GMER 2.1.19081 - http://www.gmer.net
Rootkit scan 2013-02-23 18:33:20
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD200HJ rev.KF100-06 186,31GB
Running: 1ozqxikj.exe; Driver: C:\Users\EL_KON~1\AppData\Local\Temp\uwloqpob.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\dwm.exe[768] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007feea50177a 4 bytes [50, EA, FE, 07]
.text C:\Windows\system32\dwm.exe[768] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007feea501782 4 bytes [50, EA, FE, 07]
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fee4201532 4 bytes [20, E4, FE, 07]
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fee420153a 4 bytes [20, E4, FE, 07]
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1360] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fee420165a 4 bytes [20, E4, FE, 07]
.text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\system32\MSIMG32.dll!GradientFill + 690 000007fee4201532 4 bytes [20, E4, FE, 07]
.text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\system32\MSIMG32.dll!GradientFill + 698 000007fee420153a 4 bytes [20, E4, FE, 07]
.text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\system32\MSIMG32.dll!TransparentBlt + 246 000007fee420165a 4 bytes [20, E4, FE, 07]
.text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007feea50177a 4 bytes [50, EA, FE, 07]
.text C:\Windows\system32\nvvsvc.exe[1368] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007feea501782 4 bytes [50, EA, FE, 07]
.text C:\Windows\Explorer.EXE[2004] C:\Windows\SYSTEM32\ntdll.dll!NtQueryLicenseValue 000007feed0b3ed1 6 bytes JMP 000007ffe2e53ff0
.text C:\Windows\Explorer.EXE[2004] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameW 000007fee9492120 5 bytes JMP 000007ffe2e54830
.text C:\Windows\Explorer.EXE[2004] C:\Windows\SYSTEM32\slc.dll!SLIsWindowsGenuineLocal 000007fee42dd724 7 bytes JMP 000007ffe2e54160
.text C:\Windows\Explorer.EXE[2004] C:\Windows\SYSTEM32\sppc.dll!SLIsGenuineLocalEx 000007fee281cbf4 5 bytes JMP 000007fee2e54180
.text C:\Program Files\Windows Defender\MsMpEng.exe[1248] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 306 000007feea50177a 4 bytes [50, EA, FE, 07]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1248] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 314 000007feea501782 4 bytes [50, EA, FE, 07]
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2676] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fee4201532 4 bytes [20, E4, FE, 07]
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2676] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fee420153a 4 bytes [20, E4, FE, 07]
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2676] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fee420165a 4 bytes [20, E4, FE, 07]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[4444] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 742 000007fee2901b32 4 bytes [90, E2, FE, 07]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[4444] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 750 000007fee2901b3a 4 bytes [90, E2, FE, 07]

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\csrss.exe [724:756] fffff960009955e8

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -355238065

---- EOF - GMER 2.1 ----