GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-12-13 09:19:19
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000038 rev. 0,00MB
Running: gmer.exe; Driver: C:\Users\Mariola\AppData\Local\Temp\uwloypod.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2732] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fca942177a 4 bytes [42, A9, FC, 07]
.text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2732] C:\windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fca9421782 4 bytes [42, A9, FC, 07]
.text C:\windows\System32\LogonUI.exe[5016] C:\windows\System32\MSIMG32.dll!GradientFill + 690 000007fca7481532 4 bytes [48, A7, FC, 07]
.text C:\windows\System32\LogonUI.exe[5016] C:\windows\System32\MSIMG32.dll!GradientFill + 698 000007fca748153a 4 bytes [48, A7, FC, 07]
.text C:\windows\System32\LogonUI.exe[5016] C:\windows\System32\MSIMG32.dll!TransparentBlt + 246 000007fca748165a 4 bytes [48, A7, FC, 07]
.text C:\windows\Explorer.EXE[5592] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fca7481532 4 bytes [48, A7, FC, 07]
.text C:\windows\Explorer.EXE[5592] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fca748153a 4 bytes [48, A7, FC, 07]
.text C:\windows\Explorer.EXE[5592] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fca748165a 4 bytes [48, A7, FC, 07]
.text C:\Program Files\Classic Shell\ClassicStartMenu.exe[2600] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fca7481532 4 bytes [48, A7, FC, 07]
.text C:\Program Files\Classic Shell\ClassicStartMenu.exe[2600] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fca748153a 4 bytes [48, A7, FC, 07]
.text C:\Program Files\Classic Shell\ClassicStartMenu.exe[2600] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fca748165a 4 bytes [48, A7, FC, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3888] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fca7481532 4 bytes [48, A7, FC, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3888] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fca748153a 4 bytes [48, A7, FC, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3888] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fca748165a 4 bytes [48, A7, FC, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3964] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fca7481532 4 bytes [48, A7, FC, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3964] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fca748153a 4 bytes [48, A7, FC, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3964] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fca748165a 4 bytes [48, A7, FC, 07]
.text C:\Program Files\CCleaner\CCleaner64.exe[3692] C:\windows\system32\USER32.dll!SetScrollInfo 000007fcab8869e0 5 bytes JMP 000007fd2b8a0018
.text C:\Program Files\CCleaner\CCleaner64.exe[3692] C:\windows\system32\USER32.dll!GetScrollInfo 000007fcab890900 5 bytes JMP 000007fd2b8b0018
.text C:\Program Files\CCleaner\CCleaner64.exe[3692] C:\windows\system32\USER32.dll!ShowScrollBar 000007fcab8a1520 5 bytes JMP 000007fd2b8f0018
.text C:\Program Files\CCleaner\CCleaner64.exe[3692] C:\windows\system32\USER32.dll!SetScrollRange 000007fcab8aa590 5 bytes JMP 000007fd2b8c0018
.text C:\Program Files\CCleaner\CCleaner64.exe[3692] C:\windows\system32\USER32.dll!SetScrollPos 000007fcab8abf50 5 bytes JMP 000007fd2b930018
.text C:\Program Files\CCleaner\CCleaner64.exe[3692] C:\windows\system32\USER32.dll!GetScrollPos 000007fcab8b2e90 5 bytes JMP 000007fd2b8e0018
.text C:\Program Files\CCleaner\CCleaner64.exe[3692] C:\windows\system32\USER32.dll!EnableScrollBar 000007fcab8b33d0 5 bytes JMP 000007fd2b8d0018
.text C:\Program Files\CCleaner\CCleaner64.exe[3692] C:\windows\system32\USER32.dll!GetScrollRange 000007fcab8f5df8 5 bytes JMP 000007fd2b910018
.text C:\Program Files\CCleaner\CCleaner64.exe[3692] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fca7481532 4 bytes [48, A7, FC, 07]
.text C:\Program Files\CCleaner\CCleaner64.exe[3692] C:\windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fca748153a 4 bytes [48, A7, FC, 07]
.text C:\Program Files\CCleaner\CCleaner64.exe[3692] C:\windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fca748165a 4 bytes [48, A7, FC, 07]

---- Threads - GMER 2.1 ----

Thread C:\windows\system32\svchost.exe [1176:3044] 000007fc9e981544
Thread C:\windows\system32\svchost.exe [1176:1436] 000007fc9e9655dc
Thread C:\windows\system32\svchost.exe [1176:4028] 000007fca6231044
Thread C:\windows\system32\svchost.exe [1176:3164] 000007fca6234910
Thread C:\windows\system32\csrss.exe [4392:628] fffff960009215e8

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code
Disk \Device\Harddisk0\DR0 sector 0: rootkit-like behavior

---- EOF - GMER 2.1 ----