GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-23 20:22:54
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 HITACHI_ rev.PC4Z 465,76GB
Running: qyrw2hqq.exe; Driver: C:\Users\Kuba\AppData\Local\Temp\afrcaaoc.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1240] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076cf1401 2 bytes JMP 7702b21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1240] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076cf1419 2 bytes JMP 7702b346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1240] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076cf1431 2 bytes JMP 770a8ea9 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1240] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076cf144a 2 bytes CALL 770048ad C:\windows\syswow64\kernel32.dll
.text ...
* 9
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1240] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076cf14dd 2 bytes JMP 770a87a2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1240] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076cf14f5 2 bytes JMP 770a8978 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1240] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076cf150d 2 bytes JMP 770a8698 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1240] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076cf1525 2 bytes JMP 770a8a62 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1240] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076cf153d 2 bytes JMP 7701fca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1240] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076cf1555 2 bytes JMP 770268ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1240] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076cf156d 2 bytes JMP 770a8f61 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1240] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076cf1585 2 bytes JMP 770a8ac2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1240] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076cf159d 2 bytes JMP 770a865c C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1240] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076cf15b5 2 bytes JMP 7701fd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1240] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076cf15cd 2 bytes JMP 7702b2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1240] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076cf16b2 2 bytes JMP 770a8e24 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[1240] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076cf16bd 2 bytes JMP 770a85f1 C:\windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:1796] 0000000077b63e85
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:1820] 0000000077b62e65
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2164] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2168] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2172] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2176] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2180] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2184] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2188] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2192] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2196] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2200] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2204] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2208] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2212] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2756] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2640] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2644] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2548] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2544] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2528] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2824] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2768] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2876] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2280] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2260] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:1764] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2472] 0000000077b63e85
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2460] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2692] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2832] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:1780] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:1252] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2328] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2700] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2344] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2456] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:2448] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:3348] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:3340] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:3756] 0000000071e429e1
Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1748:4540] 0000000071e429e1
Thread C:\windows\System32\svchost.exe [2244:2688] 000007fef8119688

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\18f46af4d8fb
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\18f46af4d8fb (not active ControlSet)

---- EOF - GMER 2.1 ----