GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-07-23 01:48:28
Windows 6.2.9200 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5003AZEX-00K1GA0 rev.80.00A80 465,76GB
Running: ieogyyw9.exe; Driver: C:\Users\FIKUMI~1\AppData\Local\Temp\pxloypow.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\system32\ntoskrnl.exe!KiCpuId + 988  fffff8037546241c 1 byte [31]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable  fffff96000101d00 7 bytes [40, 6C, 82, 01, 00, 55, F2]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8  fffff96000101d08 7 bytes [01, B1, C1, FF, 00, A1, DC]

---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\dwm.exe[920] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007fa4327177a 4 bytes [27, 43, FA, 07]
.text  C:\Windows\system32\dwm.exe[920] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007fa43271782 4 bytes [27, 43, FA, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[620] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690  000007fa3d471532 4 bytes [47, 3D, FA, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[620] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698  000007fa3d47153a 4 bytes [47, 3D, FA, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[620] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246  000007fa3d47165a 4 bytes [47, 3D, FA, 07]
.text  C:\Windows\system32\nvvsvc.exe[372] C:\Windows\system32\MSIMG32.dll!GradientFill + 690  000007fa3d471532 4 bytes [47, 3D, FA, 07]
.text  C:\Windows\system32\nvvsvc.exe[372] C:\Windows\system32\MSIMG32.dll!GradientFill + 698  000007fa3d47153a 4 bytes [47, 3D, FA, 07]
.text  C:\Windows\system32\nvvsvc.exe[372] C:\Windows\system32\MSIMG32.dll!TransparentBlt + 246  000007fa3d47165a 4 bytes [47, 3D, FA, 07]
.text  C:\Windows\system32\nvvsvc.exe[372] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007fa4327177a 4 bytes [27, 43, FA, 07]
.text  C:\Windows\system32\nvvsvc.exe[372] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007fa43271782 4 bytes [27, 43, FA, 07]
.text  C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryLicenseValue  000007fa447f3f11 6 bytes JMP 000007fb3a4d3ff0
.text  C:\Windows\Explorer.EXE[1752] C:\Windows\system32\KERNELBASE.dll!GetModuleFileNameW  000007fa41a92110 5 bytes JMP 000007fb3a4d4830
.text  C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\slc.dll!SLIsWindowsGenuineLocal  000007fa3d49d724 7 bytes JMP 000007fb3a4d4160
.text  C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\sppc.dll!SLIsGenuineLocalEx  000007fa3879cbf4 5 bytes JMP 000007fa3a4d4180
.text  C:\Windows\Explorer.EXE[1752] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007fa4327177a 4 bytes [27, 43, FA, 07]
.text  C:\Windows\Explorer.EXE[1752] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007fa43271782 4 bytes [27, 43, FA, 07]
.text  C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 742  000007fa33d91b32 4 bytes [D9, 33, FA, 07]
.text  C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 750  000007fa33d91b3a 4 bytes [D9, 33, FA, 07]
.text  D:\Fortinet\FortiClient\FCHelper64.exe[1600] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007fa4327177a 4 bytes [27, 43, FA, 07]
.text  D:\Fortinet\FortiClient\FCHelper64.exe[1600] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007fa43271782 4 bytes [27, 43, FA, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3352] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690  000007fa3d471532 4 bytes [47, 3D, FA, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3352] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698  000007fa3d47153a 4 bytes [47, 3D, FA, 07]
.text  C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3352] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246  000007fa3d47165a 4 bytes [47, 3D, FA, 07]
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[5544] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 742  000007fa33d91b32 4 bytes [D9, 33, FA, 07]
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[5544] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 750  000007fa33d91b3a 4 bytes [D9, 33, FA, 07]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [536:560]  fffff9600084f5e8

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  -231652683
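Triage of the ".text" entries above, as an added example that is not part of the GMER log or of GMER itself. Two kinds of entry are mixed together in the user-mode section. The 4-byte differences (PSAPI.DLL, MSIMG32.dll, WSOCK32.dll, always in pairs 8 bytes apart) carry bytes equal to bits 16..47 of the flagged address: that is what a 64-bit absolute pointer into the module itself looks like after ASLR rebased the image by a multiple of 64 KiB, so only those four bytes of the in-memory pointer differ from the on-disk copy. The Explorer.EXE entries are different: 5 to 7 byte inline JMPs on NtQueryLicenseValue, GetModuleFileNameW, SLIsWindowsGenuineLocal and SLIsGenuineLocalEx, redirected to a common address range outside the hooked modules, and those are the lines to chase. The parser below separates the two and leaves anything else (the 1- and 7-byte kernel differences) for manual review. The line format and the regular expression are my reading of GMER 2.1 output; the relocation heuristic is my own, and SAMPLE is a subset of lines copied from the scan above.

```python
"""Triage GMER '.text' code-section entries: separate inline JMP hooks
from the 4-byte differences that 64-bit base relocation leaves behind."""
import re
from collections import defaultdict

# Subset of entries copied from the scan above (kernel, relocation pairs, JMP hooks).
SAMPLE = r"""
.text  C:\Windows\system32\ntoskrnl.exe!KiCpuId + 988  fffff8037546241c 1 byte [31]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable  fffff96000101d00 7 bytes [40, 6C, 82, 01, 00, 55, F2]
.text  C:\Windows\system32\dwm.exe[920] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007fa4327177a 4 bytes [27, 43, FA, 07]
.text  C:\Windows\system32\dwm.exe[920] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007fa43271782 4 bytes [27, 43, FA, 07]
.text  C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryLicenseValue  000007fa447f3f11 6 bytes JMP 000007fb3a4d3ff0
.text  C:\Windows\Explorer.EXE[1752] C:\Windows\SYSTEM32\slc.dll!SLIsWindowsGenuineLocal  000007fa3d49d724 7 bytes JMP 000007fb3a4d4160
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[5544] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 742  000007fa33d91b32 4 bytes [D9, 33, FA, 07]
"""

# One GMER 2.1 '.text' line (my reading of the format; paths may contain spaces,
# the '[pid]' part is absent for kernel entries).
ENTRY = re.compile(
    r"^\.text\s+"
    r"(?:(?P<proc>[^!]+?)\[(?P<pid>\d+)\]\s+)?"    # user mode: process path and PID
    r"(?P<module>[^!]+?)!(?P<symbol>\S+)"           # module path and exported symbol
    r"(?:\s+\+\s+(?P<off>\d+))?"                    # optional decimal offset into symbol
    r"\s+(?P<addr>[0-9a-fA-F]{16})"                 # virtual address of the difference
    r"\s+(?P<n>\d+)\s+bytes?\s+"
    r"(?P<payload>JMP\s+[0-9a-fA-F]{16}|\[[0-9A-Fa-f, ]+\])\s*$"
)


def classify(addr, payload):
    """Return (kind, detail) for one entry's in-memory bytes."""
    if payload.startswith("JMP"):
        return "inline_jmp", int(payload.split()[1], 16)   # detail: hook target
    data = bytes(int(b, 16) for b in payload.strip("[]").split(","))
    if len(data) == 4:
        dword = int.from_bytes(data, "little")
        # Relocation signature (my heuristic): an 8-byte pointer at addr-2 into
        # the module itself, rebased by a multiple of 64 KiB, differs from the
        # on-disk image only in bits 16..47, which equal the same bits of addr.
        if dword == (addr >> 16) & 0xFFFFFFFF:
            return "relocation_artifact", addr - 2      # detail: pointer slot
    return "patched_bytes", None                         # anything else: review by hand


def parse(text):
    """Parse all '.text' lines in a GMER log fragment into dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        addr = int(m["addr"], 16)
        kind, detail = classify(addr, m["payload"])
        entries.append({
            "process": f"{m['proc']}[{m['pid']}]" if m["pid"] else "kernel",
            "module": m["module"].rsplit("\\", 1)[-1],
            "symbol": m["symbol"] + (f"+{m['off']}" if m["off"] else ""),
            "addr": addr,
            "size": int(m["n"]),
            "kind": kind,
            "detail": detail,
        })
    return entries


def summarize(entries):
    """Map each kind to the sorted list of processes it was seen in."""
    by_kind = defaultdict(set)
    for e in entries:
        by_kind[e["kind"]].add(e["process"])
    return {k: sorted(v) for k, v in by_kind.items()}


if __name__ == "__main__":
    for e in parse(SAMPLE):
        target = f" -> {e['detail']:016x}" if e["kind"] == "inline_jmp" else ""
        print(f"{e['kind']:20} {e['process']:48} {e['module']}!{e['symbol']}"
              f" @ {e['addr']:016x}{target}")
```

Run it over a whole GMER log and read the inline_jmp group first; the relocation_artifact group is noise unless the dword check fails, and the patched_bytes group (here the ntoskrnl and win32k entries) needs a look at the bytes themselves.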