.dll!TransparentBlt + 246  000007f91ab2165a 4 bytes [B2, 1A, F9, 07]
.text  C:\WINDOWS\system32\nvvsvc.exe[444] C:\WINDOWS\system32\MSIMG32.dll!GradientFill + 690  000007f91ab21532 4 bytes [B2, 1A, F9, 07]
.text  C:\WINDOWS\system32\nvvsvc.exe[444] C:\WINDOWS\system32\MSIMG32.dll!GradientFill + 698  000007f91ab2153a 4 bytes [B2, 1A, F9, 07]
.text  C:\WINDOWS\system32\nvvsvc.exe[444] C:\WINDOWS\system32\MSIMG32.dll!TransparentBlt + 246  000007f91ab2165a 4 bytes [B2, 1A, F9, 07]
.text  C:\WINDOWS\system32\nvvsvc.exe[444] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007f91ff8177a 4 bytes [F8, 1F, F9, 07]
.text  C:\WINDOWS\system32\nvvsvc.exe[444] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007f91ff81782 4 bytes [F8, 1F, F9, 07]
.text  C:\WINDOWS\system32\BtwRSupportService.exe[1736] C:\WINDOWS\system32\MSIMG32.dll!GradientFill + 690  000007f91ab21532 4 bytes [B2, 1A, F9, 07]
.text  C:\WINDOWS\system32\BtwRSupportService.exe[1736] C:\WINDOWS\system32\MSIMG32.dll!GradientFill + 698  000007f91ab2153a 4 bytes [B2, 1A, F9, 07]
.text  C:\WINDOWS\system32\BtwRSupportService.exe[1736] C:\WINDOWS\system32\MSIMG32.dll!TransparentBlt + 246  000007f91ab2165a 4 bytes [B2, 1A, F9, 07]
.text  G:\INVENTOR\Inventor 2017\Moldflow\bin\mitsijm.exe[1968] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007f91ff8177a 4 bytes [F8, 1F, F9, 07]
.text  G:\INVENTOR\Inventor 2017\Moldflow\bin\mitsijm.exe[1968] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007f91ff81782 4 bytes [F8, 1F, F9, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2988] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 690  000007f91ab21532 4 bytes [B2, 1A, F9, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2988] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 698  000007f91ab2153a 4 bytes [B2, 1A, F9, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2988] C:\WINDOWS\SYSTEM32\MSIMG32.dll!TransparentBlt + 246  000007f91ab2165a 4 bytes [B2, 1A, F9, 07]
.text  C:\Windows\System32\igfxpers.exe[4052] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007f91ff8177a 4 bytes [F8, 1F, F9, 07]
.text  C:\Windows\System32\igfxpers.exe[4052] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007f91ff81782 4 bytes [F8, 1F, F9, 07]
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4080] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007f91ff8177a 4 bytes [F8, 1F, F9, 07]
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4080] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007f91ff81782 4 bytes [F8, 1F, F9, 07]
.text  C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4336] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007f91ff8177a 4 bytes [F8, 1F, F9, 07]
.text  C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4336] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007f91ff81782 4 bytes [F8, 1F, F9, 07]
.text  C:\Program Files\Windows Defender\MsMpEng.exe[812] C:\WINDOWS\system32\psapi.dll!GetProcessImageFileNameA + 306  000007f91ff8177a 4 bytes [F8, 1F, F9, 07]
.text  C:\Program Files\Windows Defender\MsMpEng.exe[812] C:\WINDOWS\system32\psapi.dll!GetProcessImageFileNameA + 314  000007f91ff81782 4 bytes [F8, 1F, F9, 07]
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[3324] C:\WINDOWS\SYSTEM32\WSOCK32.dll!recvfrom + 742  000007f90e021b32 4 bytes [02, 0E, F9, 07]
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[3324] C:\WINDOWS\SYSTEM32\WSOCK32.dll!recvfrom + 750  000007f90e021b3a 4 bytes [02, 0E, F9, 07]

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [536:568]  fffff960008e05e8

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  -435684511
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\689423f90cac
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\689423f90cac@b808d73acb9f  0xEC 0x83 0xE2 0x51 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\c0143dd526da

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----
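Added triage helper for logs in this layout. It is my own example, not part of the GMER output above and not GMER's code: it parses the `.text` entries of the kernel and user code sections, groups identical user-mode patches across the processes that map the same DLL, and applies one heuristic to the 4-byte x64 entries (a 4-byte difference whose little-endian value equals bits 16..47 of the patch address is the middle of an 8-byte pointer into the same 64 KiB region of the same module, consistent with a relocated pointer rather than a detour to foreign code). The sample log inside the block is a constructed subset of the entries above; the heuristic, the `in-module-pointer` label and all function names are my assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the entries from the log above, in GMER's line
# layout, plus header lines the parser must skip.
SAMPLE_LOG = r"""GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-06-02 14:57:59

---- Kernel code sections - GMER 2.2 ----

.text  C:\WINDOWS\System32\win32k.sys!W32pServiceTable  fffff96000158e00 7 bytes [00, 91, 1C, 01, 00, D6, 9D]

---- User code sections - GMER 2.2 ----

.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[336] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 690  000007f91ab21532 4 bytes [B2, 1A, F9, 07]
.text  C:\WINDOWS\system32\nvvsvc.exe[444] C:\WINDOWS\system32\MSIMG32.dll!GradientFill + 690  000007f91ab21532 4 bytes [B2, 1A, F9, 07]
.text  C:\WINDOWS\system32\nvvsvc.exe[444] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007f91ff8177a 4 bytes [F8, 1F, F9, 07]
.text  C:\Program Files\Windows Defender\MsMpEng.exe[812] C:\WINDOWS\system32\psapi.dll!GetProcessImageFileNameA + 306  000007f91ff8177a 4 bytes [F8, 1F, F9, 07]
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[3324] C:\WINDOWS\SYSTEM32\WSOCK32.dll!recvfrom + 742  000007f90e021b32 4 bytes [02, 0E, F9, 07]

---- EOF - GMER 2.2 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# One ".text" entry; the "path[pid] " prefix exists only in user-mode entries.
ENTRY_RE = re.compile(
    r"^\.text\s+"
    r"(?:(?P<proc>.+?)\[(?P<pid>\d+)\]\s+)?"
    r"(?P<module>.+?)!(?P<symbol>\S+)"
    r"(?:\s+\+\s+(?P<off>\d+))?"
    r"\s+(?P<addr>[0-9a-fA-F]{16})"
    r"\s+(?P<n>\d+) bytes \[(?P<bytes>[^\]]*)\]"
)

@dataclass(frozen=True)
class Entry:
    section: str
    proc: str      # "" for kernel entries
    pid: int       # 0 for kernel entries
    module: str
    symbol: str
    offset: int
    addr: int
    patch: bytes   # bytes GMER saw in memory at addr

def parse_gmer(text):
    """Return the .text entries from the kernel and user code sections."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section not in ("Kernel code sections", "User code sections"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        patch = bytes.fromhex("".join(re.findall(r"[0-9A-Fa-f]{2}", m.group("bytes"))))
        if len(patch) != int(m.group("n")):
            continue  # malformed entry: do not guess
        entries.append(Entry(section, m.group("proc") or "", int(m.group("pid") or 0),
                             m.group("module"), m.group("symbol"), int(m.group("off") or 0),
                             int(m.group("addr"), 16), patch))
    return entries

def classify(addr, patch):
    """Heuristic (mine, not GMER's): bytes 2..5 of an 8-byte pointer stored at
    addr-2 that points into the same 64 KiB region equal bits 16..47 of addr.
    Such entries are consistent with a relocated in-module pointer; anything
    else (kernel service-table entries, other sizes) stays 'review'."""
    if len(patch) == 4 and int.from_bytes(patch, "little") == (addr >> 16) & 0xFFFFFFFF:
        return "in-module-pointer"
    return "review"

def group_by_site(entries):
    """Group user-mode entries by (module, symbol, offset, addr, bytes): a patch
    identical in every process mapping the DLL is not a per-process injection."""
    sites = defaultdict(list)
    for e in entries:
        if e.section == "User code sections":
            key = (e.module.rsplit("\\", 1)[-1].lower(), e.symbol, e.offset, e.addr, e.patch)
            name = e.proc.rsplit("\\", 1)[-1]
            sites[key].append(f"{name}[{e.pid}]")
    return dict(sites)

def triage(text):
    """Rows of (section, site, verdict, processes) for the whole log."""
    entries = parse_gmer(text)
    rows = [(e.section, f"{e.module}!{e.symbol}+{e.offset}", classify(e.addr, e.patch), [])
            for e in entries if e.section == "Kernel code sections"]
    for (module, symbol, off, addr, patch), procs in sorted(group_by_site(entries).items()):
        rows.append(("User code sections", f"{module}!{symbol}+{off}", classify(addr, patch), procs))
    return rows

if __name__ == "__main__":
    for section, site, verdict, procs in triage(SAMPLE_LOG):
        print(f"{verdict:18} {site:50} {', '.join(procs)}")
```

Run against the full log above, every user-mode entry classifies as `in-module-pointer` and is shared by all processes that map the same DLL (the three byte patterns all match the high bytes of their own addresses). The heuristic says nothing about the two `W32pServiceTable` entries or the `unknown MBR code` line; those still need a comparison against a known-good win32k.sys and a dump of sector 0.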