GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-09-02 23:04:53 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950042 rev.0001 465,76GB Running: 7upjvu4d.exe; Driver: C:\Users\Ola\AppData\Local\Temp\uxriqpow.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\windows\system32\drivers\USBPORT.SYS!DllUnload fffff8800706edac 12 bytes {MOV RAX, 0xfffffa800792e2a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Avast\avastui.exe[7800] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076628791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files (x86)\iTunes\iTunes.exe[5928] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076951401 2 bytes JMP 7664b21b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5928] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076951419 2 bytes JMP 7664b346 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5928] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076951431 2 bytes JMP 766c8ea9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5928] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007695144a 2 bytes CALL 766248ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\iTunes\iTunes.exe[5928] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769514dd 2 bytes JMP 766c87a2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5928] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769514f5 2 bytes JMP 766c8978 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5928] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007695150d 2 bytes JMP 766c8698 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5928] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076951525 2 bytes JMP 766c8a62 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5928] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007695153d 2 bytes JMP 7663fca8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5928] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076951555 2 bytes JMP 766468ef C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5928] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007695156d 2 bytes JMP 766c8f61 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5928] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076951585 2 bytes JMP 766c8ac2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5928] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007695159d 2 bytes JMP 766c865c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5928] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769515b5 2 bytes JMP 7663fd41 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5928] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769515cd 2 bytes JMP 7664b2dc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5928] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769516b2 2 bytes JMP 766c8e24 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\iTunes\iTunes.exe[5928] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769516bd 2 bytes JMP 766c85f1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Last.fm\Last.fm\Last.fm Scrobbler.exe[3836] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076951401 2 bytes JMP 7664b21b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Last.fm\Last.fm\Last.fm Scrobbler.exe[3836] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076951419 2 bytes JMP 7664b346 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Last.fm\Last.fm\Last.fm Scrobbler.exe[3836] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076951431 2 bytes JMP 766c8ea9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Last.fm\Last.fm\Last.fm Scrobbler.exe[3836] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007695144a 2 bytes CALL 766248ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Last.fm\Last.fm\Last.fm Scrobbler.exe[3836] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000769514dd 2 bytes JMP 766c87a2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Last.fm\Last.fm\Last.fm Scrobbler.exe[3836] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000769514f5 2 bytes JMP 766c8978 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Last.fm\Last.fm\Last.fm Scrobbler.exe[3836] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007695150d 2 bytes JMP 766c8698 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Last.fm\Last.fm\Last.fm Scrobbler.exe[3836] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076951525 2 bytes JMP 766c8a62 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Last.fm\Last.fm\Last.fm Scrobbler.exe[3836] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007695153d 2 bytes JMP 7663fca8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Last.fm\Last.fm\Last.fm Scrobbler.exe[3836] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076951555 2 bytes JMP 766468ef C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Last.fm\Last.fm\Last.fm Scrobbler.exe[3836] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007695156d 2 bytes JMP 766c8f61 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Last.fm\Last.fm\Last.fm Scrobbler.exe[3836] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076951585 2 bytes JMP 766c8ac2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Last.fm\Last.fm\Last.fm Scrobbler.exe[3836] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007695159d 2 bytes JMP 766c865c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Last.fm\Last.fm\Last.fm Scrobbler.exe[3836] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000769515b5 2 bytes JMP 7663fd41 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Last.fm\Last.fm\Last.fm Scrobbler.exe[3836] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000769515cd 2 bytes JMP 7664b2dc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Last.fm\Last.fm\Last.fm Scrobbler.exe[3836] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000769516b2 2 bytes JMP 766c8e24 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Last.fm\Last.fm\Last.fm Scrobbler.exe[3836] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000769516bd 2 bytes JMP 766c85f1 C:\windows\syswow64\kernel32.dll ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010a3ed8] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010a3c7c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010a4658] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010a4a54] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010a48b0] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa80042e52c0 Device \FileSystem\fastfat \Fat fffffa800bbbe2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{8397D2BA-0B05-4536-8BBC-F571C82A4284} fffffa8006a582c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{21407BA0-095B-41A3-907E-168ABAD62C30} fffffa8006a582c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa800792c2c0 Device \Driver\cdrom \Device\CdRom0 fffffa800688c2c0 Device \Driver\cdrom \Device\CdRom1 fffffa800688c2c0 Device \Driver\cdrom \Device\CdRom2 fffffa800688c2c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa800792c2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{D24CCAC6-6D3C-4879-BA48-E28ECE2D0C44} fffffa8006a582c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa80068722c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{94A77170-A62A-42C7-8639-E90AC14676F7} fffffa8006a582c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{28DC0D39-C304-4A10-ACED-AF2A2FAF9B05} fffffa8006a582c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa800792c2c0 Device \Driver\dtsoftbus01 \Device\00000072 fffffa80068722c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8006a582c0 Device \Driver\dtsoftbus01 \Device\00000073 fffffa80068722c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa800792c2c0 ---- Threads - GMER 2.1 ---- Thread [4412:7348] 000000007359d690 Thread [4412:5504] 0000000077c43e85 Thread [4412:7588] 0000000077c42e65 Thread [4412:4808] 0000000077c43e85 Thread [4412:6248] 0000000073bdf28e Thread [4412:1376] 0000000076df7587 Thread [4412:3008] 0000000073bdf28e Thread [4412:1272] 0000000073034c50 Thread [4412:1264] 0000000073033e90 Thread [4412:3004] 0000000073bdf28e Thread [4412:1052] 0000000073c24de8 Thread [4412:1088] 000000007676d864 Thread [4412:1092] 000000007676d864 Thread [4412:1196] 00000000730196c0 Thread [4412:1240] 00000000730196c0 Thread [4412:1452] 00000000730196c0 Thread [4412:592] 00000000730196c0 Thread [4412:588] 00000000730196c0 Thread [4412:3052] 00000000730196c0 Thread [4412:2980] 00000000730196c0 Thread [4412:2984] 00000000730196c0 Thread [4412:2976] 00000000730196c0 Thread [4412:2972] 00000000730196c0 Thread [4412:2968] 000000007301a740 Thread [4412:2916] 000000007301a740 Thread [4412:4980] 0000000073019c10 Thread [4412:5096] 000000007307a630 Thread [4412:4472] 0000000073079400 Thread [4412:5348] 0000000073079830 Thread [4412:5360] 000000007301cb70 Thread [4412:3484] 000000007301cb70 Thread [4412:3380] 000000007301cb70 Thread [4412:3376] 000000007301cb70 Thread [4412:5224] 000000007301cb70 Thread [4412:5220] 000000007301cb70 Thread [4412:5228] 000000007301cb70 Thread [4412:5988] 000000007301cb70 Thread [4412:3960] 000000007301cb70 Thread [4412:3504] 000000007301cb70 Thread [4412:7352] 000000007301c870 Thread [4412:5376] 0000000074231080 Thread [4412:5380] 00000000731f1c00 Thread [4412:2188] 00000000731f6be0 Thread [4412:196] 00000000731f6be0 Thread [4412:6300] 0000000073035d00 Thread [4412:4820] 000000007301bfc0 Thread [4412:5144] 000000006eb116d0 Thread [4412:5340] 0000000073bdf28e Thread [4412:5308] 0000000070a152c9 Thread [4412:5456] 000000007309bbb0 Thread [4412:5304] 0000000072da8d10 Thread [4412:5416] 00000000742316d0 Thread [4412:5332] 0000000071bbad70 Thread [4412:7556] 0000000073bdf28e Thread [4412:7600] 0000000073bdf28e Thread [4412:3512] 0000000073bdf28e Thread [4412:3852] 0000000073bdf28e Thread [4412:7320] 0000000073bdf28e Thread [4412:7324] 0000000073bdf28e Thread [4412:6568] 000000006ea55e40 Thread [4412:6584] 000000006ea55e40 Thread [4412:6516] 000000006ea55e40 Thread [4412:6592] 000000006ea55e40 Thread [4412:6596] 000000006ea55e40 Thread [4412:6548] 000000006ea55e40 Thread [4412:2500] 0000000073bdf28e Thread [4412:4588] 00000000747cf580 Thread [4412:6180] 00000000747d2500 Thread [4412:6992] 0000000073bdf28e Thread [4412:6188] 0000000073bdf28e Thread [4412:2400] 0000000073bdf28e Thread [4412:6024] 0000000073bdf28e Thread [4412:4672] 0000000073bdf28e Thread [4412:2368] 0000000073bdf28e Thread [4412:4552] 0000000073bdf28e Thread [4412:4124] 0000000073bdf28e Thread [4412:4048] 0000000073bdf28e Thread [4412:4948] 0000000077c43e85 Thread [4412:6852] 00000000750c7311 Thread [4412:2428] 0000000077c43e85 Thread [4412:4684] 00000000764b82cd Thread [4412:6104] 0000000077c43e85 Thread [4412:7364] 00000000726c62ee ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{729BA39C-EAF4-49A4-ACFB-14D9262E1827}\Connection@Name isatap.{8397D2BA-0B05-4536-8BBC-F571C82A4284} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{7D3A3683-AFD0-49D1-ADE0-62B02022E0E4}?\Device\{CFEF64A2-B6EF-4964-84CA-FF3769B6CC64}?\Device\{209A8B51-09D6-4573-AD1E-B63006B063EE}?\Device\{729BA39C-EAF4-49A4-ACFB-14D9262E1827}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{7D3A3683-AFD0-49D1-ADE0-62B02022E0E4}"?"{CFEF64A2-B6EF-4964-84CA-FF3769B6CC64}"?"{209A8B51-09D6-4573-AD1E-B63006B063EE}"?"{729BA39C-EAF4-49A4-ACFB-14D9262E1827}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{7D3A3683-AFD0-49D1-ADE0-62B02022E0E4}?\Device\TCPIP6TUNNEL_{CFEF64A2-B6EF-4964-84CA-FF3769B6CC64}?\Device\TCPIP6TUNNEL_{209A8B51-09D6-4573-AD1E-B63006B063EE}?\Device\TCPIP6TUNNEL_{729BA39C-EAF4-49A4-ACFB-14D9262E1827}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015007f6c3b Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ac7289cb5371 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ac7289cb5371@b462939609a4 0x30 0xD3 0xE1 0xCC ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\bc7737048afc Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{729BA39C-EAF4-49A4-ACFB-14D9262E1827}@InterfaceName isatap.{8397D2BA-0B05-4536-8BBC-F571C82A4284} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{729BA39C-EAF4-49A4-ACFB-14D9262E1827}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Users\Ola\Desktop\Nowy folder\Deamon Tools\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015007f6c3b (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ac7289cb5371 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ac7289cb5371@b462939609a4 0x30 0xD3 0xE1 0xCC ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\bc7737048afc (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Users\Ola\Desktop\Nowy folder\Deamon Tools\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 ---- EOF - GMER 2.1 ----