GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-14 16:01:35 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.01.0 298,09GB Running: jbn1fo1r.exe; Driver: C:\Users\Filip\AppData\Local\Temp\ugloypod.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80003405000 63 bytes [00, 00, 0C, 02, 45, 74, 77, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 592 fffff80003405040 1 byte [01] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791ef8d 1 byte [62] .text C:\Windows\system32\services.exe[740] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791ef8d 1 byte [62] .text C:\Windows\system32\winlogon.exe[336] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791ef8d 1 byte [62] .text C:\Windows\System32\svchost.exe[636] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[772] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791ef8d 1 byte [62] .text C:\Windows\system32\WLANExt.exe[1328] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791ef8d 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1852] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007690a2fd 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1876] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791ef8d 1 byte [62] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1932] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791ef8d 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1996] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007690a2fd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1092] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791ef8d 1 byte [62] .text C:\Windows\Explorer.EXE[1492] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791ef8d 1 byte [62] .text C:\ProgramData\DatacardService\DCSHelper.exe[1836] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007690a2fd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2144] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007690a2fd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2328] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007690a2fd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f01465 2 bytes [F0, 76] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f014bb 2 bytes [F0, 76] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [2328] entry point in ".rdata" section 0000000074f371e6 .text C:\ProgramData\DatacardService\DCSHelper.exe[2544] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007690a2fd 1 byte [62] .text C:\Program Files (x86)\blueconnect\blueconnect.exe[2832] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007690a2fd 1 byte [62] .text C:\Program Files (x86)\blueconnect\blueconnect.exe[2832] C:\Windows\syswow64\USER32.dll!GetSysColor 00000000763c6c3c 5 bytes JMP 000000010045b9d0 .text C:\Program Files (x86)\blueconnect\blueconnect.exe[2832] C:\Windows\syswow64\USER32.dll!GetSysColorBrush 00000000763d35a4 5 bytes JMP 000000010045ba30 .text C:\Program Files (x86)\blueconnect\blueconnect.exe[2832] C:\Windows\syswow64\USER32.dll!GetScrollInfo 00000000763d4018 7 bytes JMP 000000010045b810 .text C:\Program Files (x86)\blueconnect\blueconnect.exe[2832] C:\Windows\syswow64\USER32.dll!SetScrollInfo 00000000763d40cf 7 bytes JMP 000000010045b8c0 .text C:\Program Files (x86)\blueconnect\blueconnect.exe[2832] C:\Windows\syswow64\USER32.dll!ShowScrollBar 00000000763d4162 5 bytes JMP 000000010045b990 .text C:\Program Files (x86)\blueconnect\blueconnect.exe[2832] C:\Windows\syswow64\USER32.dll!GetScrollPos 00000000763d4234 5 bytes JMP 000000010045b850 .text C:\Program Files (x86)\blueconnect\blueconnect.exe[2832] C:\Windows\syswow64\USER32.dll!SetScrollPos 00000000763d87a5 5 bytes JMP 000000010045b900 .text C:\Program Files (x86)\blueconnect\blueconnect.exe[2832] C:\Windows\syswow64\USER32.dll!EnableScrollBar 00000000763d8d3a 7 bytes JMP 000000010045b7d0 .text C:\Program Files (x86)\blueconnect\blueconnect.exe[2832] C:\Windows\syswow64\USER32.dll!GetScrollRange 00000000763d90c4 5 bytes JMP 000000010045b880 .text C:\Program Files (x86)\blueconnect\blueconnect.exe[2832] C:\Windows\syswow64\USER32.dll!SetScrollRange 00000000763ed50b 5 bytes JMP 000000010045b940 .text C:\Program Files (x86)\blueconnect\blueconnect.exe[2832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f01465 2 bytes [F0, 76] .text C:\Program Files (x86)\blueconnect\blueconnect.exe[2832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f014bb 2 bytes [F0, 76] .text ... * 2 .text C:\Program Files (x86)\IObit\Smart Defrag 3\SmartDefrag.exe[2776] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007690a2fd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2992] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791ef8d 1 byte [62] .text C:\Program Files\Elantech\ETDCtrl.exe[2068] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791ef8d 1 byte [62] .text C:\Users\Filip\AppData\Roaming\blueconnect\ouc.exe[2940] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007690a2fd 1 byte [62] .text C:\Users\Filip\AppData\Local\DM\TinyDM.exe[2656] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007690a2fd 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791ef8d 1 byte [62] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[2596] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791ef8d 1 byte [62] .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3488] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007690a2fd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\avastui.exe[3612] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007690a2fd 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[3996] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007690a2fd 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[3996] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 0000000073e917fa 2 bytes JMP 00000000842ea372 .text C:\Windows\SysWOW64\PnkBstrA.exe[3996] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000073e91860 2 bytes JMP 00000000842ea3d8 .text C:\Windows\SysWOW64\PnkBstrA.exe[3996] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000073e91942 2 bytes JMP 000000010479a9ba .text C:\Windows\SysWOW64\PnkBstrA.exe[3996] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 0000000073e9194d 2 bytes JMP 000000010479a9c5 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[3104] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007690a2fd 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4908] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007791ef8d 1 byte [62] .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[4928] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007690a2fd 1 byte [62] .text C:\Windows\SysWOW64\RunDll32.exe[4528] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007690a2fd 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5304] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007690a2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1444] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007690a2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7160] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007690a2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f01465 2 bytes [F0, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[7160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f014bb 2 bytes [F0, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[6768] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007690a2fd 1 byte [62] .text C:\Users\Filip\Desktop\Downloads\jbn1fo1r.exe[5648] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007690a2fd 1 byte [62] .text C:\Users\Filip\Desktop\Downloads\jbn1fo1r.exe[5648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f01465 2 bytes [F0, 76] .text C:\Users\Filip\Desktop\Downloads\jbn1fo1r.exe[5648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f014bb 2 bytes [F0, 76] .text ... * 2 ---- Devices - GMER 2.1 ---- Device \Driver\MBAMWebAccessControl \Device\StreamEitor fffff880081f2324 Device \Driver\MBAMWebAccessControl \Device\StreamEitor fffff880081f2324 Device \FileSystem\MBAMSwissArmy \Device\MBAMSwissArmy fffff880081e6104 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90a4de6a30cf Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90a4de6a30cf@b4527ddd8dc6 0xD3 0xA9 0xCD 0x34 ... Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 3903 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90a4de6a30cf (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90a4de6a30cf@b4527ddd8dc6 0xD3 0xA9 0xCD 0x34 ... ---- EOF - GMER 2.1 ----