GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-10-19 12:53:17
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000039 Samsung_SSD_840_PRO_Series rev.DXM05B0Q 119,24GB
Running: gmer.exe; Driver: C:\Users\AG\AppData\Local\Temp\uwrorpod.sys


---- User code sections - GMER 2.1 ----

.text  C:\Windows\System32\dwm.exe[2088] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffcdac7169a 4 bytes [C7, DA, FC, 7F]
.text  C:\Windows\System32\dwm.exe[2088] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffcdac716a2 4 bytes [C7, DA, FC, 7F]
.text  C:\Windows\System32\dwm.exe[2088] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffcdac7181a 4 bytes [C7, DA, FC, 7F]
.text  C:\Windows\System32\dwm.exe[2088] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffcdac71832 4 bytes [C7, DA, FC, 7F]
.text  C:\Windows\system32\nvvsvc.exe[3328] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffcdac7169a 4 bytes [C7, DA, FC, 7F]
.text  C:\Windows\system32\nvvsvc.exe[3328] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffcdac716a2 4 bytes [C7, DA, FC, 7F]
.text  C:\Windows\system32\nvvsvc.exe[3328] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffcdac7181a 4 bytes [C7, DA, FC, 7F]
.text  C:\Windows\system32\nvvsvc.exe[3328] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffcdac71832 4 bytes [C7, DA, FC, 7F]
.text  C:\Windows\system32\nvwmi64.exe[6608] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffcdac7169a 4 bytes [C7, DA, FC, 7F]
.text  C:\Windows\system32\nvwmi64.exe[6608] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffcdac716a2 4 bytes [C7, DA, FC, 7F]
.text  C:\Windows\system32\nvwmi64.exe[6608] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffcdac7181a 4 bytes [C7, DA, FC, 7F]
.text  C:\Windows\system32\nvwmi64.exe[6608] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffcdac71832 4 bytes [C7, DA, FC, 7F]
.text  C:\Windows\Explorer.EXE[1832] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffcdac7169a 4 bytes [C7, DA, FC, 7F]
.text  C:\Windows\Explorer.EXE[1832] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffcdac716a2 4 bytes [C7, DA, FC, 7F]
.text  C:\Windows\Explorer.EXE[1832] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffcdac7181a 4 bytes [C7, DA, FC, 7F]
.text  C:\Windows\Explorer.EXE[1832] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffcdac71832 4 bytes [C7, DA, FC, 7F]

---- Devices - GMER 2.1 ----

Device  \Driver\axscsidrv \Device\Scsi\axscsidrv1  ffffe001dbabc2c0
Device  \Driver\USBSTOR \Device\0000006a  ffffe001db2022c0
Device  \Driver\vhdmp \Device\00000058  ffffe001dbcc22c0
Device  \Driver\storahci \Device\RaidPort0  ffffe001db2002c0
Device  \Driver\vhdmp \Device\RaidPort1  ffffe001dbcc22c0
Device  \Driver\cdrom \Device\CdRom0  ffffe001db3e52c0
Device  \Driver\cdrom \Device\CdRom1  ffffe001db3e52c0
Device  \Driver\storahci \Device\00000039  ffffe001db2002c0
Device  \Driver\USBSTOR \Device\00000069  ffffe001db2022c0
Device  \Driver\USBSTOR \Device\00000072  ffffe001db2022c0
Device  \Driver\storahci \Device\ScsiPort0  ffffe001db2002c0
Device  \Driver\USBSTOR \Device\00000073  ffffe001db2022c0
Device  \Driver\axscsidrv \Device\ScsiPort1  ffffe001dbabc2c0
Device  \Driver\vhdmp \Device\ScsiPort2  ffffe001dbcc22c0
Device  \Driver\storahci \Device\0000003a  ffffe001db2002c0

---- Trace I/O - GMER 2.1 ----

Trace  ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xffffe001db2002c0]<< sptd.sys storport.sys hal.dll storahci.sys  ffffe001db2002c0
Trace  1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe001db453060]  ffffe001db453060
Trace  3 CLASSPNP.SYS[fffff801967ab27b] -> nt!IofCallDriver -> [0xffffe001db1bbc10]  ffffe001db1bbc10
Trace  5 ACPI.sys[fffff80195e1a7aa] -> nt!IofCallDriver -> [0xffffe001db1bbe50]  ffffe001db1bbe50
Trace  7 ACPI.sys[fffff80195e1a7aa] -> nt!IofCallDriver -> \Device\00000039[0xffffe001db1bb060]  ffffe001db1bb060
Trace  \Driver\storahci[0xffffe001db1c1320] -> IRP_MJ_CREATE -> 0xffffe001db2002c0  ffffe001db2002c0

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [4092:7072]  fffff9600098fb90

---- Processes - GMER 2.1 ----

Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2596]  000000006cca0000
Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\riched20.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2596]  0000000067570000
Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2596]  0000000067450000
Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\csi.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2596]  0000000066e10000
Library  C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\ACEOLEDB.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2596]  0000000066dc0000
Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\ACECORE.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2596]  0000000066b40000
Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\1045\ACEWSTR.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2596]  0000000066a60000
Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\ACEES.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2596]  00000000669c0000
Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\VBAJET32.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2596]  0000000070280000
Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\expsrv.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2596]  0000000066960000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot@OfficeODC  ????????????????????????C:\Windows\System32\Bits.bak????? ???????????????????????????????????????????????????????????K?C?K??%ProgramData%\Microsoft\RAC\*?%ProgramData%\Microsoft\RAC\StateData\*?%ProgramData%\Microsoft\RAC\Outbound\*?%ProgramData%\Microsoft\RAC\Temp\*??dData\*?%ProgramData%\Microsoft\RAC\Temp\*???????????????????????????L????????A????%windir%\softwaredistribution\*.* /s????? j?????????????????$UserProfile$\AppData\Local\Microsoft\Outlook\*.ost???????????????????e?????$AllVolumes$\System Volume Information\FVE2.{9ef82dfa-1239-4a30-83e6-3b3e9b8fed08}??????? ??????????????????$AllVolumes$\System Volume Information\FVE2.{9ef82dfa-1239-4a30-83e6-3b3e9b8fed08}.*???????????????E????$AllVolumes$\System Volume Information\FVE.{9ef82dfa-1239-4a30-83e6-3b3e9b8fed08}???????? j?????????????????$UserProfile$\AppData\Local\Microsoft\Outlook\*.oab???????????????????C?????? ????????????????????????????????????????r?????? ????????S????K??????????L?????????????s??????????????????????????????????? ??????????? ??
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  -1234797699
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0  C:\Program Files (x86)\Alcohol Soft\Alcohol 120\
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0xD3 0x89 0x6F 0x70 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0  0xA0 0x02 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew  0xCA 0xA7 0x85 0x46 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced@HideFileExt  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced@ShowSuperHidden  0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@PolicyDocumentLastRefresh  0x8E 0x93 0xD9 0x24 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsBandwidthBucketCounter  124
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsBandwidthBucketDrainTime  0xA3 0x25 0xC3 0x05 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter  0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime  0x7D 0x21 0xD7 0x08 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime  0x7D 0x21 0xD7 0x08 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherBandwidthBucketCounter  77330
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherBandwidthBucketDrainTime  0x36 0x60 0x9E 0x0E ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherRequestBucketCounter  0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime  0x7D 0x21 0xD7 0x08 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter  78052
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalBandwidthBucketDrainTime  0x36 0x60 0x9E 0x0E ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter  0
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime  0x7D 0x21 0xD7 0x08 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime  0x23 0x50 0x14 0x26 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations  12
Reg  HKCU\Software\Microsoft\Windows\DWM@ColorizationColor  -1479393393
Reg  HKCU\Software\Microsoft\Windows\DWM@ColorizationColorBalance  73
Reg  HKCU\Software\Microsoft\Windows\DWM@ColorizationAfterglow  -1479393393
Reg  HKCU\Software\Microsoft\Windows\DWM@ColorizationBlurBalance  17

---- EOF - GMER 2.1 ----