GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-07-10 21:42:40 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002d TOSHIBA_MQ01ABD050 rev.AX002J 465.76GB Running: i8k9svef.exe; Driver: C:\Users\vardum\AppData\Local\Temp\uxldrpow.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff9600018ad00 15 bytes [00, A9, F3, 01, 80, 64, 6D, ...] .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16 fffff9600018ad10 11 bytes [00, 91, FC, FF, 00, BF, CA, ...] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\wininit.exe[916] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\system32\lsass.exe[1012] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[516] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[792] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\System32\svchost.exe[1092] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[1124] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[1228] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\System32\svchost.exe[1292] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[1424] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\System32\spoolsv.exe[1612] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[1668] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[1692] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\System32\svchost.exe[1956] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\system32\dashost.exe[992] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[2096] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2168] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\system32\conhost.exe[2432] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[2704] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2712] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\System32\alg.exe[2924] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\system32\SearchIndexer.exe[4812] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[6852] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[6852] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc97d1ef70 5 bytes JMP 00007ffd853017d0 .text C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\AsusWSWinService.exe[6900] C:\WINDOWS\system32\KERNEL32.dll!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[7108] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[7108] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc97d1ef70 5 bytes JMP 00007ffd853017d0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5096] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[5096] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc97d1ef70 5 bytes JMP 00007ffd853017d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[976] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[976] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc97d1ef70 5 bytes JMP 00007ffd853017d0 .text C:\WINDOWS\system32\svchost.exe[7028] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[7028] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc97d1ef70 5 bytes JMP 00007ffd853017d0 .text C:\Windows\system32\FBAgent.exe[4888] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\Windows\system32\FBAgent.exe[4888] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc97d1ef70 5 bytes JMP 00007ffd853017d0 .text C:\WINDOWS\system32\winlogon.exe[4948] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\system32\winlogon.exe[4948] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc97d1ef70 5 bytes JMP 00007ffd853017d0 .text C:\WINDOWS\system32\dwm.exe[4076] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\system32\dwm.exe[4076] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc97d1ef70 5 bytes JMP 00007ffd853017d0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[4488] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[4488] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc97d1ef70 5 bytes JMP 00007ffd853017d0 .text C:\WINDOWS\system32\taskhostex.exe[6936] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\system32\taskhostex.exe[6936] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc97d1ef70 5 bytes JMP 00007ffd853017d0 .text C:\WINDOWS\Explorer.EXE[5040] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\Explorer.EXE[5040] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc97d1ef70 5 bytes JMP 00007ffd853017d0 .text C:\Windows\System32\skydrive.exe[3424] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\Windows\System32\skydrive.exe[3424] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc97d1ef70 5 bytes JMP 00007ffd853017d0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[4696] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[4696] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc97d1ef70 5 bytes JMP 00007ffd853017d0 .text C:\Windows\System32\igfxpers.exe[6448] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\Windows\System32\igfxpers.exe[6448] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc97d1ef70 5 bytes JMP 00007ffd853017d0 .text C:\WINDOWS\system32\igfxsrvc.exe[3496] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\system32\igfxsrvc.exe[3496] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc97d1ef70 5 bytes JMP 00007ffd853017d0 .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[832] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe[832] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc97d1ef70 5 bytes JMP 00007ffd853017d0 .text C:\Windows\System32\SettingSyncHost.exe[6864] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\Windows\System32\SettingSyncHost.exe[6864] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc97d1ef70 5 bytes JMP 00007ffd853017d0 .text C:\WINDOWS\system32\taskhost.exe[5748] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] .text C:\WINDOWS\system32\taskhost.exe[5748] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ffc97d1ef70 5 bytes JMP 00007ffd853017d0 .text C:\WINDOWS\system32\AUDIODG.EXE[6844] C:\WINDOWS\SYSTEM32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffc99ddd3c5 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [6820:1540] fffff9600084a2d0 Thread C:\WINDOWS\Explorer.EXE [5040:5264] 00007ffc956655f0 Thread C:\WINDOWS\Explorer.EXE [5040:4828] 00007ffc8d6037e0 Thread C:\WINDOWS\Explorer.EXE [5040:6268] 00007ffc94869b10 Thread C:\WINDOWS\Explorer.EXE [5040:5292] 00007ffc94869b10 Thread C:\WINDOWS\Explorer.EXE [5040:7076] 00007ffc94869b10 Thread C:\WINDOWS\Explorer.EXE [5040:6152] 00007ffc9162f3c0 Thread C:\WINDOWS\Explorer.EXE [5040:6920] 00007ffc7a285060 Thread C:\WINDOWS\Explorer.EXE [5040:2192] 00007ffc94869b10 Thread C:\WINDOWS\Explorer.EXE [5040:6148] 00007ffc95c51fe0 Thread C:\WINDOWS\Explorer.EXE [5040:4764] 00007ffc973fc900 Thread C:\WINDOWS\Explorer.EXE [5040:172] 00007ffc83842d70 Thread C:\WINDOWS\Explorer.EXE [5040:2584] 00007ffc838be840 Thread C:\WINDOWS\Explorer.EXE [5040:88] 00007ffc8bb7e630 Thread C:\WINDOWS\Explorer.EXE [5040:1652] 00007ffc950f1e80 Thread C:\WINDOWS\Explorer.EXE [5040:4612] 00007ffc950f1c10 Thread C:\WINDOWS\Explorer.EXE [5040:4712] 00007ffc8bb7e630 Thread C:\WINDOWS\Explorer.EXE [5040:5952] 00007ffc80041480 Thread C:\WINDOWS\Explorer.EXE [5040:6184] 00007ffc9162f3c0 Thread C:\WINDOWS\Explorer.EXE [5040:3820] 00007ffc9162f3c0 Thread C:\WINDOWS\Explorer.EXE [5040:5884] 00007ffc7d11a710 Thread C:\WINDOWS\Explorer.EXE [5040:3272] 00007ffc9162f3c0 Thread C:\WINDOWS\Explorer.EXE [5040:7476] 00007ffc8bb79970 Thread C:\WINDOWS\Explorer.EXE [5040:8132] 00007ffc8d5c1090 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----