GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-04-12 16:33:58
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500423AS rev.0005DEM1 465,76GB
Running: nzvtzk2q.exe; Driver: C:\Users\arn\AppData\Local\Temp\uxriapow.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 544 fffff800031ae000 93 bytes [89, 6C, 24, 70, E9, 4B, FF, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 638 fffff800031ae05e 57 bytes [05, 05, 20, 1B, 00, 49, 8D, ...]

---- Threads - GMER 2.1 ----

Thread C:\Windows\SysWOW64\ntdll.dll [1916:1932] 00000000012dc28f
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:2700] 0000000077c33e85
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:2736] 0000000077c32e65
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:2744] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:2748] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:2752] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:2756] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:2760] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:2764] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:2768] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:2772] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:2776] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:2780] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:2792] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:2796] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:2856] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:3300] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:3304] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:3316] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:3324] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:3328] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:3332] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:3336] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:3340] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:3712] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:3744] 0000000077c33e85
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:3748] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:3856] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:3872] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:3884] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:3888] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:1160] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:612] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:256] 0000000071e629e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.ECSQLEXPRESS\MSSQL\Binn\sqlservr.exe [2264:5076] 0000000071e629e1
Thread C:\Windows\SysWOW64\ntdll.dll [2144:2240] 0000000000bab62e
Thread C:\Windows\SysWOW64\ntdll.dll [2144:3188] 0000000073b932fb
Thread C:\Windows\SysWOW64\ntdll.dll [3344:3348] 0000000000ba13a7
Thread C:\Windows\SysWOW64\ntdll.dll [3368:3372] 0000000000a298ce
Thread C:\Windows\SysWOW64\ntdll.dll [3368:3592] 000000006819786a
Thread C:\Windows\SysWOW64\ntdll.dll [3368:3600] 0000000067e9d80c
Thread C:\Windows\SysWOW64\ntdll.dll [3368:4292] 0000000073b932fb

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ac7289b9b404
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ac7289b9b404@8844f683ee5d 0xB8 0xB9 0xE0 0xFF ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ac7289b9b404@2c54cf3b9764 0x87 0xEC 0x54 0xD1 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x05 0x16 0x3F 0xF1 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ac7289b9b404 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ac7289b9b404@8844f683ee5d 0xB8 0xB9 0xE0 0xFF ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ac7289b9b404@2c54cf3b9764 0x87 0xEC 0x54 0xD1 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x05 0x16 0x3F 0xF1 ...
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@\2:\Users\arn\Downloads\Unlocker1.9.2 (2).exe 1

---- EOF - GMER 2.1 ----