GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-03-07 22:18:43
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Intel___ rev.1.0. 1400,00GB
Running: rnhklxcw.exe; Driver: C:\Users\ja\AppData\Local\Temp\uglcyaoc.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2080] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000077911401 2 bytes JMP 76f2b23b C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2080] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000077911419 2 bytes JMP 76f2b366 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2080] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000077911431 2 bytes JMP 76fa8971 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2080] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 000000007791144a 2 bytes CALL 76f048e5 C:\Windows\syswow64\KERNEL32.dll
.text ... * 9
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2080] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000779114dd 2 bytes JMP 76fa826a C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2080] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000779114f5 2 bytes JMP 76fa8440 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2080] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 000000007791150d 2 bytes JMP 76fa8160 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2080] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000077911525 2 bytes JMP 76fa852a C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2080] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 000000007791153d 2 bytes JMP 76f1fcd8 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2080] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000077911555 2 bytes JMP 76f2691f C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2080] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 000000007791156d 2 bytes JMP 76fa8a29 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2080] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000077911585 2 bytes JMP 76fa858a C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2080] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 000000007791159d 2 bytes JMP 76fa8124 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2080] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000779115b5 2 bytes JMP 76f1fd71 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2080] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000779115cd 2 bytes JMP 76f2b2fc C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2080] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000779116b2 2 bytes JMP 76fa88ec C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2080] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000779116bd 2 bytes JMP 76fa80b9 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077911401 2 bytes JMP 76f2b23b C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe[2824] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077911419 2 bytes JMP 76f2b366 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077911431 2 bytes JMP 76fa8971 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007791144a 2 bytes CALL 76f048e5 C:\Windows\syswow64\KERNEL32.dll
.text ... * 9
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe[2824] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000779114dd 2 bytes JMP 76fa826a C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000779114f5 2 bytes JMP 76fa8440 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe[2824] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007791150d 2 bytes JMP 76fa8160 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077911525 2 bytes JMP 76fa852a C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007791153d 2 bytes JMP 76f1fcd8 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe[2824] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077911555 2 bytes JMP 76f2691f C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007791156d 2 bytes JMP 76fa8a29 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077911585 2 bytes JMP 76fa858a C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe[2824] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007791159d 2 bytes JMP 76fa8124 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000779115b5 2 bytes JMP 76f1fd71 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000779115cd 2 bytes JMP 76f2b2fc C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000779116b2 2 bytes JMP 76fa88ec C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe[2824] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000779116bd 2 bytes JMP 76fa80b9 C:\Windows\syswow64\KERNEL32.dll

---- Processes - GMER 2.1 ----

Library C:\Users\ja\AppData\Local\Microsoft\Windows Sidebar\Gadgets\Network_Meter_V8.5.gadget\netlib.dll (*** suspicious ***) @ C:\Program Files\Windows Sidebar\sidebar.exe [1496] (NIC Information .NET Wrapper/Jonathan Abbott)(2013-08-04 19:58:36) 0000000068510000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations [value garbled in extraction; omitted]
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x93 0xC8 0xAE 0xC0 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x74 0x5A 0x3E 0x8F ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDC 0xFF 0x1F 0x41 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x93 0xC8 0xAE 0xC0 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x74 0x5A 0x3E 0x8F ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDC 0xFF 0x1F 0x41 ...

---- Files - GMER 2.1 ----

File C:\ProgramData\Microsoft\RAC\Temp\sql36A.tmp 20480 bytes
File C:\ProgramData\Microsoft\RAC\Temp\sql37A.tmp 20480 bytes

---- EOF - GMER 2.1 ----