GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-02-25 23:06:07 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000004d Hitachi_HTS727575A9E364 rev.JF4OA200 698,64GB Running: gmer.exe; Driver: C:\Users\Robert\AppData\Local\Temp\uxloapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\dwm.exe[348] C:\Windows\system32\KERNEL32.DLL!RegSetValueExW 000007fc2236257c 8 bytes JMP 000007fd1fd803b0 .text C:\Windows\system32\dwm.exe[348] C:\Windows\system32\KERNEL32.DLL!RegQueryValueExW 000007fc22366b10 9 bytes JMP 000007fd1fd80308 .text C:\Windows\system32\dwm.exe[348] C:\Windows\system32\KERNEL32.DLL!K32GetModuleFileNameExW 000007fc223e5658 7 bytes JMP 000007fd1fd80260 .text C:\Windows\system32\dwm.exe[348] C:\Windows\system32\KERNEL32.DLL!K32GetModuleInformation 000007fc223e5778 7 bytes JMP 000007fd1fd802d0 .text C:\Windows\system32\dwm.exe[348] C:\Windows\system32\KERNEL32.DLL!RegDeleteValueW 000007fc22401564 7 bytes JMP 000007fd1fd80340 .text C:\Windows\system32\dwm.exe[348] C:\Windows\system32\KERNEL32.DLL!K32GetMappedFileNameW 000007fc224140e4 7 bytes JMP 000007fd1fd80298 .text C:\Windows\system32\dwm.exe[348] C:\Windows\system32\KERNEL32.DLL!K32EnumProcessModulesEx 000007fc22414178 8 bytes JMP 000007fd1fd80228 .text C:\Windows\system32\dwm.exe[348] C:\Windows\system32\KERNEL32.DLL!RegSetValueExA 000007fc2241479c 8 bytes JMP 000007fd1fd80378 .text C:\Windows\system32\dwm.exe[348] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fc1fdc28a0 7 bytes JMP 000007fd1fd800d8 .text C:\Windows\system32\dwm.exe[348] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fc1fdc28e8 5 bytes JMP 000007fd1fd80180 .text C:\Windows\system32\dwm.exe[348] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fc1fddf590 6 bytes JMP 000007fd1fd80148 .text C:\Windows\system32\dwm.exe[348] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fc1fddf8ac 5 bytes JMP 000007fd1fd80110 .text C:\Windows\system32\dwm.exe[348] C:\Windows\system32\USER32.dll!CreateWindowExW 000007fc202bc5b0 7 bytes JMP 000007fd1fd80490 .text C:\Windows\system32\dwm.exe[348] C:\Windows\system32\USER32.dll!DisplayConfigGetDeviceInfo 000007fc202c31f0 9 bytes JMP 000007fd1fd803e8 .text C:\Windows\system32\dwm.exe[348] C:\Windows\system32\USER32.dll!EnumDisplayDevicesW 000007fc202c33e0 5 bytes JMP 000007fd1fd80458 .text C:\Windows\system32\dwm.exe[348] C:\Windows\system32\USER32.dll!EnumDisplayDevicesA 000007fc202c7160 5 bytes JMP 000007fd1fd80420 .text C:\Windows\system32\dwm.exe[348] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fc226b1070 8 bytes JMP 000007fd1fd801f0 .text C:\Windows\system32\dwm.exe[348] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fc226d0c10 8 bytes JMP 000007fd1fd801b8 .text C:\Windows\system32\dwm.exe[348] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fc1dd36d10 5 bytes JMP 000007fd1db20110 .text C:\Windows\system32\dwm.exe[348] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fc1dd3d060 5 bytes JMP 000007fd1db200d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1060] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fc1da41532 4 bytes [A4, 1D, FC, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1060] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fc1da4153a 4 bytes [A4, 1D, FC, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1060] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fc1da4165a 4 bytes [A4, 1D, FC, 07] .text C:\Windows\system32\nvvsvc.exe[1068] C:\Windows\system32\MSIMG32.dll!GradientFill + 690 000007fc1da41532 4 bytes [A4, 1D, FC, 07] .text C:\Windows\system32\nvvsvc.exe[1068] C:\Windows\system32\MSIMG32.dll!GradientFill + 698 000007fc1da4153a 4 bytes [A4, 1D, FC, 07] .text C:\Windows\system32\nvvsvc.exe[1068] C:\Windows\system32\MSIMG32.dll!TransparentBlt + 246 000007fc1da4165a 4 bytes [A4, 1D, FC, 07] .text C:\Windows\system32\nvvsvc.exe[1068] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fc2291177a 4 bytes [91, 22, FC, 07] .text C:\Windows\system32\nvvsvc.exe[1068] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fc22911782 4 bytes [91, 22, FC, 07] .text C:\Windows\system32\WLANExt.exe[1320] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fc2291177a 4 bytes [91, 22, FC, 07] .text C:\Windows\system32\WLANExt.exe[1320] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fc22911782 4 bytes [91, 22, FC, 07] .text C:\Windows\system32\WLANExt.exe[1320] C:\Windows\system32\MSIMG32.dll!GradientFill + 690 000007fc1da41532 4 bytes [A4, 1D, FC, 07] .text C:\Windows\system32\WLANExt.exe[1320] C:\Windows\system32\MSIMG32.dll!GradientFill + 698 000007fc1da4153a 4 bytes [A4, 1D, FC, 07] .text C:\Windows\system32\WLANExt.exe[1320] C:\Windows\system32\MSIMG32.dll!TransparentBlt + 246 000007fc1da4165a 4 bytes [A4, 1D, FC, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2184] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fc1da41532 4 bytes [A4, 1D, FC, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2184] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fc1da4153a 4 bytes [A4, 1D, FC, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2184] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fc1da4165a 4 bytes [A4, 1D, FC, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2256] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fc1da41532 4 bytes [A4, 1D, FC, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2256] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fc1da4153a 4 bytes [A4, 1D, FC, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2256] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fc1da4165a 4 bytes [A4, 1D, FC, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2256] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fc2291177a 4 bytes [91, 22, FC, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2256] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fc22911782 4 bytes [91, 22, FC, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2256] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 742 000007fc1b751b32 4 bytes [75, 1B, FC, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2256] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 750 000007fc1b751b3a 4 bytes [75, 1B, FC, 07] .text C:\Windows\System32\svchost.exe[2580] c:\windows\system32\WSOCK32.dll!recvfrom + 742 000007fc1b751b32 4 bytes [75, 1B, FC, 07] .text C:\Windows\System32\svchost.exe[2580] c:\windows\system32\WSOCK32.dll!recvfrom + 750 000007fc1b751b3a 4 bytes [75, 1B, FC, 07] .text C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe[2820] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fc2291177a 4 bytes [91, 22, FC, 07] .text C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe[2820] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fc22911782 4 bytes [91, 22, FC, 07] .text C:\Windows\System32\svchost.exe[2848] c:\windows\system32\WSOCK32.dll!recvfrom + 742 000007fc1b751b32 4 bytes [75, 1B, FC, 07] .text C:\Windows\System32\svchost.exe[2848] c:\windows\system32\WSOCK32.dll!recvfrom + 750 000007fc1b751b3a 4 bytes [75, 1B, FC, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2868] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fc2291177a 4 bytes [91, 22, FC, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2868] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fc22911782 4 bytes [91, 22, FC, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2868] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fc1da41532 4 bytes [A4, 1D, FC, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2868] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fc1da4153a 4 bytes [A4, 1D, FC, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2868] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fc1da4165a 4 bytes [A4, 1D, FC, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2180] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fc1da41532 4 bytes [A4, 1D, FC, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2180] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fc1da4153a 4 bytes [A4, 1D, FC, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2180] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fc1da4165a 4 bytes [A4, 1D, FC, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2180] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fc2291177a 4 bytes [91, 22, FC, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2180] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fc22911782 4 bytes [91, 22, FC, 07] .text C:\Windows\system32\wbem\wmiprvse.exe[3692] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fc2291177a 4 bytes [91, 22, FC, 07] .text C:\Windows\system32\wbem\wmiprvse.exe[3692] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fc22911782 4 bytes [91, 22, FC, 07] .text C:\Windows\system32\wbem\wmiprvse.exe[3692] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fc1da41532 4 bytes [A4, 1D, FC, 07] .text C:\Windows\system32\wbem\wmiprvse.exe[3692] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fc1da4153a 4 bytes [A4, 1D, FC, 07] .text C:\Windows\system32\wbem\wmiprvse.exe[3692] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fc1da4165a 4 bytes [A4, 1D, FC, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4132] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fc1da41532 4 bytes [A4, 1D, FC, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4132] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fc1da4153a 4 bytes [A4, 1D, FC, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4132] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fc1da4165a 4 bytes [A4, 1D, FC, 07] .text C:\Windows\System32\rundll32.exe[4276] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fc1da41532 4 bytes [A4, 1D, FC, 07] .text C:\Windows\System32\rundll32.exe[4276] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fc1da4153a 4 bytes [A4, 1D, FC, 07] .text C:\Windows\System32\rundll32.exe[4276] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fc1da4165a 4 bytes [A4, 1D, FC, 07] .text C:\Windows\system32\igfxpers.exe[2788] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fc2291177a 4 bytes [91, 22, FC, 07] .text C:\Windows\system32\igfxpers.exe[2788] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fc22911782 4 bytes [91, 22, FC, 07] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3384] C:\Windows\SYSTEM32\msimg32.dll!GradientFill + 690 000007fc1da41532 4 bytes [A4, 1D, FC, 07] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3384] C:\Windows\SYSTEM32\msimg32.dll!GradientFill + 698 000007fc1da4153a 4 bytes [A4, 1D, FC, 07] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[3384] C:\Windows\SYSTEM32\msimg32.dll!TransparentBlt + 246 000007fc1da4165a 4 bytes [A4, 1D, FC, 07] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\csrss.exe [632:656] fffff960009655e8 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----