GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-07-27 16:22:00 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB Running: pytdpgbz.exe; Driver: C:\Users\Beate\AppData\Local\Temp\uwdiipow.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4448] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000072a413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4448] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000072a4146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4448] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000072a416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4448] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000072a419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4448] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000072a419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4448] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072a41a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4064] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000072a413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4064] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000072a4146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4064] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000072a416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4064] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000072a419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4064] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000072a419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4064] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072a41a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2168] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000072a413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2168] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000072a4146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2168] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000072a416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2168] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000072a419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2168] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000072a419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2168] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072a41a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4184] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000072a413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4184] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000072a4146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4184] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000072a416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4184] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000072a419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4184] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000072a419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4184] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072a41a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 00000000777613ef 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 500 0000000077761544 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 00000000777618ce 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 212 0000000077761ba8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000077761d25 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000077761e8f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 89 0000000077761f75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 680 0000000077762238 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 531 0000000077762683 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 00000000777626a0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 00000000777626c2 8 bytes {JMP 0x10} .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 000000007776271f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 184 0000000077762788 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 4 .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000077762b4b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 375 0000000077762b97 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 000000007776306b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 920 00000000777631f8 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 000000007776388e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 00000000777638e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 00000000777639b5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000077763f50 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 161 0000000077764001 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetNameFromLangInfoNode + 277 0000000077764075 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 3 .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 214 00000000777641b6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlpIsQualifiedLanguage + 276 00000000777641f4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 609 0000000077764461 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 284 000000007776464c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberOfSetBitsUlongPtr + 483 0000000077764713 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 231 0000000077764807 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!TpWaitForWait + 518 0000000077764926 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text ... * 2 .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlDeactivateActivationContext + 256 0000000077764a50 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContext + 67 0000000077764aa3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContextEx + 501 0000000077764ca5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateUserThread + 256 0000000077764ea0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringExW + 247 0000000077764fa7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlIpv6AddressToStringW + 483 0000000077765193 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseAlpcCompletion + 438 0000000077765f46 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!EtwEventProviderEnabled + 198 0000000077766016 8 bytes [70, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!atol + 194 000000007776610e 8 bytes [60, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!qsort + 76 00000000777662fc 8 bytes [50, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlLookupElementGenericTableFullAvl + 45 000000007776633d 8 bytes [40, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 4 0000000077766354 8 bytes [30, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlNumberGenericTableElementsAvl + 92 00000000777663ac 8 bytes [20, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!RtlSubtreePredecessor + 790 0000000077766b76 8 bytes [10, 6C, F8, 7E, 00, 00, 00, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000777adc80 8 bytes {JMP QWORD [RIP-0x47949]} .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00000000777ade00 8 bytes {JMP QWORD [RIP-0x47ab2]} .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000777ade30 8 bytes {JMP QWORD [RIP-0x47e20]} .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777adf50 8 bytes {JMP QWORD [RIP-0x47c5a]} .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000777ae000 8 bytes {JMP QWORD [RIP-0x47ef8]} .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000777ae630 8 bytes {JMP QWORD [RIP-0x47102]} .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000777ae880 8 bytes {JMP QWORD [RIP-0x47d10]} .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000777af0e0 8 bytes {JMP QWORD [RIP-0x48d3a]} .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 0000000072a413cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 0000000072a4146b 8 bytes {JMP 0xffffffffffffffb0} .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 0000000072a416d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 0000000072a419db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 0000000072a419fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Beate\Desktop\pytdpgbz.exe[8020] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 0000000072a41a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88004e91ec0] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\a4db306710c4 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\a4db306710c4 (not active ControlSet) ---- EOF - GMER 2.1 ----