GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-06-25 20:12:58 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000046 ST500LM012_HN-M500MBB rev.2AR10001 465,76GB Running: 48o4rugf.exe; Driver: C:\Users\LESZEK~1\AppData\Local\Temp\ugloypoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\dwm.exe[996] C:\Windows\system32\KERNEL32.DLL!K32GetModuleFileNameExW 000007fdc0d15658 7 bytes JMP 000007febe9a0260 .text C:\Windows\system32\dwm.exe[996] C:\Windows\system32\KERNEL32.DLL!K32GetModuleInformation 000007fdc0d15778 7 bytes JMP 000007febe9a02d0 .text C:\Windows\system32\dwm.exe[996] C:\Windows\system32\KERNEL32.DLL!K32GetMappedFileNameW 000007fdc0d440e4 7 bytes JMP 000007febe9a0298 .text C:\Windows\system32\dwm.exe[996] C:\Windows\system32\KERNEL32.DLL!K32EnumProcessModulesEx 000007fdc0d44178 8 bytes JMP 000007febe9a0228 .text C:\Windows\system32\dwm.exe[996] C:\Windows\system32\KERNEL32.DLL!RegSetValueExA 000007fdc0d4479c 8 bytes JMP 000007febe9a0308 .text C:\Windows\system32\dwm.exe[996] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fdbea028a0 7 bytes JMP 000007febe9a00d8 .text C:\Windows\system32\dwm.exe[996] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fdbea028e8 5 bytes JMP 000007febe9a0180 .text C:\Windows\system32\dwm.exe[996] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fdbea1f590 6 bytes JMP 000007febe9a0148 .text C:\Windows\system32\dwm.exe[996] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fdbea1f8ac 5 bytes JMP 000007febe9a0110 .text C:\Windows\system32\dwm.exe[996] C:\Windows\system32\USER32.dll!CreateWindowExW 000007fdbecec5b0 7 bytes JMP 000007febe9a0378 .text C:\Windows\system32\dwm.exe[996] C:\Windows\system32\USER32.dll!EnumDisplayDevicesA 000007fdbecf7160 5 bytes JMP 000007febe9a0340 .text C:\Windows\system32\dwm.exe[996] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fdc1101070 8 bytes JMP 000007febe9a01f0 .text C:\Windows\system32\dwm.exe[996] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fdc1120dc0 8 bytes JMP 000007febe9a01b8 .text C:\Windows\system32\dwm.exe[996] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fdbc6c6d10 5 bytes JMP 000007febc4b0110 .text C:\Windows\system32\dwm.exe[996] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fdbc6cd060 5 bytes JMP 000007febc4b00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1108] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fdbaa41532 4 bytes [A4, BA, FD, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1108] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fdbaa4153a 4 bytes [A4, BA, FD, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1108] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fdbaa4165a 4 bytes [A4, BA, FD, 07] .text C:\Windows\system32\nvvsvc.exe[1116] C:\Windows\system32\MSIMG32.dll!GradientFill + 690 000007fdbaa41532 4 bytes [A4, BA, FD, 07] .text C:\Windows\system32\nvvsvc.exe[1116] C:\Windows\system32\MSIMG32.dll!GradientFill + 698 000007fdbaa4153a 4 bytes [A4, BA, FD, 07] .text C:\Windows\system32\nvvsvc.exe[1116] C:\Windows\system32\MSIMG32.dll!TransparentBlt + 246 000007fdbaa4165a 4 bytes [A4, BA, FD, 07] .text C:\Windows\system32\nvvsvc.exe[1116] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fdc03e177a 4 bytes [3E, C0, FD, 07] .text C:\Windows\system32\nvvsvc.exe[1116] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fdc03e1782 4 bytes [3E, C0, FD, 07] .text C:\Windows\system32\WLANExt.exe[1376] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fdc03e177a 4 bytes [3E, C0, FD, 07] .text C:\Windows\system32\WLANExt.exe[1376] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fdc03e1782 4 bytes [3E, C0, FD, 07] .text C:\Windows\system32\WLANExt.exe[1376] C:\Windows\system32\MSIMG32.dll!GradientFill + 690 000007fdbaa41532 4 bytes [A4, BA, FD, 07] .text C:\Windows\system32\WLANExt.exe[1376] C:\Windows\system32\MSIMG32.dll!GradientFill + 698 000007fdbaa4153a 4 bytes [A4, BA, FD, 07] .text C:\Windows\system32\WLANExt.exe[1376] C:\Windows\system32\MSIMG32.dll!TransparentBlt + 246 000007fdbaa4165a 4 bytes [A4, BA, FD, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1928] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fdbaa41532 4 bytes [A4, BA, FD, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1928] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fdbaa4153a 4 bytes [A4, BA, FD, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1928] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fdbaa4165a 4 bytes [A4, BA, FD, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1928] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fdc03e177a 4 bytes [3E, C0, FD, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1928] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fdc03e1782 4 bytes [3E, C0, FD, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1928] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 742 000007fdb5d01b32 4 bytes [D0, B5, FD, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1928] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 750 000007fdb5d01b3a 4 bytes [D0, B5, FD, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1736] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fdc03e177a 4 bytes [3E, C0, FD, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1736] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fdc03e1782 4 bytes [3E, C0, FD, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1736] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fdbaa41532 4 bytes [A4, BA, FD, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1736] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fdbaa4153a 4 bytes [A4, BA, FD, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1736] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fdbaa4165a 4 bytes [A4, BA, FD, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2092] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fdbaa41532 4 bytes [A4, BA, FD, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2092] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fdbaa4153a 4 bytes [A4, BA, FD, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2092] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fdbaa4165a 4 bytes [A4, BA, FD, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2092] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fdc03e177a 4 bytes [3E, C0, FD, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2092] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fdc03e1782 4 bytes [3E, C0, FD, 07] .text C:\Windows\system32\wbem\wmiprvse.exe[852] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fdc03e177a 4 bytes [3E, C0, FD, 07] .text C:\Windows\system32\wbem\wmiprvse.exe[852] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fdc03e1782 4 bytes [3E, C0, FD, 07] .text C:\Windows\system32\wbem\wmiprvse.exe[852] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fdbaa41532 4 bytes [A4, BA, FD, 07] .text C:\Windows\system32\wbem\wmiprvse.exe[852] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fdbaa4153a 4 bytes [A4, BA, FD, 07] .text C:\Windows\system32\wbem\wmiprvse.exe[852] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fdbaa4165a 4 bytes [A4, BA, FD, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3720] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fdbaa41532 4 bytes [A4, BA, FD, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3720] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fdbaa4153a 4 bytes [A4, BA, FD, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3720] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fdbaa4165a 4 bytes [A4, BA, FD, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4068] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fdbaa41532 4 bytes [A4, BA, FD, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4068] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fdbaa4153a 4 bytes [A4, BA, FD, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4068] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fdbaa4165a 4 bytes [A4, BA, FD, 07] .text C:\Windows\System32\rundll32.exe[4016] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fdbaa41532 4 bytes [A4, BA, FD, 07] .text C:\Windows\System32\rundll32.exe[4016] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fdbaa4153a 4 bytes [A4, BA, FD, 07] .text C:\Windows\System32\rundll32.exe[4016] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fdbaa4165a 4 bytes [A4, BA, FD, 07] .text C:\Windows\system32\igfxpers.exe[3052] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fdc03e177a 4 bytes [3E, C0, FD, 07] .text C:\Windows\system32\igfxpers.exe[3052] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fdc03e1782 4 bytes [3E, C0, FD, 07] .text C:\Program Files\Windows Defender\MsMpEng.exe[1360] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 306 000007fdc03e177a 4 bytes [3E, C0, FD, 07] .text C:\Program Files\Windows Defender\MsMpEng.exe[1360] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 314 000007fdc03e1782 4 bytes [3E, C0, FD, 07] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2072] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 742 000007fdb5d01b32 4 bytes [D0, B5, FD, 07] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2072] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 750 000007fdb5d01b3a 4 bytes [D0, B5, FD, 07] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\csrss.exe [620:644] fffff9600085e5e8 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----