GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-16 23:42:53 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK5061GSYN rev.MH000C 465,76GB Running: f0uwh20l.exe; Driver: C:\Users\JUSTYN~1\AppData\Local\Temp\fxlyruob.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88004fc0d8c 12 bytes {MOV RAX, 0xfffffa80052e52a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750b1465 2 bytes [0B, 75] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750b14bb 2 bytes [0B, 75] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[2688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750b1465 2 bytes [0B, 75] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[2688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750b14bb 2 bytes [0B, 75] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750b1465 2 bytes [0B, 75] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5004] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750b14bb 2 bytes [0B, 75] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750b1465 2 bytes [0B, 75] .text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750b14bb 2 bytes [0B, 75] .text ... 
* 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff88001099650] \SystemRoot\System32\Drivers\spbj.sys [unknown section] IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff880010995dc] \SystemRoot\System32\Drivers\spbj.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800106435c] \SystemRoot\System32\Drivers\spbj.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001064224] \SystemRoot\System32\Drivers\spbj.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001064a24] \SystemRoot\System32\Drivers\spbj.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff88001064ba0] \SystemRoot\System32\Drivers\spbj.sys [unknown section] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80049e82c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80049e82c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80049e82c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80049e82c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa80049e82c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80049e82c0 Device \Driver\JMCR \Device\Scsi\JMCR1 fffffa80054242c0 Device \Driver\JMCR \Device\Scsi\JMCR2 fffffa80054242c0 Device \Driver\JMCR \Device\Scsi\JMCR3 fffffa80054242c0 Device \Driver\JMCR \Device\Scsi\JMCR4 fffffa80054242c0 Device \FileSystem\Ntfs \Ntfs fffffa8004a1e2c0 Device \Driver\JMCR \Device\ScsiPort7 fffffa80054242c0 Device \Driver\usbehci \Device\USBFDO-7 fffffa80053c82c0 Device \Driver\usbuhci \Device\USBPDO-5 fffffa80053a92c0 Device \Driver\usbuhci \Device\USBFDO-3 fffffa80053a92c0 Device \Driver\usbuhci \Device\USBPDO-1 fffffa80053a92c0 Device \Driver\cdrom \Device\CdRom0 fffffa80052122c0 Device \Driver\usbuhci 
\Device\USBPDO-6 fffffa80053a92c0 Device \Driver\usbuhci \Device\USBFDO-4 fffffa80053a92c0 Device \Driver\usbuhci \Device\USBFDO-0 fffffa80053a92c0 Device \Driver\usbehci \Device\USBPDO-2 fffffa80053c82c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{40435508-CFF0-4988-A100-14F1BBDCFB01} fffffa800524b2c0 Device \Driver\usbehci \Device\USBPDO-7 fffffa80053c82c0 Device \Driver\usbuhci \Device\USBFDO-5 fffffa80053a92c0 Device \Driver\usbuhci \Device\USBPDO-3 fffffa80053a92c0 Device \Driver\usbuhci \Device\USBFDO-1 fffffa80053a92c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa80049e22c0 Device \Driver\volmgr \Device\FtControl fffffa80049e22c0 Device \Driver\volmgr \Device\VolMgrControl fffffa80049e22c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa80049e22c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa80049e22c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800524b2c0 Device \Driver\usbuhci \Device\USBFDO-6 fffffa80053a92c0 Device \Driver\usbuhci \Device\USBPDO-4 fffffa80053a92c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80049e82c0 Device \Driver\usbehci \Device\USBFDO-2 fffffa80053c82c0 Device \Driver\usbuhci \Device\USBPDO-0 fffffa80053a92c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80049e82c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{300175DB-3C0B-4684-926B-794F3668AF10} fffffa800524b2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{EE50B87A-76C2-41F1-B23E-0B9CACE4443B} fffffa800524b2c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80049e82c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80049e82c0 Device \Driver\JMCR \Device\ScsiPort4 fffffa80054242c0 Device \Driver\JMCR \Device\ScsiPort5 fffffa80054242c0 Device \Driver\JMCR \Device\ScsiPort6 fffffa80054242c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys ACPI.sys >>UNKNOWN [0xfffffa80049e82c0]<< spbj.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa80049e82c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004d57060] fffffa8004d57060 
Trace 3 CLASSPNP.SYS[fffff88000c7f43f] -> nt!IofCallDriver -> [0xfffffa8004d56040] fffffa8004d56040 Trace 5 hpdskflt.sys[fffff88001c2e289] -> nt!IofCallDriver -> [0xfffffa8004be6510] fffffa8004be6510 Trace 7 ACPI.sys[fffff880011a07a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004bb51f0] fffffa8004bb51f0 Trace \Driver\atapi[0xfffffa8004b08550] -> IRP_MJ_CREATE -> 0xfffffa80049e82c0 fffffa80049e82c0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{8575EB7C-643B-489F-B01A-4ACC9A5ED9CC}\Connection@Name Połączenie lokalne* 19 Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{32547D74-F64D-48FA-BEDA-060A62AE0934}?\Device\{8575EB7C-643B-489F-B01A-4ACC9A5ED9CC}?\Device\{A9CD2946-8D23-4E30-9348-CD29D2833AD8}?\Device\{763EBEF6-3E12-4339-8F8C-C43C03E00E66}?\Device\{E9292ADB-F600-4F62-9299-470D5288476B}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{32547D74-F64D-48FA-BEDA-060A62AE0934}"?"{8575EB7C-643B-489F-B01A-4ACC9A5ED9CC}"?"{A9CD2946-8D23-4E30-9348-CD29D2833AD8}"?"{763EBEF6-3E12-4339-8F8C-C43C03E00E66}"?"{E9292ADB-F600-4F62-9299-470D5288476B}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{32547D74-F64D-48FA-BEDA-060A62AE0934}?\Device\TCPIP6TUNNEL_{8575EB7C-643B-489F-B01A-4ACC9A5ED9CC}?\Device\TCPIP6TUNNEL_{A9CD2946-8D23-4E30-9348-CD29D2833AD8}?\Device\TCPIP6TUNNEL_{763EBEF6-3E12-4339-8F8C-C43C03E00E66}?\Device\TCPIP6TUNNEL_{E9292ADB-F600-4F62-9299-470D5288476B}? 
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0027132e955f Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{8575EB7C-643B-489F-B01A-4ACC9A5ED9CC}@InterfaceName isatap.{EE50B87A-76C2-41F1-B23E-0B9CACE4443B} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{8575EB7C-643B-489F-B01A-4ACC9A5ED9CC}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0D 0x26 0x68 0x17 ... Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{300175DB-3C0B-4684-926B-794F3668AF10}@LeaseObtainedTime 1416171500 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{300175DB-3C0B-4684-926B-794F3668AF10}@T1 1416175100 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{300175DB-3C0B-4684-926B-794F3668AF10}@T2 1416177800 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{300175DB-3C0B-4684-926B-794F3668AF10}@LeaseTerminatesTime 1416178700 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0027132e955f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0D 0x26 0x68 0x17 ... 
---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----