GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-03-26 12:54:22 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000036 rev. 0,00MB Running: 8hftgnq7.exe; Driver: C:\Users\Piotr\AppData\Local\Temp\uwliqpoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe[1948] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffc9f83169a 4 bytes [83, 9F, FC, 7F] .text C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe[1948] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffc9f8316a2 4 bytes [83, 9F, FC, 7F] .text C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe[1948] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffc9f83181a 4 bytes [83, 9F, FC, 7F] .text C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe[1948] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffc9f831832 4 bytes [83, 9F, FC, 7F] .text C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2516] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffc9f83169a 4 bytes [83, 9F, FC, 7F] .text C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2516] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffc9f8316a2 4 bytes [83, 9F, FC, 7F] .text C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2516] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffc9f83181a 4 bytes [83, 9F, FC, 7F] .text C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2516] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffc9f831832 4 bytes [83, 9F, FC, 7F] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2368] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 506 00007ffc9f83169a 4 bytes [83, 9F, FC, 7F] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2368] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 514 00007ffc9f8316a2 4 bytes [83, 9F, FC, 7F] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2368] C:\Windows\system32\psapi.dll!QueryWorkingSet + 118 00007ffc9f83181a 4 bytes [83, 9F, FC, 7F] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2368] C:\Windows\system32\psapi.dll!QueryWorkingSet + 142 00007ffc9f831832 4 bytes [83, 9F, FC, 7F] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4892] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffc9f83169a 4 bytes [83, 9F, FC, 7F] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4892] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffc9f8316a2 4 bytes [83, 9F, FC, 7F] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4892] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffc9f83181a 4 bytes [83, 9F, FC, 7F] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4892] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffc9f831832 4 bytes [83, 9F, FC, 7F] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4932] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffc9f83169a 4 bytes [83, 9F, FC, 7F] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4932] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffc9f8316a2 4 bytes [83, 9F, FC, 7F] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4932] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffc9f83181a 4 bytes [83, 9F, FC, 7F] .text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[4932] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffc9f831832 4 bytes [83, 9F, FC, 7F] .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffc9f8d0e30 5 bytes JMP 00007ffd1fa00460 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffc9f8d0e80 5 bytes JMP 00007ffd1fa00450 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffc9f8d0fe0 1 byte JMP 00007ffd1fa00370 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffc9f8d0fe2 3 bytes {JMP 0xffffffff8012f390} .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffc9f8d1030 5 bytes JMP 00007ffd1fa00470 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffc9f8d1040 5 bytes JMP 00007ffd1fa003e0 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffc9f8d10f0 5 bytes JMP 00007ffd1fa00320 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffc9f8d1120 1 byte JMP 00007ffd1fa003b0 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffc9f8d1122 3 bytes {JMP 0xffffffff8012f290} .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffc9f8d1140 5 bytes JMP 00007ffd1fa00390 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffc9f8d1180 5 bytes JMP 00007ffd1fa002e0 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffc9f8d1200 5 bytes JMP 00007ffd1fa002d0 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffc9f8d1220 5 bytes JMP 00007ffd1fa00310 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffc9f8d1260 5 bytes JMP 00007ffd1fa003c0 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffc9f8d12b0 5 bytes JMP 00007ffd1fa003f0 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffc9f8d1410 5 bytes JMP 00007ffd1fa00230 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffc9f8d1600 5 bytes JMP 00007ffd1fa00480 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffc9f8d1630 5 bytes JMP 00007ffd1fa003a0 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffc9f8d1750 5 bytes JMP 00007ffd1fa002f0 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffc9f8d1770 5 bytes JMP 00007ffd1fa00350 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffc9f8d17e0 5 bytes JMP 00007ffd1fa00290 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffc9f8d1870 5 bytes JMP 00007ffd1fa002b0 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffc9f8d1890 5 bytes JMP 00007ffd1fa003d0 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffc9f8d18a0 1 byte JMP 00007ffd1fa00330 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffc9f8d18a2 3 bytes {JMP 0xffffffff8012ea90} .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffc9f8d1950 5 bytes JMP 00007ffd1fa00410 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffc9f8d1980 5 bytes JMP 00007ffd1fa00240 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffc9f8d1ca0 5 bytes JMP 00007ffd1fa001e0 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffc9f8d1d60 5 bytes JMP 00007ffd1fa00250 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffc9f8d1d90 5 bytes JMP 00007ffd1fa00490 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffc9f8d1da0 5 bytes JMP 00007ffd1fa004a0 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffc9f8d1dd0 5 bytes JMP 00007ffd1fa00300 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffc9f8d1de0 5 bytes JMP 00007ffd1fa00360 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffc9f8d1e40 5 bytes JMP 00007ffd1fa002a0 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffc9f8d1e90 5 bytes JMP 00007ffd1fa002c0 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffc9f8d1ec0 5 bytes JMP 00007ffd1fa00380 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffc9f8d1ed0 5 bytes JMP 00007ffd1fa00340 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffc9f8d21e0 5 bytes JMP 00007ffd1fa00440 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffc9f8d23e0 5 bytes JMP 00007ffd1fa00260 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffc9f8d23f0 5 bytes JMP 00007ffd1fa00270 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffc9f8d2410 5 bytes JMP 00007ffd1fa00400 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffc9f8d25f0 5 bytes JMP 00007ffd1fa001f0 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffc9f8d2600 5 bytes JMP 00007ffd1fa00210 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffc9f8d2690 5 bytes JMP 00007ffd1fa00200 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffc9f8d2700 5 bytes JMP 00007ffd1fa00420 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffc9f8d2710 5 bytes JMP 00007ffd1fa00430 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffc9f8d2720 5 bytes JMP 00007ffd1fa00220 .text C:\Windows\system32\AUDIODG.EXE[4916] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffc9f8d2830 5 bytes JMP 00007ffd1fa00280 ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\csrss.exe [604:612] fffff960008bfb90 Thread [1296:1604] 0000000077854b70 Thread [1296:1608] 0000000074e1f28e Thread [1296:1616] 0000000077854b70 Thread [1296:1620] 00000000752e78a0 Thread [1296:1780] 0000000073bac120 Thread [1296:2120] 0000000073f7b330 Thread [1296:2124] 0000000073f7a5a0 Thread [1296:2332] 0000000074e1f28e Thread [1296:2448] 0000000077854b70 Thread [1296:2460] 00000000761c6241 Thread [1296:2624] 0000000073f659d0 Thread [1296:2628] 0000000073f659d0 Thread [1296:2632] 0000000073f659d0 Thread [1296:2636] 0000000073f659d0 Thread [1296:2640] 0000000073f659d0 Thread [1296:2644] 0000000073f659d0 Thread [1296:2648] 0000000073f659d0 Thread [1296:2652] 0000000073f659d0 Thread [1296:2656] 0000000073f659d0 Thread [1296:2660] 0000000073f66a20 Thread [1296:2664] 0000000073f66a20 Thread [1296:2668] 0000000073f65f80 Thread [1296:2672] 0000000073fc4ed0 Thread [1296:2676] 0000000073fc3cc0 Thread [1296:2680] 0000000073fc4140 Thread [1296:2684] 0000000073f68eb0 Thread [1296:2688] 0000000073f68eb0 Thread [1296:2692] 0000000073f68eb0 Thread [1296:2696] 0000000073f68eb0 Thread [1296:2700] 0000000073f68eb0 Thread [1296:2704] 0000000073f68eb0 Thread [1296:2708] 0000000073f68eb0 Thread [1296:2712] 0000000073f68eb0 Thread [1296:2716] 0000000073f68eb0 Thread [1296:2720] 0000000073f68ba0 Thread [1296:2724] 0000000073131080 Thread [1296:2740] 00000000730f14b0 Thread [1296:2744] 00000000730f54c0 Thread [1296:2748] 00000000730f54c0 Thread [1296:2772] 0000000073f7c340 Thread [1296:2776] 0000000073f68290 Thread [1296:2788] 0000000074e1f28e Thread [1296:2808] 000000007303bf19 Thread [1296:2812] 0000000073fe4a80 Thread [1296:2840] 0000000073f07840 Thread [1296:2844] 00000000731316d0 Thread [1296:2884] 0000000072cbb270 Thread [1296:2904] 0000000074e1f28e Thread [1296:2916] 00000000740ef5a0 Thread [1296:2920] 00000000740f2560 Thread [1296:2924] 0000000074e1f28e Thread [1296:2976] 0000000074e1f28e Thread [1296:2980] 0000000074e1f28e Thread [1296:2984] 0000000074e1f28e Thread [1296:2988] 0000000074e1f28e Thread [1296:2992] 0000000074e1f28e Thread [1296:2996] 0000000074e1f28e Thread [1296:3000] 0000000074e1f28e Thread [1296:3004] 0000000074e1f28e Thread [1296:3008] 0000000074e1f28e Thread [1296:3012] 0000000074e1f28e Thread [1296:3016] 0000000074e1f28e Thread [1296:3036] 0000000072bc83a0 Thread [1296:3040] 0000000072bc83a0 Thread [1296:3044] 0000000072bc83a0 Thread [1296:3048] 0000000072bc83a0 Thread [1296:3052] 0000000072bc83a0 Thread [1296:3056] 0000000072bc83a0 Thread [1296:3060] 0000000072bc83a0 Thread [1296:3064] 0000000072bc83a0 Thread [1296:3068] 0000000072bc83a0 Thread [1296:1976] 0000000072bc83a0 Thread [1296:416] 0000000074e1f28e Thread [1296:2320] 00000000740063c0 Thread [1296:2868] 0000000074e1f28e Thread [1296:3128] 0000000074e1f28e Thread [1296:3184] 0000000074e1f28e Thread [1296:3188] 0000000074e1f28e Thread [1296:4796] 0000000074e1f28e Thread [1296:5468] 0000000074e1f28e Thread [1296:5488] 0000000077854b70 Thread [1296:5608] 0000000077854b70 Thread [1296:5632] 0000000072cd0c30 Thread [1296:1872] 0000000072d4a4c5 Thread [1296:4656] 0000000077854b70 Thread [1296:5656] 0000000074e1f28e Thread [1296:3124] 0000000077854b70 Thread [1296:4652] 00000000754462d0 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code Disk \Device\Harddisk0\DR0 sector 0: rootkit-like behavior ---- EOF - GMER 2.1 ----