GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-03-31 18:49:06 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000048 HGST_HTS545050A7E380 rev.GG2ZBD90 465,76GB Running: gmer.exe; Driver: C:\Users\G580\AppData\Local\Temp\pxloapog.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff9600007da00 7 bytes [00, 0C, 7E, 01, 00, B1, F2] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff9600007da08 7 bytes [01, 0A, C0, FF, 00, 66, DB] ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\BtwRSupportService.exe[1664] C:\Windows\system32\MSIMG32.dll!GradientFill + 690 000007f94efe1532 4 bytes [FE, 4E, F9, 07] .text C:\Windows\system32\BtwRSupportService.exe[1664] C:\Windows\system32\MSIMG32.dll!GradientFill + 698 000007f94efe153a 4 bytes [FE, 4E, F9, 07] .text C:\Windows\system32\BtwRSupportService.exe[1664] C:\Windows\system32\MSIMG32.dll!TransparentBlt + 246 000007f94efe165a 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2092] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 306 000007f957d2177a 4 bytes [D2, 57, F9, 07] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2092] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 314 000007f957d21782 4 bytes [D2, 57, F9, 07] .text C:\Windows\system32\svchost.exe[2132] C:\Windows\system32\WSOCK32.dll!recvfrom + 742 000007f94c331b32 4 bytes [33, 4C, F9, 07] .text C:\Windows\system32\svchost.exe[2132] C:\Windows\system32\WSOCK32.dll!recvfrom + 750 000007f94c331b3a 4 bytes [33, 4C, F9, 07] .text C:\Windows\System32\LogonUI.exe[4260] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f94efe1532 4 bytes [FE, 4E, F9, 07] .text C:\Windows\System32\LogonUI.exe[4260] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f94efe153a 4 bytes [FE, 4E, F9, 07] .text C:\Windows\System32\LogonUI.exe[4260] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f94efe165a 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4944] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f94efe1532 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4944] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f94efe153a 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[4944] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f94efe165a 4 bytes [FE, 4E, F9, 07] .text C:\Windows\system32\nvvsvc.exe[476] C:\Windows\system32\MSIMG32.dll!GradientFill + 690 000007f94efe1532 4 bytes [FE, 4E, F9, 07] .text C:\Windows\system32\nvvsvc.exe[476] C:\Windows\system32\MSIMG32.dll!GradientFill + 698 000007f94efe153a 4 bytes [FE, 4E, F9, 07] .text C:\Windows\system32\nvvsvc.exe[476] C:\Windows\system32\MSIMG32.dll!TransparentBlt + 246 000007f94efe165a 4 bytes [FE, 4E, F9, 07] .text C:\Windows\system32\nvvsvc.exe[476] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f957d2177a 4 bytes [D2, 57, F9, 07] .text C:\Windows\system32\nvvsvc.exe[476] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f957d21782 4 bytes [D2, 57, F9, 07] .text C:\Program Files\Elantech\ETDCtrl.exe[1320] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f94efe1532 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\Elantech\ETDCtrl.exe[1320] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f94efe153a 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\Elantech\ETDCtrl.exe[1320] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f94efe165a 4 bytes [FE, 4E, F9, 07] .text C:\Windows\Explorer.EXE[5432] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f94efe1532 4 bytes [FE, 4E, F9, 07] .text C:\Windows\Explorer.EXE[5432] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f94efe153a 4 bytes [FE, 4E, F9, 07] .text C:\Windows\Explorer.EXE[5432] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f94efe165a 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4176] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f94efe1532 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4176] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f94efe153a 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[4176] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f94efe165a 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[728] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f94efe1532 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[728] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f94efe153a 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[728] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f94efe165a 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\Elantech\ETDIntelligent.exe[3800] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f94efe1532 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\Elantech\ETDIntelligent.exe[3800] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f94efe153a 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\Elantech\ETDIntelligent.exe[3800] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f94efe165a 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5732] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f94efe1532 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5732] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f94efe153a 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5732] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f94efe165a 4 bytes [FE, 4E, F9, 07] .text C:\Windows\System32\igfxpers.exe[1076] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f957d2177a 4 bytes [D2, 57, F9, 07] .text C:\Windows\System32\igfxpers.exe[1076] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f957d21782 4 bytes [D2, 57, F9, 07] .text C:\Program Files\ESET\ESET Smart Security\egui.exe[3204] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 306 000007f957d2177a 4 bytes [D2, 57, F9, 07] .text C:\Program Files\ESET\ESET Smart Security\egui.exe[3204] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 314 000007f957d21782 4 bytes [D2, 57, F9, 07] .text C:\Program Files\ESET\ESET Smart Security\egui.exe[3204] C:\Windows\SYSTEM32\msimg32.dll!GradientFill + 690 000007f94efe1532 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\ESET\ESET Smart Security\egui.exe[3204] C:\Windows\SYSTEM32\msimg32.dll!GradientFill + 698 000007f94efe153a 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\ESET\ESET Smart Security\egui.exe[3204] C:\Windows\SYSTEM32\msimg32.dll!TransparentBlt + 246 000007f94efe165a 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4688] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f94efe1532 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4688] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f94efe153a 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4688] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f94efe165a 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4688] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 742 000007f94c331b32 4 bytes [33, 4C, F9, 07] .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4688] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 750 000007f94c331b3a 4 bytes [33, 4C, F9, 07] .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4688] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f957d2177a 4 bytes [D2, 57, F9, 07] .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[4688] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f957d21782 4 bytes [D2, 57, F9, 07] .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[5044] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 742 000007f94c331b32 4 bytes [33, 4C, F9, 07] .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[5044] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 750 000007f94c331b3a 4 bytes [33, 4C, F9, 07] .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[5044] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f94efe1532 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[5044] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f94efe153a 4 bytes [FE, 4E, F9, 07] .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[5044] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f94efe165a 4 bytes [FE, 4E, F9, 07] .text C:\Users\G580\Downloads\FRST64.exe[6284] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 742 000007f94c331b32 4 bytes [33, 4C, F9, 07] .text C:\Users\G580\Downloads\FRST64.exe[6284] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 750 000007f94c331b3a 4 bytes [33, 4C, F9, 07] .text C:\Users\G580\Downloads\FRST64.exe[6284] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f957d2177a 4 bytes [D2, 57, F9, 07] .text C:\Users\G580\Downloads\FRST64.exe[6284] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f957d21782 4 bytes [D2, 57, F9, 07] ---- Threads - GMER 2.2 ---- Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2364] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2368] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2372] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2376] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2380] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2384] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2388] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2392] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2396] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2400] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2404] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2408] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2412] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2416] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2420] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2424] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2428] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2432] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2444] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2448] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2452] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2788] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2804] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2808] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2816] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2820] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2892] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2896] 0000000077d84f27 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:4636] 0000000077d84f27 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:1476] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:8712] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:6460] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:6004] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:4160] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:9480] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:10148] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:7472] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:3496] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:3152] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:8616] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:10132] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:1300] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:5972] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:2736] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:9488] 00000000734429e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1564:8100] 00000000734429e1 Thread C:\Windows\system32\csrss.exe [3616:2960] fffff960008fc5e8 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -668747826 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\2cd05ad8576d Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\c0143dcadeb2 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\c0143dcadeb2@00023c442b18 0xCB 0xCA 0x0D 0x6E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\c0143dcadeb2@001ddfce1467 0xCA 0xF9 0x10 0xEB ... ---- Files - GMER 2.2 ---- File C:\Users\G580\AppData\Local\Mozilla\Firefox\Profiles\ynwv0y5k.default\cache2\entries\31389E734666AB8DF964D37D5965ED5E33B148BC 4601 bytes ---- EOF - GMER 2.2 ----