GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-07-23 09:58:27
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5003AZEX-00K1GA0 rev.80.00A80 465,76GB
Running: ieogyyw9.exe; Driver: C:\Users\FIKUMI~1\AppData\Local\Temp\pxloypow.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\system32\ntoskrnl.exe!KiCpuId + 988  fffff800248c041c 1 byte [31]

---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\dwm.exe[940] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007ff5d0d177a 4 bytes [0D, 5D, FF, 07]
.text  C:\Windows\system32\dwm.exe[940] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007ff5d0d1782 4 bytes [0D, 5D, FF, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[452] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690  000007ff584b1532 4 bytes [4B, 58, FF, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[452] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698  000007ff584b153a 4 bytes [4B, 58, FF, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[452] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246  000007ff584b165a 4 bytes [4B, 58, FF, 07]
.text  C:\Windows\system32\nvvsvc.exe[424] C:\Windows\system32\MSIMG32.dll!GradientFill + 690  000007ff584b1532 4 bytes [4B, 58, FF, 07]
.text  C:\Windows\system32\nvvsvc.exe[424] C:\Windows\system32\MSIMG32.dll!GradientFill + 698  000007ff584b153a 4 bytes [4B, 58, FF, 07]
.text  C:\Windows\system32\nvvsvc.exe[424] C:\Windows\system32\MSIMG32.dll!TransparentBlt + 246  000007ff584b165a 4 bytes [4B, 58, FF, 07]
.text  C:\Windows\system32\nvvsvc.exe[424] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007ff5d0d177a 4 bytes [0D, 5D, FF, 07]
.text  C:\Windows\system32\nvvsvc.exe[424] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007ff5d0d1782 4 bytes [0D, 5D, FF, 07]
.text  C:\Windows\Explorer.EXE[1504] C:\Windows\SYSTEM32\ntdll.dll!NtQueryLicenseValue  000007ff5f763f11 6 bytes JMP 00000800566a3ff0
.text  C:\Windows\Explorer.EXE[1504] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameW  000007ff5c6f2110 5 bytes JMP 00000800566a4830
.text  C:\Windows\Explorer.EXE[1504] C:\Windows\SYSTEM32\slc.dll!SLIsWindowsGenuineLocal  000007ff5946d724 7 bytes JMP 00000800566a4160
.text  C:\Windows\Explorer.EXE[1504] C:\Windows\SYSTEM32\sppc.dll!SLIsGenuineLocalEx  000007ff54eecbf4 5 bytes JMP 000007ff566a4180
.text  C:\Windows\Explorer.EXE[1504] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007ff5d0d177a 4 bytes [0D, 5D, FF, 07]
.text  C:\Windows\Explorer.EXE[1504] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007ff5d0d1782 4 bytes [0D, 5D, FF, 07]
.text  C:\Windows\Explorer.EXE[1504] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 742  000007ff562a1b32 4 bytes [2A, 56, FF, 07]
.text  C:\Windows\Explorer.EXE[1504] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 750  000007ff562a1b3a 4 bytes [2A, 56, FF, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1840] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690  000007ff584b1532 4 bytes [4B, 58, FF, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1840] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698  000007ff584b153a 4 bytes [4B, 58, FF, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1840] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246  000007ff584b165a 4 bytes [4B, 58, FF, 07]
.text  D:\Fortinet\FortiClient\FCHelper64.exe[1196] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007ff5d0d177a 4 bytes [0D, 5D, FF, 07]
.text  D:\Fortinet\FortiClient\FCHelper64.exe[1196] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007ff5d0d1782 4 bytes [0D, 5D, FF, 07]

---- Kernel IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\system32\drivers\afd.sys[ntoskrnl.exe!ExReleaseResourceAndLeaveCriticalRegion]  [?]
IAT  C:\Windows\system32\drivers\afd.sys[msrpc.sys!RpcAsyncCancelCall]  [?]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [512:544]  fffff9600086b5e8

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  -296007759

---- Files - GMER 2.1 ----

File  C:\Users\FiKumiczek\AppData\Local\Temp\tmpFDAD.tmp  19875432 bytes

---- EOF - GMER 2.1 ----
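The log above mixes two very different kinds of ".text" findings: entries whose detail is a raw byte list (the PSAPI, MSIMG32 and WSOCK32 lines, always 4 bytes ending in FF, 07) and entries whose detail is "JMP <target>" (the four Explorer.EXE lines on NtQueryLicenseValue, GetModuleFileNameW, SLIsWindowsGenuineLocal and SLIsGenuineLocalEx, the last two being Windows Software Licensing Client APIs). A quick way to separate them is to parse the lines and check what the patched bytes actually are. The script below is an added example written for this page; it is not part of the posted log and not GMER's own code. The six sample lines are copied verbatim from the log; the line grammar in the regexes and the relocation heuristic (a 4-byte patch whose little-endian value equals bits 16..47 of the patch address is the upper dword of a 64-bit pointer into the same module, the shape an ASLR relocation fixup leaves behind) are this example's own assumptions, not GMER behaviour.

```python
"""Triage helper for the ".text" code-section entries of a GMER 2.1 log.

Added example: not part of the posted log and not GMER's own code. The
sample lines are copied from the log above; the line grammar and the
relocation heuristic are assumptions made by this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: six ".text" entries taken verbatim from the log above.
SAMPLE_LOG = r"""
.text  C:\Windows\system32\ntoskrnl.exe!KiCpuId + 988  fffff800248c041c 1 byte [31]
.text  C:\Windows\system32\dwm.exe[940] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007ff5d0d177a 4 bytes [0D, 5D, FF, 07]
.text  C:\Windows\Explorer.EXE[1504] C:\Windows\SYSTEM32\ntdll.dll!NtQueryLicenseValue  000007ff5f763f11 6 bytes JMP 00000800566a3ff0
.text  C:\Windows\Explorer.EXE[1504] C:\Windows\SYSTEM32\slc.dll!SLIsWindowsGenuineLocal  000007ff5946d724 7 bytes JMP 00000800566a4160
.text  C:\Windows\Explorer.EXE[1504] C:\Windows\SYSTEM32\sppc.dll!SLIsGenuineLocalEx  000007ff54eecbf4 5 bytes JMP 000007ff566a4180
.text  C:\Windows\Explorer.EXE[1504] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 742  000007ff562a1b32 4 bytes [2A, 56, FF, 07]
"""

# Assumed line grammar (kernel entries have no "<process>[<pid>]" part):
#   .text  <process>[<pid>] <module>!<symbol> [+ <offset>]  <addr> <n> byte(s) <detail>
LINE_RE = re.compile(
    r"^\.text\s+"
    r"(?:(?P<process>.+?)\[(?P<pid>\d+)\]\s+)?"
    r"(?P<module>.+?)!(?P<symbol>\S+)"
    r"(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]{16})\s+(?P<size>\d+)\s+bytes?\s+(?P<detail>.+?)\s*$"
)
JMP_RE = re.compile(r"^JMP\s+([0-9a-fA-F]{16})$")
BYTES_RE = re.compile(r"^\[([0-9a-fA-F]{2}(?:,\s*[0-9a-fA-F]{2})*)\]$")


@dataclass
class Entry:
    process: Optional[str]   # None for kernel code sections
    pid: Optional[int]
    module: str
    symbol: str
    offset: int              # bytes past the symbol; 0 when the patch is at the entry point
    address: int
    size: int
    detail: str              # raw tail: "JMP <target>" or "[xx, xx, ...]"


def parse_gmer_lines(text: str) -> list:
    """Return one Entry per line that matches the assumed ".text" grammar."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            process=m["process"],
            pid=int(m["pid"]) if m["pid"] else None,
            module=m["module"],
            symbol=m["symbol"],
            offset=int(m["offset"] or 0),
            address=int(m["addr"], 16),
            size=int(m["size"]),
            detail=m["detail"],
        ))
    return entries


def triage(e: Entry) -> tuple:
    """Classify one entry as (category, value).

    inline_jmp_hook         a JMP written over the function; value = target address
    likely_relocation_fixup the 4 patched bytes equal bits 16..47 of the patch
                            address, i.e. the upper dword of a 64-bit pointer back
                            into the same module (heuristic, low priority, not a verdict)
    byte_patch              any other raw byte change; value = the bytes
    """
    jm = JMP_RE.match(e.detail)
    if jm:
        return ("inline_jmp_hook", int(jm.group(1), 16))
    bm = BYTES_RE.match(e.detail)
    if bm:
        raw = bytes(int(b.strip(), 16) for b in bm.group(1).split(","))
        if len(raw) == 4:
            dword = int.from_bytes(raw, "little")
            if dword == (e.address >> 16) & 0xFFFFFFFF:
                return ("likely_relocation_fixup", dword)
        return ("byte_patch", raw)
    return ("unknown", e.detail)


def summarize(entries: list) -> dict:
    """Count entries per triage category."""
    counts: dict = {}
    for e in entries:
        cat = triage(e)[0]
        counts[cat] = counts.get(cat, 0) + 1
    return counts


if __name__ == "__main__":
    for e in parse_gmer_lines(SAMPLE_LOG):
        cat, val = triage(e)
        where = f"{e.process}[{e.pid}]" if e.pid is not None else "kernel"
        shown = f"{val:#018x}" if isinstance(val, int) else val
        print(f"{cat:24} {where:40} {e.module}!{e.symbol}+{e.offset} -> {shown}")
```

Run as a script it prints one triage line per entry. Over the full log above, every 4-byte entry (PSAPI, MSIMG32, WSOCK32, in all processes) satisfies the relocation heuristic, while the four Explorer.EXE entries are JMP detours over the first bytes of exported functions and are the ones to examine first, for instance by dumping the target pages from the live process and checking which module, if any, owns them. The heuristic only says "looks like a relocated pointer"; it is no substitute for comparing the bytes against the on-disk image.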