GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-10-05 13:22:49 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.GJ00 465,76GB Running: d09j2b9v.exe; Driver: C:\Users\Sofia\AppData\Local\Temp\fwddykob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 544 fffff800033b2000 93 bytes [89, 6C, 24, 70, E9, 4B, FF, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 638 fffff800033b205e 57 bytes [05, 05, 20, 1B, 00, 49, 8D, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000143f00 7 bytes [40, 9D, F3, FF, 01, AB, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000143f08 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1944] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000076fe1465 2 bytes [FE, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1944] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000076fe14bb 2 bytes [FE, 76] .text ... * 2 .text C:\Windows\system32\Dwm.exe[2572] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefc202db0 5 bytes JMP 000007fffc1f0180 .text C:\Windows\system32\Dwm.exe[2572] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefc2037d0 7 bytes JMP 000007fffc1f00d8 .text C:\Windows\system32\Dwm.exe[2572] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefc208ef0 6 bytes JMP 000007fffc1f0148 .text C:\Windows\system32\Dwm.exe[2572] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefc21af60 5 bytes JMP 000007fffc1f0110 .text C:\Windows\system32\Dwm.exe[2572] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe2489e0 8 bytes JMP 000007fffc1f01f0 .text C:\Windows\system32\Dwm.exe[2572] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe24be40 8 bytes JMP 000007fffc1f01b8 .text C:\Windows\system32\Dwm.exe[2572] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef299dc88 5 bytes JMP 000007fff27900d8 .text C:\Windows\system32\Dwm.exe[2572] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef299de10 5 bytes JMP 000007fff2790110 .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefc202db0 5 bytes JMP 000007fffc1f0180 .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefc2037d0 7 bytes JMP 000007fffc1f00d8 .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefc208ef0 6 bytes JMP 000007fffc1f0148 .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefc21af60 5 bytes JMP 000007fffc1f0110 .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefe2489e0 8 bytes JMP 000007fffc1f01f0 .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefe24be40 8 bytes JMP 000007fffc1f01b8 .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefc9b7490 11 bytes JMP 000007fffc1f0228 .text C:\Windows\system32\taskeng.exe[2940] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefc9cbf00 7 bytes JMP 000007fffc1f0260 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3020] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000763d13e1 7 bytes JMP 0000000173db12ad .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3020] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 00000000763eb1d3 5 bytes JMP 0000000173db15be .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3020] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000764688b4 7 bytes JMP 0000000173db1357 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3020] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076468939 5 bytes JMP 0000000173db16e0 .text C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe[3020] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076468c8f 5 bytes JMP 0000000173db1028 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3776] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076fe1465 2 bytes [FE, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3776] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076fe14bb 2 bytes [FE, 76] .text ... * 2 .text C:\Users\Sofia\Downloads\d09j2b9v.exe[2404] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000763d13e1 7 bytes JMP 0000000173db12ad .text C:\Users\Sofia\Downloads\d09j2b9v.exe[2404] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 00000000763eb1d3 5 bytes JMP 0000000173db15be .text C:\Users\Sofia\Downloads\d09j2b9v.exe[2404] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000764688b4 7 bytes JMP 0000000173db1357 .text C:\Users\Sofia\Downloads\d09j2b9v.exe[2404] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000076468939 5 bytes JMP 0000000173db16e0 .text C:\Users\Sofia\Downloads\d09j2b9v.exe[2404] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000076468c8f 5 bytes JMP 0000000173db1028 .text C:\Users\Sofia\Downloads\d09j2b9v.exe[2404] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075411d1b 5 bytes JMP 0000000173db11ef .text C:\Users\Sofia\Downloads\d09j2b9v.exe[2404] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075411dc9 5 bytes JMP 0000000173db1023 .text C:\Users\Sofia\Downloads\d09j2b9v.exe[2404] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075412aa4 5 bytes JMP 0000000173db156e .text C:\Users\Sofia\Downloads\d09j2b9v.exe[2404] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075412d0a 5 bytes JMP 0000000173db1294 .text C:\Users\Sofia\Downloads\d09j2b9v.exe[2404] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007651e9a2 5 bytes JMP 0000000173db15d7 .text C:\Users\Sofia\Downloads\d09j2b9v.exe[2404] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007651ebdc 5 bytes JMP 0000000173db11b8 .text C:\Users\Sofia\Downloads\d09j2b9v.exe[2404] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076a58a29 5 bytes JMP 0000000173db1050 .text C:\Users\Sofia\Downloads\d09j2b9v.exe[2404] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076a64572 5 bytes JMP 0000000173db10d2 .text C:\Users\Sofia\Downloads\d09j2b9v.exe[2404] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075085ea5 5 bytes JMP 0000000173db1609 .text C:\Users\Sofia\Downloads\d09j2b9v.exe[2404] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000750b9d0b 5 bytes JMP 0000000173db1249 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4cedde7e03d1 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4cedde7e03d1@bc4760cbb4f0 0xBC 0xFE 0x19 0xEB ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4cedde7e03d1@b8f93401bbdd 0x93 0xE5 0x35 0x13 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4cedde7e03d1@8425dbb319e4 0x59 0x2C 0xCA 0xF7 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e839df56bc03 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x29 0x1F 0xED 0x8E ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0D 0x44 0xDC 0x1C ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x6D 0x0B 0x7E 0x66 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x32 0x24 0x57 0xFA ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4cedde7e03d1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4cedde7e03d1@bc4760cbb4f0 0xBC 0xFE 0x19 0xEB ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4cedde7e03d1@b8f93401bbdd 0x93 0xE5 0x35 0x13 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4cedde7e03d1@8425dbb319e4 0x59 0x2C 0xCA 0xF7 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e839df56bc03 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x29 0x1F 0xED 0x8E ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0D 0x44 0xDC 0x1C ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x6D 0x0B 0x7E 0x66 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x32 0x24 0x57 0xFA ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----