GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-05 20:09:56 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000036 WDC_WD1002FAEX-00Y9A0 rev.05.01D05 931,51GB Running: cji0r6ej.exe; Driver: C:\Users\Micha\AppData\Local\Temp\uwloypow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\dwm.exe[980] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fc32aa177a 4 bytes [AA, 32, FC, 07] .text C:\Windows\system32\dwm.exe[980] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fc32aa1782 4 bytes [AA, 32, FC, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1036] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fc2e5c1532 4 bytes [5C, 2E, FC, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1036] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fc2e5c153a 4 bytes [5C, 2E, FC, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1036] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fc2e5c165a 4 bytes [5C, 2E, FC, 07] .text C:\Windows\system32\nvvsvc.exe[1044] C:\Windows\system32\MSIMG32.dll!GradientFill + 690 000007fc2e5c1532 4 bytes [5C, 2E, FC, 07] .text C:\Windows\system32\nvvsvc.exe[1044] C:\Windows\system32\MSIMG32.dll!GradientFill + 698 000007fc2e5c153a 4 bytes [5C, 2E, FC, 07] .text C:\Windows\system32\nvvsvc.exe[1044] C:\Windows\system32\MSIMG32.dll!TransparentBlt + 246 000007fc2e5c165a 4 bytes [5C, 2E, FC, 07] .text C:\Windows\system32\nvvsvc.exe[1044] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fc32aa177a 4 bytes [AA, 32, FC, 07] .text C:\Windows\system32\nvvsvc.exe[1044] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fc32aa1782 4 bytes [AA, 32, FC, 07] .text C:\Windows\Explorer.EXE[1896] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fc32aa177a 4 bytes [AA, 32, FC, 07] .text C:\Windows\Explorer.EXE[1896] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fc32aa1782 4 bytes [AA, 32, FC, 07] .text C:\Windows\Explorer.EXE[1896] C:\Windows\system32\WS2_32.dll!getsockname 000007fc321c2f40 6 bytes {JMP QWORD [RIP-0x7fee2ede]} .text C:\Windows\Explorer.EXE[1896] C:\Windows\system32\WS2_32.dll!connect + 1 000007fc321c4941 5 bytes {JMP QWORD [RIP-0x7fef490e]} .text C:\Windows\Explorer.EXE[1896] C:\Windows\system32\WS2_32.dll!getpeername 000007fc321d60c0 6 bytes {JMP QWORD [RIP-0x7fef602e]} .text C:\Windows\Explorer.EXE[1896] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fc321d76e0 6 bytes {JMP QWORD [RIP-0x7fef76ae]} .text C:\Windows\System32\svchost.exe[1724] c:\windows\system32\WSOCK32.dll!recvfrom + 742 000007fc28e61b32 4 bytes [E6, 28, FC, 07] .text C:\Windows\System32\svchost.exe[1724] c:\windows\system32\WSOCK32.dll!recvfrom + 750 000007fc28e61b3a 4 bytes [E6, 28, FC, 07] .text C:\Windows\System32\svchost.exe[2256] c:\windows\system32\WSOCK32.dll!recvfrom + 742 000007fc28e61b32 4 bytes [E6, 28, FC, 07] .text C:\Windows\System32\svchost.exe[2256] c:\windows\system32\WSOCK32.dll!recvfrom + 750 000007fc28e61b3a 4 bytes [E6, 28, FC, 07] .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2916] C:\Windows\system32\WS2_32.dll!getsockname 000007fc321c2f40 6 bytes {JMP QWORD [RIP-0x7fee2ede]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2916] C:\Windows\system32\WS2_32.dll!connect + 1 000007fc321c4941 5 bytes {JMP QWORD [RIP-0x7fef490e]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2916] C:\Windows\system32\WS2_32.dll!getpeername 000007fc321d60c0 6 bytes {JMP QWORD [RIP-0x7fef602e]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2916] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fc321d76e0 6 bytes {JMP QWORD [RIP-0x7fef76ae]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2916] C:\Windows\SYSTEM32\msimg32.dll!GradientFill + 690 000007fc2e5c1532 4 bytes [5C, 2E, FC, 07] .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2916] C:\Windows\SYSTEM32\msimg32.dll!GradientFill + 698 000007fc2e5c153a 4 bytes [5C, 2E, FC, 07] .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2916] C:\Windows\SYSTEM32\msimg32.dll!TransparentBlt + 246 000007fc2e5c165a 4 bytes [5C, 2E, FC, 07] .text C:\Windows\splwow64.exe[2216] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fc2e5c1532 4 bytes [5C, 2E, FC, 07] .text C:\Windows\splwow64.exe[2216] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fc2e5c153a 4 bytes [5C, 2E, FC, 07] .text C:\Windows\splwow64.exe[2216] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fc2e5c165a 4 bytes [5C, 2E, FC, 07] .text C:\Windows\splwow64.exe[2216] C:\Windows\system32\WS2_32.dll!getsockname 000007fc321c2f40 6 bytes {JMP QWORD [RIP-0x7fee2ede]} .text C:\Windows\splwow64.exe[2216] C:\Windows\system32\WS2_32.dll!connect + 1 000007fc321c4941 5 bytes {JMP QWORD [RIP-0x7fef490e]} .text C:\Windows\splwow64.exe[2216] C:\Windows\system32\WS2_32.dll!getpeername 000007fc321d60c0 6 bytes {JMP QWORD [RIP-0x7fef602e]} .text C:\Windows\splwow64.exe[2216] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fc321d76e0 6 bytes {JMP QWORD [RIP-0x7fef76ae]} ---- Threads - GMER 2.1 ---- Thread System [4:840] fffffa800b2934d0 Thread C:\Windows\system32\csrss.exe [548:572] fffff9600083a5e8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -1311081588 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0B 0xD5 0xC1 0x2B ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xE6 0x5B 0x65 0x5B ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x58 0x9A 0xE1 0x64 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... ---- EOF - GMER 2.1 ----