GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-07-02 00:50:02
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Intel___ rev.1.0. 931,51GB
Running: gmer.exe; Driver: R:\TEMPOR~1\uxlyapog.sys


---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\system32\drivers\USBPORT.SYS!DllUnload  fffff880059cad8c 12 bytes {MOV RAX, 0xfffffa800cb8a2a0; JMP RAX}

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3476] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17  0000000076db1401 2 bytes JMP 7599b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3476] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17  0000000076db1419 2 bytes JMP 7599b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3476] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17  0000000076db1431 2 bytes JMP 75a18f29 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3476] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42  0000000076db144a 2 bytes CALL 7597489d C:\Windows\syswow64\kernel32.dll
.text  ...
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3476] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17  0000000076db14dd 2 bytes JMP 75a18822 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3476] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17  0000000076db14f5 2 bytes JMP 75a189f8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3476] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17  0000000076db150d 2 bytes JMP 75a18718 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3476] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17  0000000076db1525 2 bytes JMP 75a18ae2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3476] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17  0000000076db153d 2 bytes JMP 7598fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3476] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17  0000000076db1555 2 bytes JMP 759968ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3476] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17  0000000076db156d 2 bytes JMP 75a18fe3 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3476] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17  0000000076db1585 2 bytes JMP 75a18b42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3476] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17  0000000076db159d 2 bytes JMP 75a186dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3476] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17  0000000076db15b5 2 bytes JMP 7598fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3476] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17  0000000076db15cd 2 bytes JMP 7599b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3476] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20  0000000076db16b2 2 bytes JMP 75a18ea4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3476] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31  0000000076db16bd 2 bytes JMP 75a18671 C:\Windows\syswow64\kernel32.dll

---- Kernel IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]  [fffff88001081f1c] \SystemRoot\System32\Drivers\sptd.sys [unknown section]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]  [fffff88001081cc0] \SystemRoot\System32\Drivers\sptd.sys [unknown section]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]  [fffff8800108269c] \SystemRoot\System32\Drivers\sptd.sys [unknown section]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong]  [fffff88001082a98] \SystemRoot\System32\Drivers\sptd.sys [unknown section]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]  [fffff880010828f4] \SystemRoot\System32\Drivers\sptd.sys [unknown section]

---- Devices - GMER 2.1 ----

Device  \FileSystem\Ntfs \Ntfs  fffffa80077962c0
Device  \Driver\usbehci \Device\USBPDO-1  fffffa800cb902c0
Device  \Driver\mvs91xx \Device\RaidPort0  fffffa80077922c0
Device  \Driver\cdrom \Device\CdRom0  fffffa800c9dd2c0
Device  \Driver\mvs91xx \Device\00000075  fffffa80077922c0
Device  \Driver\usbehci \Device\USBFDO-0  fffffa800cb902c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{E752E66C-B919-4760-9FCA-802FE3580466}  fffffa800ca902c0
Device  \Driver\usbehci \Device\USBFDO-1  fffffa800cb902c0
Device  \Driver\mvs91xx \Device\00000076  fffffa80077922c0
Device  \Driver\NetBT \Device\NetBt_Wins_Export  fffffa800ca902c0
Device  \Driver\usbehci \Device\USBPDO-0  fffffa800cb902c0
Device  \Driver\mvs91xx \Device\ScsiPort1  fffffa80077922c0

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\svchost.exe [1060:1920]  000007feed614f84
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [784:5748]  000007fefbd42bf8
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2520:5236]  00000000755b7587
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2520:5100]  0000000073618aa6
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2520:748]  0000000077c21415
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2520:2368]  0000000077c32855
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2520:400]  0000000077c32855
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2520:3004]  0000000077c32855

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x4B 0x0E 0x54 0xFB ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x4B 0x0E 0x54 0xFB ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files (x86)\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12  0xD4 0xEF 0x78 0x41 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0  0xA0 0x02 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12  0xB1 0xE5 0xA7 0x09 ...

---- EOF - GMER 2.1 ----