GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-30 00:59:44
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.AX00 298,09GB
Running: 9jrsmv0f.exe; Driver: C:\Users\samsung\AppData\Local\Temp\pgeiqkob.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\windows\System32\win32k.sys!W32pServiceTable  fffff96000164c00 7 bytes [00, 93, F3, FF, 41, A4, F0]
.text  C:\windows\System32\win32k.sys!W32pServiceTable + 8  fffff96000164c08 3 bytes [00, 07, 02]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1036] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000074db1401 2 bytes JMP 750bb21b C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1036] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000074db1419 2 bytes JMP 750bb346 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1036] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000074db1431 2 bytes JMP 75138ea9 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1036] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000074db144a 2 bytes CALL 750948ad C:\windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1036] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000074db14dd 2 bytes JMP 751387a2 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1036] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000074db14f5 2 bytes JMP 75138978 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1036] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000074db150d 2 bytes JMP 75138698 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1036] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000074db1525 2 bytes JMP 75138a62 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1036] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000074db153d 2 bytes JMP 750afca8 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1036] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000074db1555 2 bytes JMP 750b68ef C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1036] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000074db156d 2 bytes JMP 75138f61 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1036] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000074db1585 2 bytes JMP 75138ac2 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1036] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000074db159d 2 bytes JMP 7513865c C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1036] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000074db15b5 2 bytes JMP 750afd41 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1036] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000074db15cd 2 bytes JMP 750bb2dc C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1036] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000074db16b2 2 bytes JMP 75138e24 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1036] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000074db16bd 2 bytes JMP 751385f1 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2976] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000074db1401 2 bytes JMP 750bb21b C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2976] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000074db1419 2 bytes JMP 750bb346 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2976] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000074db1431 2 bytes JMP 75138ea9 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2976] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000074db144a 2 bytes CALL 750948ad C:\windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2976] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000074db14dd 2 bytes JMP 751387a2 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2976] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000074db14f5 2 bytes JMP 75138978 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2976] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000074db150d 2 bytes JMP 75138698 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2976] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000074db1525 2 bytes JMP 75138a62 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2976] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000074db153d 2 bytes JMP 750afca8 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2976] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000074db1555 2 bytes JMP 750b68ef C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2976] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000074db156d 2 bytes JMP 75138f61 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2976] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000074db1585 2 bytes JMP 75138ac2 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2976] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000074db159d 2 bytes JMP 7513865c C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2976] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000074db15b5 2 bytes JMP 750afd41 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2976] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000074db15cd 2 bytes JMP 750bb2dc C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2976] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000074db16b2 2 bytes JMP 75138e24 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2976] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000074db16bd 2 bytes JMP 751385f1 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2172] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000074db1401 2 bytes JMP 750bb21b C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2172] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000074db1419 2 bytes JMP 750bb346 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2172] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000074db1431 2 bytes JMP 75138ea9 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2172] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000074db144a 2 bytes CALL 750948ad C:\windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2172] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000074db14dd 2 bytes JMP 751387a2 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2172] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000074db14f5 2 bytes JMP 75138978 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2172] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000074db150d 2 bytes JMP 75138698 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2172] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000074db1525 2 bytes JMP 75138a62 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2172] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000074db153d 2 bytes JMP 750afca8 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2172] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000074db1555 2 bytes JMP 750b68ef C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2172] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000074db156d 2 bytes JMP 75138f61 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2172] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000074db1585 2 bytes JMP 75138ac2 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2172] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000074db159d 2 bytes JMP 7513865c C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2172] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000074db15b5 2 bytes JMP 750afd41 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2172] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000074db15cd 2 bytes JMP 750bb2dc C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2172] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000074db16b2 2 bytes JMP 75138e24 C:\windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[2172] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000074db16bd 2 bytes JMP 751385f1 C:\windows\syswow64\kernel32.dll

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\50b7c31a6726
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\50b7c31a6726@184617cd671b  0x1D 0xBF 0x58 0xAC ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\50b7c31a6726@0018a4b93f73  0xDB 0x96 0x7D 0xBF ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\50b7c31a6726@0025473c57d0  0x19 0x90 0x52 0x0B ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\50b7c31a6726@a47760c5fe23  0x78 0x3B 0xF5 0x86 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\50b7c31a6726@329246657230  0x9B 0x77 0xDF 0x11 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e81132ed2537
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{B11C37E1-E419-4699-85FD-CB46D11E1D4C}@LeaseObtainedTime  1427663024
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{B11C37E1-E419-4699-85FD-CB46D11E1D4C}@T1  1427706224
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{B11C37E1-E419-4699-85FD-CB46D11E1D4C}@T2  1427738624
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{B11C37E1-E419-4699-85FD-CB46D11E1D4C}@LeaseTerminatesTime  1427749424
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\50b7c31a6726 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\50b7c31a6726@184617cd671b  0x1D 0xBF 0x58 0xAC ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\50b7c31a6726@0018a4b93f73  0xDB 0x96 0x7D 0xBF ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\50b7c31a6726@0025473c57d0  0x19 0x90 0x52 0x0B ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\50b7c31a6726@a47760c5fe23  0x78 0x3B 0xF5 0x86 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\50b7c31a6726@329246657230  0x9B 0x77 0xDF 0x11 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e81132ed2537 (not active ControlSet)

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.1 ----