GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-10-12 12:24:57
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS545032B9A300 rev.PB3OC64G 298,09GB
Running: gmer.exe; Driver: C:\Users\michal\AppData\Local\Temp\uwlorfow.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528  fffff800037ba000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575  fffff800037ba02f 23 bytes [00, 00, 10, 00, 00, 00, 00, ...]
PAGE      C:\Windows\system32\drivers\ataport.SYS!DllUnload  fffff88000eab4a0 12 bytes {MOV RAX, 0xfffffa80024992a0; JMP RAX}
.text     C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload  fffff88004276d8c 12 bytes {MOV RAX, 0xfffffa800395d2a0; JMP RAX}

---- User code sections - GMER 2.1 ----

.text     C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000759a1465 2 bytes [9A, 75]
.text     C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[1856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000759a14bb 2 bytes [9A, 75]
.text     ...

---- Kernel IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack]  [fffff880010fc650] \SystemRoot\System32\Drivers\spga.sys [unknown section]
IAT  C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice]  [fffff880010fc5dc] \SystemRoot\System32\Drivers\spga.sys [unknown section]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]  [fffff880010c735c] \SystemRoot\System32\Drivers\spga.sys [unknown section]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]  [fffff880010c7224] \SystemRoot\System32\Drivers\spga.sys [unknown section]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]  [fffff880010c7a24] \SystemRoot\System32\Drivers\spga.sys [unknown section]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]  [fffff880010c7ba0] \SystemRoot\System32\Drivers\spga.sys [unknown section]

---- Devices - GMER 2.1 ----

Device  \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0  fffffa80031a32c0
Device  \Driver\atapi \Device\Ide\IdePort0  fffffa80031a32c0
Device  \Driver\atapi \Device\Ide\IdePort1  fffffa80031a32c0
Device  \Driver\atapi \Device\Ide\IdePort2  fffffa80031a32c0
Device  \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2  fffffa80031a32c0
Device  \FileSystem\Ntfs \Ntfs  fffffa80031a92c0
Device  \Driver\usbehci \Device\USBPDO-5  fffffa80039872c0
Device  \Driver\usbohci \Device\USBFDO-3  fffffa80038ee2c0
Device  \Driver\usbohci \Device\USBPDO-1  fffffa80038ee2c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{816991A1-AA18-415E-BFF3-863CD6A304C8}  fffffa80037052c0
Device  \Driver\cdrom \Device\CdRom0  fffffa80037082c0
Device  \Driver\usbohci \Device\USBFDO-4  fffffa80038ee2c0
Device  \Driver\usbohci \Device\USBFDO-0  fffffa80038ee2c0
Device  \Driver\usbehci \Device\USBPDO-2  fffffa80039872c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{BD72C360-F2D3-4549-B644-B6C5D04289C3}  fffffa80037052c0
Device  \Driver\usbehci \Device\USBFDO-5  fffffa80039872c0
Device  \Driver\usbohci \Device\USBPDO-3  fffffa80038ee2c0
Device  \Driver\usbohci \Device\USBFDO-1  fffffa80038ee2c0
Device  \Driver\volmgr \Device\HarddiskVolume1  fffffa800319f2c0
Device  \Driver\volmgr \Device\FtControl  fffffa800319f2c0
Device  \Driver\volmgr \Device\VolMgrControl  fffffa800319f2c0
Device  \Driver\volmgr \Device\VolMgrControl  fffffa800319f2c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{A1833001-ED2D-458B-8EAC-B06D32AE7ADA}  fffffa80037052c0
Device  \Driver\volmgr \Device\HarddiskVolume3  fffffa800319f2c0
Device  \Driver\NetBT \Device\NetBt_Wins_Export  fffffa80037052c0
Device  \Driver\usbohci \Device\USBPDO-4  fffffa80038ee2c0
Device  \Driver\usbehci \Device\USBFDO-2  fffffa80039872c0
Device  \Driver\atapi \Device\ScsiPort0  fffffa80031a32c0
Device  \Driver\usbohci \Device\USBPDO-0  fffffa80038ee2c0
Device  \Driver\atapi \Device\ScsiPort1  fffffa80031a32c0
Device  \Driver\atapi \Device\ScsiPort2  fffffa80031a32c0

---- Trace I/O - GMER 2.1 ----

Trace  ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80031a32c0]<< spga.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys  fffffa80031a32c0
Trace  1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80034a0530]  fffffa80034a0530
Trace  3 CLASSPNP.SYS[fffff88001bba43f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8003424060]  fffffa8003424060
Trace  \Driver\atapi[0xfffffa800323c550] -> IRP_MJ_CREATE -> 0xfffffa80031a32c0  fffffa80031a32c0

---- Threads - GMER 2.1 ----

Thread  C:\Windows\System32\svchost.exe [1168:1540]  000007fef8a959a0
Thread  C:\Windows\System32\svchost.exe [1168:1772]  000007fefb691a70
Thread  C:\Windows\System32\svchost.exe [1168:3552]  000007fef6c744e0
Thread  C:\Windows\System32\svchost.exe [1168:4656]  000007fef2213efc
Thread  C:\Windows\System32\svchost.exe [1168:4724]  000007fef25a8a4c
Thread  C:\Windows\System32\svchost.exe [1168:1308]  000007fef6f788f8
Thread  C:\Windows\System32\svchost.exe [1168:5092]  000007fef6c8d710
Thread  C:\Windows\System32\spoolsv.exe [1664:2268]  000007fef5a610c8
Thread  C:\Windows\System32\spoolsv.exe [1664:2296]  000007fef5a26144
Thread  C:\Windows\System32\spoolsv.exe [1664:2304]  000007fef5815fd0
Thread  C:\Windows\System32\spoolsv.exe [1664:2308]  000007fef5803438
Thread  C:\Windows\System32\spoolsv.exe [1664:2312]  000007fef58163ec
Thread  C:\Windows\System32\spoolsv.exe [1664:2324]  000007fef5af5e5c
Thread  C:\Windows\System32\spoolsv.exe [1664:2328]  000007fef5ba5074
Thread  C:\Windows\system32\taskhost.exe [2056:2224]  000007fef6003d18
Thread  C:\Windows\system32\taskhost.exe [2056:4736]  000007fef5cb5170
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [1064:5072]  000007fefa1c2bf8

---- Processes - GMER 2.1 ----

Process  C:\Users\michal\AppData\Local\Temp\Rar$EXa0.857\gmer.exe (*** suspicious ***) @ C:\Users\michal\AppData\Local\Temp\Rar$EXa0.857\gmer.exe [5712](2014-10-12 08:43:08)  0000000000400000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9FEF04E2-4A81-4BC0-AFF8-504A280BC9C9}\Connection@Name  Po??czenie lokalne* 28
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind  \Device\{9FEF04E2-4A81-4BC0-AFF8-504A280BC9C9}?\Device\{21CFC137-92D8-4D34-B0F9-2D67AF6E60B3}?\Device\{B36B561E-FB92-4CEE-9DF7-A5018209FDF9}?
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route  "{9FEF04E2-4A81-4BC0-AFF8-504A280BC9C9}"?"{21CFC137-92D8-4D34-B0F9-2D67AF6E60B3}"?"{B36B561E-FB92-4CEE-9DF7-A5018209FDF9}"?
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export  \Device\TCPIP6TUNNEL_{9FEF04E2-4A81-4BC0-AFF8-504A280BC9C9}?\Device\TCPIP6TUNNEL_{21CFC137-92D8-4D34-B0F9-2D67AF6E60B3}?\Device\TCPIP6TUNNEL_{B36B561E-FB92-4CEE-9DF7-A5018209FDF9}?
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167c6c34d
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167c6c34d@0cddef500dcc  0x03 0x8A 0x98 0xD4 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{9FEF04E2-4A81-4BC0-AFF8-504A280BC9C9}@InterfaceName  isatap.{816991A1-AA18-415E-BFF3-863CD6A304C8}
Reg  HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{9FEF04E2-4A81-4BC0-AFF8-504A280BC9C9}@ReusableType  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1  771343423
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2  285507792
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0  1
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xC7 0x6B 0xCA 0x50 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12  0x26 0x47 0x59 0x85 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12  0x12 0x23 0xD8 0xB5 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167c6c34d (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167c6c34d@0cddef500dcc  0x03 0x8A 0x98 0xD4 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xC7 0x6B 0xCA 0x50 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12  0x26 0x47 0x59 0x85 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12  0x12 0x23 0xD8 0xB5 ...

---- Files - GMER 2.1 ----

File  C:\ProgramData\Microsoft\RAC\Temp\sql839C.tmp  20480 bytes
File  C:\ProgramData\Microsoft\RAC\Temp\sql8478.tmp  20480 bytes

---- EOF - GMER 2.1 ----