GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-10-13 18:52:48
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000037 WDC_WD3200BEVT-22ZCT0 rev.11.01A11 298,09GB
Running: 776roz62.exe; Driver: C:\Users\KlaudiaM\AppData\Local\Temp\pxloqpog.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable  fffff960000d3a00 7 bytes [40, CA, 81, 01, 00, 4C, F2]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8  fffff960000d3a08 7 bytes [01, EA, BF, FF, 00, C7, DA]

---- User code sections - GMER 2.1 ----

.text  C:\Windows\Explorer.EXE[2636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryLicenseValue  000007ffbd943f11 6 bytes JMP 00000800b4763ff0
.text  C:\Windows\Explorer.EXE[2636] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameW  000007ffb9d72110 5 bytes JMP 00000800b4764830
.text  C:\Windows\Explorer.EXE[2636] C:\Windows\SYSTEM32\slc.dll!SLIsWindowsGenuineLocal  000007ffb621d724 7 bytes JMP 00000800b4764160
.text  C:\Windows\Explorer.EXE[2636] C:\Windows\SYSTEM32\sppc.dll!SLIsGenuineLocalEx  000007ffb2d9d014 5 bytes JMP 000007ffb4764180
.text  C:\Windows\Explorer.EXE[2636] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007ffb9fb177a 4 bytes [FB, B9, FF, 07]
.text  C:\Windows\Explorer.EXE[2636] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007ffb9fb1782 4 bytes [FB, B9, FF, 07]
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3888] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690  000007ffb5c31532 4 bytes [C3, B5, FF, 07]
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3888] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698  000007ffb5c3153a 4 bytes [C3, B5, FF, 07]
.text  C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3888] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246  000007ffb5c3165a 4 bytes [C3, B5, FF, 07]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [868:900]  fffff960009565e8

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  1226647437
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0c6076abc783
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0c6076abc783@3c363d9bcb8a  0xB8 0x54 0xD1 0x55 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0c6076abc783@04a82ac4d6bc  0x2C 0xC2 0x85 0x3B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  15954

---- EOF - GMER 2.1 ----