GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-11-10 10:22:48
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Intel___ rev.1.0. 931,51GB
Running: pikvu7zr.exe; Driver: d:\Temp\axldafow.sys


---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable      fffff960000e5200 7 bytes [C0, 73, F3, FF, 41, 83, F0]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8  fffff960000e5208 3 bytes [C0, 06, 02]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1740] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000075f78781 4 bytes [C2, 04, 00, 00]
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1740] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17       0000000076981401 2 bytes JMP 75f9b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1740] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17         0000000076981419 2 bytes JMP 75f9b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1740] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17       0000000076981431 2 bytes JMP 76018fd1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1740] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42       000000007698144a 2 bytes CALL 75f7489d C:\Windows\syswow64\kernel32.dll
.text  ...                                                                                                                        * 9
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1740] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17          00000000769814dd 2 bytes JMP 760188c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1740] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17   00000000769814f5 2 bytes JMP 76018aa0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1740] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17          000000007698150d 2 bytes JMP 760187ba C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1740] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17   0000000076981525 2 bytes JMP 76018b8a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1740] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17         000000007698153d 2 bytes JMP 75f8fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1740] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17              0000000076981555 2 bytes JMP 75f968ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1740] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17       000000007698156d 2 bytes JMP 76019089 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1740] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17         0000000076981585 2 bytes JMP 76018bea C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1740] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17            000000007698159d 2 bytes JMP 7601877e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1740] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17         00000000769815b5 2 bytes JMP 75f8fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1740] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17       00000000769815cd 2 bytes JMP 75f9b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1740] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20   00000000769816b2 2 bytes JMP 76018f4c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1740] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31   00000000769816bd 2 bytes JMP 76018713 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2124] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17      0000000076981401 2 bytes JMP 75f9b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2124] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17        0000000076981419 2 bytes JMP 75f9b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2124] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17      0000000076981431 2 bytes JMP 76018fd1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2124] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42      000000007698144a 2 bytes CALL 75f7489d C:\Windows\syswow64\kernel32.dll
.text  ...                                                                                                                        * 9
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2124] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17         00000000769814dd 2 bytes JMP 760188c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2124] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17  00000000769814f5 2 bytes JMP 76018aa0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2124] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17         000000007698150d 2 bytes JMP 760187ba C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2124] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17  0000000076981525 2 bytes JMP 76018b8a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2124] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17        000000007698153d 2 bytes JMP 75f8fca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2124] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17             0000000076981555 2 bytes JMP 75f968ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2124] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17      000000007698156d 2 bytes JMP 76019089 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2124] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17        0000000076981585 2 bytes JMP 76018bea C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2124] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17           000000007698159d 2 bytes JMP 7601877e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2124] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17        00000000769815b5 2 bytes JMP 75f8fd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2124] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17      00000000769815cd 2 bytes JMP 75f9b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2124] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20  00000000769816b2 2 bytes JMP 76018f4c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2124] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31  00000000769816bd 2 bytes JMP 76018713 C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:1104]  0000000077cc27c1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:1212]  0000000077cac557
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:1728]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:184]   00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:1928]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:1352]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:1332]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:1308]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:1380]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:1348]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2052]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2056]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2060]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2064]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2068]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2072]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2076]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2092]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2096]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2112]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2284]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2288]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2292]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2660]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2664]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2668]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2672]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2680]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2684]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2760]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2788]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:2796]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:3000]  0000000077cc27c1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:3228]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:3232]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:3240]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:3244]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:3248]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:3308]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:3432]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:3912]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:3916]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [1344:3408]  00000000752029e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2084]          0000000077cc27c1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2296]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2300]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2312]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2316]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2320]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2324]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2328]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2332]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2340]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2344]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2348]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2352]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2356]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2360]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2364]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2368]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2408]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2420]          0000000077cc27c1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2432]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2436]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2440]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2444]          0000000077cac557
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2448]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2452]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2456]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2460]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2520]          0000000042cfa9d0
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2528]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2584]          0000000042cf26bb
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2588]          0000000042cf2820
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2592]          0000000042cf2920
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2596]          0000000042cf7ccf
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2600]          0000000075bbf5e1
Thread  C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [1124:2604]          0000000075bbf5e1

---- EOF - GMER 2.1 ----