GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-07-29 09:26:43
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003f ST500LT012-9WS142 rev.0001SDM1 465,76GB
Running: 7uf2u991.exe; Driver: C:\Users\zbi1\AppData\Local\Temp\fxloypow.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000251400 7 bytes [00, BA, 7E, 01, 00, 50, F2]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000251408 5 bytes [01, 40, BF, FF, 00]

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\FBAgent.exe[1280] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f8e264177a 4 bytes [64, E2, F8, 07]
.text C:\Windows\system32\FBAgent.exe[1280] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f8e2641782 4 bytes [64, E2, F8, 07]
.text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\WSOCK32.dll!recvfrom + 742 000007f8d8761b32 4 bytes [76, D8, F8, 07]
.text C:\Windows\system32\svchost.exe[976] C:\Windows\system32\WSOCK32.dll!recvfrom + 750 000007f8d8761b3a 4 bytes [76, D8, F8, 07]
.text C:\Program Files\Classic Shell\ClassicStartMenu.exe[2304] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f8de8b1532 4 bytes [8B, DE, F8, 07]
.text C:\Program Files\Classic Shell\ClassicStartMenu.exe[2304] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f8de8b153a 4 bytes [8B, DE, F8, 07]
.text C:\Program Files\Classic Shell\ClassicStartMenu.exe[2304] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f8de8b165a 4 bytes [8B, DE, F8, 07]
.text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[3572] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f8de8b1532 4 bytes [8B, DE, F8, 07]
.text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[3572] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f8de8b153a 4 bytes [8B, DE, F8, 07]
.text C:\Program Files (x86)\Bluetooth Suite\BtTray.exe[3572] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f8de8b165a 4 bytes [8B, DE, F8, 07]
.text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3660] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f8de8b1532 4 bytes [8B, DE, F8, 07]
.text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3660] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f8de8b153a 4 bytes [8B, DE, F8, 07]
.text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3660] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f8de8b165a 4 bytes [8B, DE, F8, 07]
.text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3660] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 742 000007f8d8761b32 4 bytes [76, D8, F8, 07]
.text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[3660] C:\Windows\SYSTEM32\WSOCK32.dll!recvfrom + 750 000007f8d8761b3a 4 bytes [76, D8, F8, 07]
.text C:\Windows\system32\igfxpers.exe[3288] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f8e264177a 4 bytes [64, E2, F8, 07]
.text C:\Windows\system32\igfxpers.exe[3288] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f8e2641782 4 bytes [64, E2, F8, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3764] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f8de8b1532 4 bytes [8B, DE, F8, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3764] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f8de8b153a 4 bytes [8B, DE, F8, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3764] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f8de8b165a 4 bytes [8B, DE, F8, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3236] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f8de8b1532 4 bytes [8B, DE, F8, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3236] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f8de8b153a 4 bytes [8B, DE, F8, 07]
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3236] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f8de8b165a 4 bytes [8B, DE, F8, 07]
.text C:\Program Files\FAR3\Far.exe[3128] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f8e264177a 4 bytes [64, E2, F8, 07]
.text C:\Program Files\FAR3\Far.exe[3128] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f8e2641782 4 bytes [64, E2, F8, 07]

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\csrss.exe [1964:1224] fffff9600094d5e8

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----