GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-04-29 13:00:00
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 ST31000528AS rev.CC38 931,51GB
Running: 0e2vwthp.exe; Driver: C:\Users\Ewa\AppData\Local\Temp\pwtdipoc.sys


---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528  fffff800031a2000 16 bytes [8B, E3, 41, 5F, 41, 5E, 41, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 545  fffff800031a2011 35 bytes {LEA ECX, [RSP+0x70]; CALL 0x3d64f}

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1872]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076a31465 2 bytes [A3, 76]
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1872]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000076a314bb 2 bytes [A3, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1916]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69  0000000076a31465 2 bytes [A3, 76]
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1916]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  0000000076a314bb 2 bytes [A3, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2420]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69  0000000076a31465 2 bytes [A3, 76]
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2420]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  0000000076a314bb 2 bytes [A3, 76]
.text  ...  * 2
?      C:\Windows\system32\mssprxy.dll [2608] entry point in ".rdata" section 00000000737271e6
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3532]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076a31465 2 bytes [A3, 76]
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3532]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000076a314bb 2 bytes [A3, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3724]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076a31465 2 bytes [A3, 76]
.text  C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin[3724]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000076a314bb 2 bytes [A3, 76]
.text  ...  * 2
.text  C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe[4260]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076a31465 2 bytes [A3, 76]
.text  C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe[4260]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000076a314bb 2 bytes [A3, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4528]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076a31465 2 bytes [A3, 76]
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4528]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000076a314bb 2 bytes [A3, 76]
.text  ...  * 2

---- Threads - GMER 2.1 ----

Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:2012]  00000000774a3e85
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:2028]  00000000774a2e65
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:1420]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:1416]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:1552]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:1684]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:1700]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:1148]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:1724]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:1844]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:1880]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:1548]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:1444]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:1452]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:1440]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:1436]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:1428]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:1360]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:1332]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:2780]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:2784]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:2788]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:3052]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:3024]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:3076]  00000000774a3e85
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:3292]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:3540]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:3588]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:3592]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:3596]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:3932]  00000000742a29e1
Thread  C:\Windows\System32\svchost.exe [3248:1228]  000007fefb029688

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Teredo\PreviousState\74-ea-3a-b8-ed-f0@TeredoAddress  2001:0:5ef5:79fd:3d:c6d0:e049:372
Reg  HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch  373181

---- EOF - GMER 2.1 ----
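Triage note, added here as an example and not part of the GMER output or of any GMER tooling: the ".text" entries above are easier to judge when grouped rather than read one process at a time. The script below parses the user-code and thread sections of a GMER log and groups patches by target function, address and bytes, so a patch that appears byte-for-byte at the same address in every listed WOW64 process (one system-wide hook on a shared DLL) is separated from a patch unique to a single process, and threads that share one start address are counted together. It also sums the "* N" counters GMER prints for entries it collapsed. The embedded sample is a constructed subset of lines copied from the log above; the line formats assumed by the regular expressions are taken from that log, not from a GMER specification.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the GMER log above, not the whole log.
SAMPLE_LOG = r"""
---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1872]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076a31465 2 bytes [A3, 76]
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1872]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000076a314bb 2 bytes [A3, 76]
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2420]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69  0000000076a31465 2 bytes [A3, 76]
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2420]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  0000000076a314bb 2 bytes [A3, 76]
.text  ...  * 2

---- Threads - GMER 2.1 ----

Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:2012]  00000000774a3e85
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:1420]  00000000742a29e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1956:1416]  00000000742a29e1
Thread  C:\Windows\System32\svchost.exe [3248:1228]  000007fefb029688
"""

# Line shapes as they appear in the log above (assumed, not taken from a GMER spec):
#   ".text  <process>[pid]  <module>!<func> + <off>  <addr> <n> bytes <patch>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+)!(?P<func>\w+) \+ (?P<offset>\d+)\s+"
    r"(?P<addr>[0-9a-fA-F]{16}) (?P<size>\d+) bytes (?P<patch>\[[^\]]*\]|\{[^}]*\})$"
)
#   ".text  ...  * N"  (GMER collapsed N further entries like the previous ones)
ELIDED_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s*(?P<n>\d+)$")
#   "Thread  <process> [pid:tid]  <start address>"
THREAD_RE = re.compile(
    r"^Thread\s+(?P<proc>.+?) \[(?P<pid>\d+):(?P<tid>\d+)\]\s+(?P<addr>[0-9a-fA-F]{16})$"
)


def parse_hooks(log_text):
    """Return one dict per '.text' patch line, with numeric fields converted."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["pid"], d["offset"], d["size"] = int(d["pid"]), int(d["offset"]), int(d["size"])
        d["module"] = d["module"].lower()  # PSAPI.DLL and psapi.dll are the same file
        hooks.append(d)
    return hooks


def count_elided(log_text):
    """Sum the '* N' counters GMER prints for entries it did not list in full."""
    total = 0
    for line in log_text.splitlines():
        m = ELIDED_RE.match(line.strip())
        if m:
            total += int(m.group("n"))
    return total


def group_hooks(hooks):
    """Group identical patches (target, address, bytes) -> set of PIDs they appear in."""
    groups = defaultdict(set)
    for h in hooks:
        target = f"{h['module']}!{h['func']}+{h['offset']}"
        groups[(target, h["addr"], h["patch"])].add(h["pid"])
    return dict(groups)


def shared_hooks(groups, min_procs=2):
    """Patches present byte-for-byte at the same address in at least min_procs processes."""
    return {k: pids for k, pids in groups.items() if len(pids) >= min_procs}


def parse_threads(log_text):
    """Return (process, pid, tid, start_address) for each 'Thread' line."""
    threads = []
    for line in log_text.splitlines():
        m = THREAD_RE.match(line.strip())
        if m:
            threads.append((m.group("proc"), int(m.group("pid")), int(m.group("tid")), m.group("addr")))
    return threads


def threads_by_start(threads):
    """Map thread start address -> [(pid, tid), ...] so shared start addresses stand out."""
    by_addr = defaultdict(list)
    for _proc, pid, tid, addr in threads:
        by_addr[addr].append((pid, tid))
    return dict(by_addr)


def triage(log_text):
    """Summarise a log: how many patches are system-wide and how many are unique to one process."""
    groups = group_hooks(parse_hooks(log_text))
    shared = shared_hooks(groups)
    return {"patches": len(groups), "shared": len(shared), "unique": len(groups) - len(shared),
            "elided": count_elided(log_text), "threads": threads_by_start(parse_threads(log_text))}


if __name__ == "__main__":
    for (target, addr, patch), pids in group_hooks(parse_hooks(SAMPLE_LOG)).items():
        print(f"{target} @ {addr} {patch}: pids {sorted(pids)}")
    summary = triage(SAMPLE_LOG)
    print(f"{summary['shared']} patch(es) shared across processes, {summary['unique']} unique, "
          f"{summary['elided']} entries collapsed by GMER")
```

Grouping is the point of the script: a patch that a single process carries and no other does is the one worth pulling the bytes for, whereas the same two-byte change at the same psapi.dll address in every 32-bit process is one hook installed once in a shared mapping, and the question becomes which installed product owns it, not which process was targeted. Run it against a full log by replacing SAMPLE_LOG with the file contents; the regular expressions ignore every line they do not recognise, so the kernel and registry sections pass through untouched.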