GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-06-15 15:10:37 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003a ST750LM022_HN-M750MBB rev.2AR10001 698,64GB Running: l8g8sxz3.exe; Driver: C:\Users\N56\AppData\Local\Temp\pglorpoc.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\ntoskrnl.exe!KiCpuId + 988 fffff801afe603dc 1 byte [31] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960001a3e00 7 bytes [00, 77, 82, 01, 00, 57, F2] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960001a3e08 7 bytes [01, 42, C0, FF, 00, 17, DB] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\dwm.exe[1196] C:\Windows\system32\KERNEL32.DLL!K32GetModuleFileNameExW 000007f8160a57e8 7 bytes JMP 000007f914d90260 .text C:\Windows\system32\dwm.exe[1196] C:\Windows\system32\KERNEL32.DLL!K32GetModuleInformation 000007f8160a5908 7 bytes JMP 000007f914d902d0 .text C:\Windows\system32\dwm.exe[1196] C:\Windows\system32\KERNEL32.DLL!K32GetMappedFileNameW 000007f8160d49a4 7 bytes JMP 000007f914d90298 .text C:\Windows\system32\dwm.exe[1196] C:\Windows\system32\KERNEL32.DLL!K32EnumProcessModulesEx 000007f8160d4a38 8 bytes JMP 000007f914d90228 .text C:\Windows\system32\dwm.exe[1196] C:\Windows\system32\KERNEL32.DLL!RegSetValueExA 000007f8160d5074 8 bytes JMP 000007f914d90308 .text C:\Windows\system32\dwm.exe[1196] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007f814da1f70 7 bytes JMP 000007f914d900d8 .text C:\Windows\system32\dwm.exe[1196] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007f814da1ff0 5 bytes JMP 000007f914d90180 .text C:\Windows\system32\dwm.exe[1196] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007f814da5880 5 bytes JMP 000007f914d90110 .text C:\Windows\system32\dwm.exe[1196] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007f814da8650 6 bytes JMP 000007f914d90148 .text C:\Windows\system32\dwm.exe[1196] C:\Windows\system32\USER32.dll!CreateWindowExW 000007f8163bc5b0 7 bytes JMP 000007f914d90378 .text C:\Windows\system32\dwm.exe[1196] C:\Windows\system32\USER32.dll!EnumDisplayDevicesA 000007f8163c7160 5 bytes JMP 000007f914d90340 .text C:\Windows\system32\dwm.exe[1196] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007f8156e1070 8 bytes JMP 000007f914d901f0 .text C:\Windows\system32\dwm.exe[1196] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007f815700c10 8 bytes JMP 000007f914d901b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1344] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f811a21532 4 bytes [A2, 11, F8, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1344] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f811a2153a 4 bytes [A2, 11, F8, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1344] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f811a2165a 4 bytes [A2, 11, F8, 07] .text C:\Windows\system32\nvvsvc.exe[1352] C:\Windows\system32\MSIMG32.dll!GradientFill + 690 000007f811a21532 4 bytes [A2, 11, F8, 07] .text C:\Windows\system32\nvvsvc.exe[1352] C:\Windows\system32\MSIMG32.dll!GradientFill + 698 000007f811a2153a 4 bytes [A2, 11, F8, 07] .text C:\Windows\system32\nvvsvc.exe[1352] C:\Windows\system32\MSIMG32.dll!TransparentBlt + 246 000007f811a2165a 4 bytes [A2, 11, F8, 07] .text C:\Windows\system32\nvvsvc.exe[1352] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f815b1177a 4 bytes [B1, 15, F8, 07] .text C:\Windows\system32\nvvsvc.exe[1352] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f815b11782 4 bytes [B1, 15, F8, 07] .text C:\Windows\system32\WLANExt.exe[1684] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f815b1177a 4 bytes [B1, 15, F8, 07] .text C:\Windows\system32\WLANExt.exe[1684] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f815b11782 4 bytes [B1, 15, F8, 07] .text C:\Windows\system32\WLANExt.exe[1684] C:\Windows\system32\MSIMG32.dll!GradientFill + 690 000007f811a21532 4 bytes [A2, 11, F8, 07] .text C:\Windows\system32\WLANExt.exe[1684] C:\Windows\system32\MSIMG32.dll!GradientFill + 698 000007f811a2153a 4 bytes [A2, 11, F8, 07] .text C:\Windows\system32\WLANExt.exe[1684] C:\Windows\system32\MSIMG32.dll!TransparentBlt + 246 000007f811a2165a 4 bytes [A2, 11, F8, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2164] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f811a21532 4 bytes [A2, 11, F8, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2164] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f811a2153a 4 bytes [A2, 11, F8, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2164] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f811a2165a 4 bytes [A2, 11, F8, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2164] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f815b1177a 4 bytes [B1, 15, F8, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2164] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f815b11782 4 bytes [B1, 15, F8, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2164] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 742 000007f809cd1b32 4 bytes [CD, 09, F8, 07] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2164] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 750 000007f809cd1b3a 4 bytes [CD, 09, F8, 07] .text C:\Windows\System32\svchost.exe[2324] c:\windows\system32\WSOCK32.dll!recvfrom + 742 000007f809cd1b32 4 bytes [CD, 09, F8, 07] .text C:\Windows\System32\svchost.exe[2324] c:\windows\system32\WSOCK32.dll!recvfrom + 750 000007f809cd1b3a 4 bytes [CD, 09, F8, 07] .text C:\Windows\System32\svchost.exe[2752] c:\windows\system32\WSOCK32.dll!recvfrom + 742 000007f809cd1b32 4 bytes [CD, 09, F8, 07] .text C:\Windows\System32\svchost.exe[2752] c:\windows\system32\WSOCK32.dll!recvfrom + 750 000007f809cd1b3a 4 bytes [CD, 09, F8, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2772] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f815b1177a 4 bytes [B1, 15, F8, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2772] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f815b11782 4 bytes [B1, 15, F8, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2772] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f811a21532 4 bytes [A2, 11, F8, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2772] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f811a2153a 4 bytes [A2, 11, F8, 07] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2772] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f811a2165a 4 bytes [A2, 11, F8, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2844] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f811a21532 4 bytes [A2, 11, F8, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2844] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f811a2153a 4 bytes [A2, 11, F8, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2844] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f811a2165a 4 bytes [A2, 11, F8, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2844] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f815b1177a 4 bytes [B1, 15, F8, 07] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2844] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f815b11782 4 bytes [B1, 15, F8, 07] .text C:\Windows\system32\wbem\wmiprvse.exe[3228] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f815b1177a 4 bytes [B1, 15, F8, 07] .text C:\Windows\system32\wbem\wmiprvse.exe[3228] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f815b11782 4 bytes [B1, 15, F8, 07] .text C:\Windows\system32\wbem\wmiprvse.exe[3228] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f811a21532 4 bytes [A2, 11, F8, 07] .text C:\Windows\system32\wbem\wmiprvse.exe[3228] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f811a2153a 4 bytes [A2, 11, F8, 07] .text C:\Windows\system32\wbem\wmiprvse.exe[3228] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f811a2165a 4 bytes [A2, 11, F8, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3800] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f811a21532 4 bytes [A2, 11, F8, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3800] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f811a2153a 4 bytes [A2, 11, F8, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3800] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f811a2165a 4 bytes [A2, 11, F8, 07] .text C:\Windows\System32\igfxpers.exe[5088] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f815b1177a 4 bytes [B1, 15, F8, 07] .text C:\Windows\System32\igfxpers.exe[5088] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f815b11782 4 bytes [B1, 15, F8, 07] .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe[5064] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f815b1177a 4 bytes [B1, 15, F8, 07] .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe[5064] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f815b11782 4 bytes [B1, 15, F8, 07] .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x64\QuickGesture64.exe[4504] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f811a21532 4 bytes [A2, 11, F8, 07] .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x64\QuickGesture64.exe[4504] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f811a2153a 4 bytes [A2, 11, F8, 07] .text C:\Program Files (x86)\ASUS\ASUS Smart Gesture\QuickGesture\x64\QuickGesture64.exe[4504] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f811a2165a 4 bytes [A2, 11, F8, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4872] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f811a21532 4 bytes [A2, 11, F8, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4872] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f811a2153a 4 bytes [A2, 11, F8, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4872] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f811a2165a 4 bytes [A2, 11, F8, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4716] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f811a21532 4 bytes [A2, 11, F8, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4716] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f811a2153a 4 bytes [A2, 11, F8, 07] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[4716] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f811a2165a 4 bytes [A2, 11, F8, 07] .text C:\Windows\System32\rundll32.exe[5264] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f811a21532 4 bytes [A2, 11, F8, 07] .text C:\Windows\System32\rundll32.exe[5264] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f811a2153a 4 bytes [A2, 11, F8, 07] .text C:\Windows\System32\rundll32.exe[5264] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f811a2165a 4 bytes [A2, 11, F8, 07] .text C:\Users\N56\Downloads\FRST64.exe[3068] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 742 000007f809cd1b32 4 bytes [CD, 09, F8, 07] .text C:\Users\N56\Downloads\FRST64.exe[3068] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 750 000007f809cd1b3a 4 bytes [CD, 09, F8, 07] .text C:\Users\N56\Downloads\FRST64.exe[3068] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f815b1177a 4 bytes [B1, 15, F8, 07] .text C:\Users\N56\Downloads\FRST64.exe[3068] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f815b11782 4 bytes [B1, 15, F8, 07] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\csrss.exe [964:980] fffff9600097b5e8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -459309463 ---- EOF - GMER 2.1 ----