GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-29 23:53:59 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002d ST9500325AS rev.0001SDM1 465,76GB Running: uk1vkeuf.exe; Driver: C:\Users\ZOOZKA\AppData\Local\Temp\kgldrpow.sys ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\dwm.exe[1080] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffd27bd28c0 7 bytes JMP 00007ffe277d02d0 .text C:\WINDOWS\system32\dwm.exe[1080] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffd27bd43d8 7 bytes JMP 00007ffe277d0308 .text C:\WINDOWS\system32\dwm.exe[1080] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffd27c81f20 7 bytes JMP 00007ffe277d0378 .text C:\WINDOWS\system32\dwm.exe[1080] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffd27c840b4 7 bytes JMP 00007ffe277d03b0 .text C:\WINDOWS\system32\dwm.exe[1080] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffd27c84510 7 bytes JMP 00007ffe277d0340 .text C:\WINDOWS\system32\dwm.exe[1080] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ffd27c84af0 7 bytes JMP 00007ffe277d0260 .text C:\WINDOWS\system32\dwm.exe[1080] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffd27cacea0 7 bytes JMP 00007ffe277d0228 .text C:\WINDOWS\system32\dwm.exe[1080] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffd27cacf10 7 bytes JMP 00007ffe277d0298 .text C:\WINDOWS\system32\dwm.exe[1080] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffd277e299c 7 bytes JMP 00007ffe277d00d8 .text C:\WINDOWS\system32\dwm.exe[1080] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffd277e54c8 5 bytes JMP 00007ffe277d0180 .text C:\WINDOWS\system32\dwm.exe[1080] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffd277e55b0 5 bytes JMP 00007ffe277d0148 .text C:\WINDOWS\system32\dwm.exe[1080] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffd277e5e58 5 bytes JMP 00007ffe277d0110 .text C:\WINDOWS\system32\dwm.exe[1080] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffd27fb7834 10 bytes JMP 00007ffe277d0490 .text C:\WINDOWS\system32\dwm.exe[1080] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffd27fbb4d0 5 bytes JMP 00007ffe277d0420 .text C:\WINDOWS\system32\dwm.exe[1080] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffd27fbc6d8 5 bytes JMP 00007ffe277d0458 .text C:\WINDOWS\system32\dwm.exe[1080] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffd27fbe39c 9 bytes JMP 00007ffe277d03e8 .text C:\WINDOWS\system32\dwm.exe[1080] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffd27db1500 8 bytes JMP 00007ffe277d01b8 .text C:\WINDOWS\system32\dwm.exe[1080] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffd27db1750 8 bytes JMP 00007ffe277d01f0 .text C:\WINDOWS\system32\dwm.exe[1080] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 00007ffd25ba7a88 5 bytes JMP 00007ffe259f0110 .text C:\WINDOWS\system32\dwm.exe[1080] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory 00007ffd25bb4990 5 bytes JMP 00007ffe259f00d8 .text C:\WINDOWS\system32\nvvsvc.exe[1340] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd29bc169a 4 bytes [BC, 29, FD, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[1340] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd29bc16a2 4 bytes [BC, 29, FD, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[1340] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd29bc181a 4 bytes [BC, 29, FD, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[1340] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd29bc1832 4 bytes [BC, 29, FD, 7F] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2068] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 506 00007ffd29bc169a 4 bytes [BC, 29, FD, 7F] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2068] C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 514 00007ffd29bc16a2 4 bytes [BC, 29, FD, 7F] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2068] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 118 00007ffd29bc181a 4 bytes [BC, 29, FD, 7F] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2068] C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 142 00007ffd29bc1832 4 bytes [BC, 29, FD, 7F] .text E:\programy\avg\avgemca.exe[3208] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\Program Files\Classic Shell\ClassicStartMenu.exe[852] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\WINDOWS\Explorer.EXE[2084] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\WINDOWS\system32\taskhostex.exe[2724] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4444] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[4168] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\WINDOWS\system32\svchost.exe[4304] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4972] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4384] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\WINDOWS\system32\igfxEM.exe[4408] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\WINDOWS\system32\igfxHK.exe[1148] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\WINDOWS\system32\igfxTray.exe[5196] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\WINDOWS\System32\svchost.exe[5396] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[5504] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\Windows\System32\WUDFHost.exe[5208] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\WINDOWS\system32\SearchIndexer.exe[6080] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5232] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe[5676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\WINDOWS\system32\igfxext.exe[4252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[6056] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd29bc169a 4 bytes [BC, 29, FD, 7F] .text C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[6056] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd29bc16a2 4 bytes [BC, 29, FD, 7F] .text C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[6056] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd29bc181a 4 bytes [BC, 29, FD, 7F] .text C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[6056] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd29bc1832 4 bytes [BC, 29, FD, 7F] .text C:\WINDOWS\system32\wbem\unsecapp.exe[7152] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[6820] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\WINDOWS\system32\DllHost.exe[6496] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[6480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[6480] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffd0eae1f6a 4 bytes [AE, 0E, FD, 7F] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[6480] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffd0eae1f82 4 bytes [AE, 0E, FD, 7F] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe[7108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7668] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffd0eae1f6a 4 bytes [AE, 0E, FD, 7F] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[7668] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffd0eae1f82 4 bytes [AE, 0E, FD, 7F] .text C:\WINDOWS\system32\svchost.exe[5432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\WINDOWS\splwow64.exe[3900] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 .text C:\Windows\System32\RuntimeBroker.exe[4228] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd2b401a10 5 bytes JMP 00007ffe1e271000 ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [1000:1016] fffff96000860b90 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:2916] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:2920] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:2924] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:2928] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:2932] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:2936] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:2940] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:2944] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:2948] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:2952] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:3088] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:3092] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:3096] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:3128] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:3132] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:3136] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:3144] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:3148] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:3152] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:3160] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:3164] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:3168] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:3188] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:3192] 0000000076fa55dc Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:3196] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:3244] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:3248] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:3316] 00000000743729e1 Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2800:3472] 00000000743729e1 ---- Processes - GMER 2.1 ---- Library C:\Program Files\WindowsApps\Microsoft.SkypeApp_3.1.0.1007_x86__kzf8qxf38zg5c\Microsoft.PerfTrack.dll (*** suspicious ***) @ C:\WINDOWS\syswow64\wwahost.exe [5488] (Microsoft.PerfTrack.dll/Microsoft Corporation)(2014-09-24 14:55:32) 0000000064860000 Library C:\Program Files\WindowsApps\Microsoft.SkypeApp_3.1.0.1007_x86__kzf8qxf38zg5c\LibWrap.dll (*** suspicious ***) @ C:\WINDOWS\syswow64\wwahost.exe [5488] (Microsoft Skype/Microsoft Corporation)(2014-12-15 09:22:02) 000000005dca0000 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----