GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-07-19 16:43:36
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000038 ST1000LM024_HN-M101MBB rev.2AR10002 931,51GB
Running: zy6yzbws.exe; Driver: C:\Users\Edyta\AppData\Local\Temp\uwloapow.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff960000efe00 7 bytes [C0, CB, 1C, 01, 00, 7B, 9B]
.text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 8 fffff960000efe08 7 bytes [01, 10, E4, FF, 00, 5F, E8]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Windows Defender\MsMpEng.exe[1500] C:\WINDOWS\system32\psapi.dll!GetProcessImageFileNameA + 306 000007f80d48177a 4 bytes [48, 0D, F8, 07]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1500] C:\WINDOWS\system32\psapi.dll!GetProcessImageFileNameA + 314 000007f80d481782 4 bytes [48, 0D, F8, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4728] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f808b61532 4 bytes [B6, 08, F8, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4728] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f808b6153a 4 bytes [B6, 08, F8, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4728] C:\WINDOWS\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f808b6165a 4 bytes [B6, 08, F8, 07]
.text C:\Program Files\Internet Explorer\iexplore.exe[1544] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f808b61532 4 bytes [B6, 08, F8, 07]
.text C:\Program Files\Internet Explorer\iexplore.exe[1544] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f808b6153a 4 bytes [B6, 08, F8, 07]
.text C:\Program Files\Internet Explorer\iexplore.exe[1544] C:\WINDOWS\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f808b6165a 4 bytes [B6, 08, F8, 07]
.text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[1100] C:\WINDOWS\system32\psapi.dll!GetProcessImageFileNameA + 306 000007f80d48177a 4 bytes [48, 0D, F8, 07]
.text C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[1100] C:\WINDOWS\system32\psapi.dll!GetProcessImageFileNameA + 314 000007f80d481782 4 bytes [48, 0D, F8, 07]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[5220] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f80d48177a 4 bytes [48, 0D, F8, 07]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[5220] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f80d481782 4 bytes [48, 0D, F8, 07]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[5220] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f808b61532 4 bytes [B6, 08, F8, 07]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[5220] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f808b6153a 4 bytes [B6, 08, F8, 07]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[5220] C:\WINDOWS\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f808b6165a 4 bytes [B6, 08, F8, 07]
.text C:\WINDOWS\system32\WLANExt.exe[1640] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f80d48177a 4 bytes [48, 0D, F8, 07]
.text C:\WINDOWS\system32\WLANExt.exe[1640] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f80d481782 4 bytes [48, 0D, F8, 07]
.text C:\WINDOWS\system32\WLANExt.exe[1640] C:\WINDOWS\system32\MSIMG32.dll!GradientFill + 690 000007f808b61532 4 bytes [B6, 08, F8, 07]
.text C:\WINDOWS\system32\WLANExt.exe[1640] C:\WINDOWS\system32\MSIMG32.dll!GradientFill + 698 000007f808b6153a 4 bytes [B6, 08, F8, 07]
.text C:\WINDOWS\system32\WLANExt.exe[1640] C:\WINDOWS\system32\MSIMG32.dll!TransparentBlt + 246 000007f808b6165a 4 bytes [B6, 08, F8, 07]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[5228] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f808b61532 4 bytes [B6, 08, F8, 07]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[5228] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f808b6153a 4 bytes [B6, 08, F8, 07]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[5228] C:\WINDOWS\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f808b6165a 4 bytes [B6, 08, F8, 07]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[5228] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f80d48177a 4 bytes [48, 0D, F8, 07]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[5228] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f80d481782 4 bytes [48, 0D, F8, 07]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[5228] C:\WINDOWS\SYSTEM32\WSOCK32.dll!recvfrom + 742 000007f805f71b32 4 bytes [F7, 05, F8, 07]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[5228] C:\WINDOWS\SYSTEM32\WSOCK32.dll!recvfrom + 750 000007f805f71b3a 4 bytes [F7, 05, F8, 07]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[5464] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f80d48177a 4 bytes [48, 0D, F8, 07]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[5464] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f80d481782 4 bytes [48, 0D, F8, 07]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[5464] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f808b61532 4 bytes [B6, 08, F8, 07]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[5464] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f808b6153a 4 bytes [B6, 08, F8, 07]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[5464] C:\WINDOWS\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f808b6165a 4 bytes [B6, 08, F8, 07]
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[4668] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f808b61532 4 bytes [B6, 08, F8, 07]
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[4668] C:\WINDOWS\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f808b6153a 4 bytes [B6, 08, F8, 07]
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[4668] C:\WINDOWS\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f808b6165a 4 bytes [B6, 08, F8, 07]
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[4668] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f80d48177a 4 bytes [48, 0D, F8, 07]
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[4668] C:\WINDOWS\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f80d481782 4 bytes [48, 0D, F8, 07]
.text C:\Users\Edyta\Documents\hw64_500\HWiNFO64.exe[52] C:\WINDOWS\SYSTEM32\Msimg32.dll!GradientFill + 690 000007f808b61532 4 bytes [B6, 08, F8, 07]
.text C:\Users\Edyta\Documents\hw64_500\HWiNFO64.exe[52] C:\WINDOWS\SYSTEM32\Msimg32.dll!GradientFill + 698 000007f808b6153a 4 bytes [B6, 08, F8, 07]
.text C:\Users\Edyta\Documents\hw64_500\HWiNFO64.exe[52] C:\WINDOWS\SYSTEM32\Msimg32.dll!TransparentBlt + 246 000007f808b6165a 4 bytes [B6, 08, F8, 07]

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\system32\csrss.exe [552:2992] fffff9600080c5e8

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----