GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-07-30 00:38:03
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.D005 465,76GB
Running: kdyz0p7o.exe; Driver: C:\Users\Kamila\AppData\Local\Temp\fwrdapog.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff800035bf000 72 bytes [3C, DC, 0A, 00, 49, 8D, 47, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 633 fffff800035bf049 42 bytes {SHL ECX, 0x4; ADD R13, RCX; MOV [RBP+0x18], RCX; MOV RCX, R13; CALL 0xfffffffffff00e57}

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\mfevtps.exe[2552] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA] [13f3eb9f0] C:\Windows\system32\mfevtps.exe

---- Threads - GMER 2.1 ----

Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2740] 00000000778b3e45
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2812] 00000000778b2e25
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2824] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2828] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2832] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2836] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2840] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2844] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2848] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2852] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2856] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2860] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2996] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:1688] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:1324] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:2084] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:1892] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:1776] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:3020] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:1480] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:3192] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:3196] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:3204] 00000000778b3e45
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:3220] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:3236] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:3416] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:3420] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:5780] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:4108] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:5864] 000000006d6329e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2588:5868] 000000006d6329e1
Thread C:\Program Files (x86)\Internet Explorer\IELowutil.exe [4440:4652] 00000000778b2e25
Thread C:\Program Files (x86)\Internet Explorer\IELowutil.exe [4440:4780] 00000000778b3e45

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c01885b7f130
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c01885b7f130@74a722b70222 0x3C 0x2E 0xF3 0x4E ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c01885b7f130@a4e731edc792 0x89 0xB1 0xAC 0xB9 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c01885b7f130 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c01885b7f130@74a722b70222 0x3C 0x2E 0xF3 0x4E ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c01885b7f130@a4e731edc792 0x89 0xB1 0xAC 0xB9 ...

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- Files - GMER 2.1 ----

File C:\Program Files\Windows Defender\pl-PL\MpAsDesc.dll.mui 41472 bytes executable
File C:\Program Files\Windows Defender\pl-PL\MpEvMsg.dll.mui 17920 bytes executable
File C:\Program Files\Windows Defender\pl-PL\MsMpRes.dll.mui 53248 bytes executable

---- EOF - GMER 2.1 ----