GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-07-24 22:22:33 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000028 ST500LT012-1DG142 rev.1003YAM1 465,76GB Running: swv8mf04.exe; Driver: C:\Users\AGNIES~1\AppData\Local\Temp\uxdorpod.sys ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[msvcrt.dll!memcpy] [24748948f98b4800] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[msvcrt.dll!_vscwprintf] [245c89804d894860] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[msvcrt.dll!strchr] [c0850000162ee868] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[msvcrt.dll!memset] [16de9c0330774] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[msvcrt.dll!_initterm] [27f83660f755c3f] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[msvcrt.dll!malloc] [4804478d4808755c] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[msvcrt.dll!free] [1b0958d48804589] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[msvcrt.dll!_amsg_exit] [91e8804d8d480000] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[msvcrt.dll!_XcptFilter] [480c79c085fffffd] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[msvcrt.dll!wcsrchr] [1607e860244c8b] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[msvcrt.dll!_wcsnicmp] [48807d8b48bfeb00] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[msvcrt.dll!_vsnwprintf] [f1660d8d48a0458d] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[msvcrt.dll!_wcsicmp] [483024448948ffff] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[msvcrt.dll!??2@YAPEAX_K@Z] [48c933456824448d] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[msvcrt.dll!wcschr] [48c0334528244489] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[msvcrt.dll!??3@YAXPEAX@Z] [ff2024748948d78b] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[SPP.dll!SxTracerDebuggerBreak] [c4334800002de305] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[SPP.dll!SppFreeGroupPropArray] [4c000005d0858948] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[SPP.dll!SxTracerGetThreadContextRetail] [95058d4c60244c8d] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[SPP.dll!SxTracerShouldTrackFailure] [f1d6158d48fffff1] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!GetCurrentThreadId] [74894c2824748944] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!GetTickCount] [5f4815ff2024] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!RtlCaptureContext] [a5850fc085] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!RtlLookupFunctionEntry] [b1e9de8b41] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!RtlVirtualUnwind] [40244c8d4c0e8b48] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!UnhandledExceptionFilter] [c7d2334824448d4c] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [ff00000002482444] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!GetCurrentProcess] [75c08500005f1315] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!TerminateProcess] [5b94024448b487c] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!CreateFileW] [8b4cd78b48000001] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!GetCurrentThread] [c0854dde8b411840] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!GetCurrentProcessId] [818d48c72b4c2774] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!IsWow64Process] [74c085487ffffef9] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!GetDriveTypeW] [85661004b70f4140] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!GetVolumeInformationW] [83480289663674c0] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!GetDiskFreeSpaceExW] [ebde75c9ff4802c2] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!ExpandEnvironmentStringsW] [48c72b4c068b4c28] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!DeleteFileW] [85487ffffef9818d] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!GetSystemDirectoryW] [1004b70f411674c0] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!DeviceIoControl] [289660c74c08566] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!GetVolumePathNameW] [75c9ff4802c28348] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!GetVolumeNameForVolumeMountPointW] [83480975c98548de] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!QueryDosDeviceW] [668007007abb02ea] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!QueryPerformanceCounter] [7515ff14eb328944] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!Sleep] [cb81d8b70f00005e] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!CloseHandle] [4e0fc08580070000] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!FindClose] [4800005e5915ffd8] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!GetLastError] [74c9854840244c8b] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!FindNextFileW] [8500005e6115ff06] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!FindFirstFileW] [c38b3e89480378db] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [48000001208d8b48] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!LocalFree] [4c00000da1e8cc33] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!SetLastError] [4900000230249c8d] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!MultiByteToWideChar] [4938738b49305b8b] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!GetCommandLineW] [ccc35d5f5e41e38b] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!GetModuleFileNameW] [cccccccccccccccc] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[KERNEL32.dll!DisableThreadLibraryCalls] [4810588948c48b48] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[ADVAPI32.dll!RegOpenKeyExW] [fed024ac8d485641] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[ADVAPI32.dll!RegCreateKeyExW] [230ec8148ffff] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[ADVAPI32.dll!RegCloseKey] [2fc0058b4800] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[ADVAPI32.dll!ConvertStringSecurityDescriptorToSecurityDescriptorW] [120858948c43348] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[ADVAPI32.dll!CreateWellKnownSid] [f18b48fa8b480000] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[ADVAPI32.dll!SetNamedSecurityInfoW] [b9f6334580558d48] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[ADVAPI32.dll!GetSecurityDescriptorDacl] [2474894c00000101] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[ADVAPI32.dll!RegQueryValueExW] [8500005fb115ff40] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[ADVAPI32.dll!RegSetValueExW] [5f9f15ff1974c0] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[ADVAPI32.dll!RegDeleteTreeW] [cb81d8b70f00] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[ADVAPI32.dll!RegDeleteValueW] [e9d84e0fc0858007] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[ADVAPI32.dll!AllocateAndInitializeSid] [8d48d2330000012b] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[ADVAPI32.dll!CheckTokenMembership] [443789446648244c] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[ADVAPI32.dll!FreeSid] [22e6e830428d] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[ADVAPI32.dll!DeregisterEventSource] [40244c8d4c0e8b48] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[ADVAPI32.dll!ReportEventW] [48d2334824448d4c] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[ADVAPI32.dll!RegisterEventSourceW] [4482444c7] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[ADVAPI32.dll!AdjustTokenPrivileges] [6d15ff00000004bb] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[ADVAPI32.dll!LookupPrivilegeValueW] [483975c08500005f] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[ADVAPI32.dll!OpenProcessToken] [30245c8940244c8b] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[ADVAPI32.dll!OpenThreadToken] [518b00000105b941] IAT C:\Windows\system32\wbem\wmiprvse.exe[1216] @ C:\Windows\system32\SRCLIENT.dll[POWRPROF.dll!CallNtPowerInformation] [48fffffa18a88d48] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\csrss.exe [652:672] fffff960008562d0 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----