GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-21 14:07:08 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003e rev. 0,00MB Running: vk9effiv.exe; Driver: C:\Users\Basia\AppData\Local\Temp\uxlorkow.sys ---- User code sections - GMER 2.1 ---- .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\kernel32.dll!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\system32\wininit.exe[716] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\system32\csrss.exe[760] C:\windows\SYSTEM32\kernel32.dll!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\system32\winlogon.exe[804] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\system32\services.exe[836] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\system32\lsass.exe[844] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\system32\svchost.exe[980] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\system32\nvvsvc.exe[324] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\system32\svchost.exe[380] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\system32\dwm.exe[728] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\System32\svchost.exe[452] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\system32\svchost.exe[916] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\system32\svchost.exe[1092] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\System32\svchost.exe[1152] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fdb2071532 4 bytes [07, B2, FD, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fdb207153a 4 bytes [07, B2, FD, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1260] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fdb207165a 4 bytes [07, B2, FD, 07] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\system32\MSIMG32.dll!GradientFill + 690 000007fdb2071532 4 bytes [07, B2, FD, 07] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\system32\MSIMG32.dll!GradientFill + 698 000007fdb207153a 4 bytes [07, B2, FD, 07] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\system32\MSIMG32.dll!TransparentBlt + 246 000007fdb207165a 4 bytes [07, B2, FD, 07] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fdb76c177a 4 bytes [6C, B7, FD, 07] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fdb76c1782 4 bytes [6C, B7, FD, 07] .text C:\windows\system32\svchost.exe[1352] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\system32\svchost.exe[1408] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\System32\spoolsv.exe[1944] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\System32\spoolsv.exe[1944] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fdb2071532 4 bytes [07, B2, FD, 07] .text C:\windows\System32\spoolsv.exe[1944] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fdb207153a 4 bytes [07, B2, FD, 07] .text C:\windows\System32\spoolsv.exe[1944] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fdb207165a 4 bytes [07, B2, FD, 07] .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1552] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\system32\dashost.exe[1852] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1636] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2100] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\system32\taskhostex.exe[2620] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\Explorer.EXE[2788] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\System32\svchost.exe[2932] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\System32\svchost.exe[2932] c:\windows\system32\WSOCK32.dll!recvfrom + 742 000007fdabca1b32 4 bytes [CA, AB, FD, 07] .text C:\windows\System32\svchost.exe[2932] c:\windows\system32\WSOCK32.dll!recvfrom + 750 000007fdabca1b3a 4 bytes [CA, AB, FD, 07] .text C:\windows\System32\svchost.exe[2984] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\System32\svchost.exe[2984] c:\windows\system32\WSOCK32.dll!recvfrom + 742 000007fdabca1b32 4 bytes [CA, AB, FD, 07] .text C:\windows\System32\svchost.exe[2984] c:\windows\system32\WSOCK32.dll!recvfrom + 750 000007fdabca1b3a 4 bytes [CA, AB, FD, 07] .text C:\windows\system32\svchost.exe[3040] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\system32\conhost.exe[2388] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1536] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1536] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fdb2071532 4 bytes [07, B2, FD, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1536] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fdb207153a 4 bytes [07, B2, FD, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[1536] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fdb207165a 4 bytes [07, B2, FD, 07] .text C:\windows\system32\svchost.exe[3240] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\system32\svchost.exe[3416] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\system32\SearchIndexer.exe[4308] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\system32\wbem\wmiprvse.exe[4628] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\system32\wbem\wmiprvse.exe[4820] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\System32\svchost.exe[3116] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4924] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4924] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fdb2071532 4 bytes [07, B2, FD, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4924] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fdb207153a 4 bytes [07, B2, FD, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4924] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fdb207165a 4 bytes [07, B2, FD, 07] .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4920] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4920] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fdb2071532 4 bytes [07, B2, FD, 07] .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4920] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fdb207153a 4 bytes [07, B2, FD, 07] .text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[4920] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fdb207165a 4 bytes [07, B2, FD, 07] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3472] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3472] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fdb2071532 4 bytes [07, B2, FD, 07] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3472] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fdb207153a 4 bytes [07, B2, FD, 07] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3472] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fdb207165a 4 bytes [07, B2, FD, 07] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3472] C:\windows\SYSTEM32\WSOCK32.dll!recvfrom + 742 000007fdabca1b32 4 bytes [CA, AB, FD, 07] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3472] C:\windows\SYSTEM32\WSOCK32.dll!recvfrom + 750 000007fdabca1b3a 4 bytes [CA, AB, FD, 07] .text C:\Program Files\Elantech\ETDCtrl.exe[3456] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\Program Files\Elantech\ETDCtrl.exe[3456] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fdb2071532 4 bytes [07, B2, FD, 07] .text C:\Program Files\Elantech\ETDCtrl.exe[3456] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fdb207153a 4 bytes [07, B2, FD, 07] .text C:\Program Files\Elantech\ETDCtrl.exe[3456] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fdb207165a 4 bytes [07, B2, FD, 07] .text C:\windows\system32\igfxext.exe[4512] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\Windows\System32\hkcmd.exe[5368] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\Windows\System32\igfxpers.exe[5460] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\Windows\System32\igfxpers.exe[5460] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fdb76c177a 4 bytes [6C, B7, FD, 07] .text C:\Windows\System32\igfxpers.exe[5460] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fdb76c1782 4 bytes [6C, B7, FD, 07] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5684] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5684] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fdb2071532 4 bytes [07, B2, FD, 07] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5684] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fdb207153a 4 bytes [07, B2, FD, 07] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[5684] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fdb207165a 4 bytes [07, B2, FD, 07] .text C:\windows\system32\DllHost.exe[6044] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[6316] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[6316] C:\windows\SYSTEM32\WSOCK32.dll!recvfrom + 742 000007fdabca1b32 4 bytes [CA, AB, FD, 07] .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[6316] C:\windows\SYSTEM32\WSOCK32.dll!recvfrom + 750 000007fdabca1b3a 4 bytes [CA, AB, FD, 07] .text C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE[4940] C:\Program Files (x86)\Microsoft Office\Office14\BCSProxy32.dll!ReleaseMutex + 215 000000005f362338 4 bytes [43, 66, 76, A9] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3820] C:\windows\system32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] .text C:\windows\system32\AUDIODG.EXE[6584] C:\windows\SYSTEM32\KERNEL32.DLL!GetBinaryTypeW + 163 000007fdb7c7f7eb 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\windows\system32\csrss.exe [760:780] fffff9600098b5e8 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\Internet Manager\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [2412](2012-11-21 08:53:17) 000000006fbc0000 Library C:\ProgramData\Internet Manager\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [2412](2012-11-21 08:53:17) 000000006e940000 Library C:\ProgramData\Internet Manager\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [2412](2012-11-21 08:53:17) 000000006a1c0000 Library C:\ProgramData\Internet Manager\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [2412](2012-11-21 08:53:17) 000000006ff00000 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code Disk \Device\Harddisk0\DR0 sector 0: rootkit-like behavior ---- EOF - GMER 2.1 ----