GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-12-14 20:58:10 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.GJ00 465,76GB Running: gmhv487k.exe; Driver: C:\Users\Toshiba\AppData\Local\Temp\pwliypog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80003a05000 63 bytes [00, 00, 00, 00, 00, 00, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 593 fffff80003a05041 12 bytes [90, F5, 09, A0, F8, FF, FF, ...] .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff88004b9fd8c 12 bytes {MOV RAX, 0xfffffa8005b972a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 00000000776ffaa8 5 bytes JMP 00000001738519e8 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2008] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077700038 5 bytes JMP 000000017385209e .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2892] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 00000000776f000c 1 byte [C3] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2892] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 000000007777f8ea 5 bytes JMP 000000017772d5c1 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076e41465 2 bytes [E4, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076e414bb 2 bytes [E4, 76] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff8800130b650] \SystemRoot\System32\Drivers\spqb.sys [unknown section] IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff8800130b5dc] \SystemRoot\System32\Drivers\spqb.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880012d635c] \SystemRoot\System32\Drivers\spqb.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880012d6224] \SystemRoot\System32\Drivers\spqb.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880012d6a24] \SystemRoot\System32\Drivers\spqb.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880012d6ba0] \SystemRoot\System32\Drivers\spqb.sys [unknown section] IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88000e7cea4] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- Devices - GMER 2.1 ---- Device \Driver\ahcfqb43 \Device\Scsi\ahcfqb431Port5Path0Target0Lun0 fffffa8005ff82c0 Device \Driver\ahcfqb43 \Device\Scsi\ahcfqb431 fffffa8005ff82c0 Device \FileSystem\Ntfs \Ntfs fffffa800487f2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8005ba92c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{68733E37-B9DF-46DB-9837-DD074CE56E47} fffffa8004d1f2c0 Device \Driver\cdrom \Device\CdRom0 fffffa80062812c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{2C6A5797-5837-4935-B5D5-EF04D32BD02B} fffffa8004d1f2c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8005ba92c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{39B48F4C-9840-4ABD-B3DF-5E40EECC12E2} fffffa8004d1f2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8005ba92c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa80048732c0 Device \Driver\volmgr \Device\FtControl fffffa80048732c0 Device \Driver\volmgr \Device\VolMgrControl fffffa80048732c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa80048732c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{C3D29594-1513-46B8-BBC5-9A8358AA866A} fffffa8004d1f2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004d1f2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8005ba92c0 Device \Driver\ahcfqb43 \Device\ScsiPort5 fffffa8005ff82c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\ahcfqb43.SYS fffff88006c00000-fffff88006c45000 (282624 bytes) ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [3740:4884] 000007fef1a59688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4508:4744] 000007fefb722a7c ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b62eff1a Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b482fef8c13d Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b482fef8c13d@78471db79c9e 0xEA 0xC3 0xBC 0x49 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b482fef8c13d@0025e7a62a87 0x01 0xBC 0xBA 0x3E ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b482fef8c13d@00037aa80a75 0x6D 0x57 0x2F 0x12 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b482fef8c13d@1c4bd60c38b0 0x7B 0x3A 0xA4 0x5F ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b482fef8c13d@a0f450411ac1 0x49 0xA0 0x35 0xCC ... Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 23797 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 14674 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x40 0xCF 0xB8 0x27 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x72 0xC0 0xC8 0x39 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x90 0x99 0xC0 0x78 ... Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{39B48F4C-9840-4ABD-B3DF-5E40EECC12E2}@LeaseObtainedTime 1387028933 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{39B48F4C-9840-4ABD-B3DF-5E40EECC12E2}@T1 1387072133 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{39B48F4C-9840-4ABD-B3DF-5E40EECC12E2}@T2 1387104533 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{39B48F4C-9840-4ABD-B3DF-5E40EECC12E2}@LeaseTerminatesTime 1387115333 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b62eff1a (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b482fef8c13d (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b482fef8c13d@78471db79c9e 0xEA 0xC3 0xBC 0x49 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b482fef8c13d@0025e7a62a87 0x01 0xBC 0xBA 0x3E ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b482fef8c13d@00037aa80a75 0x6D 0x57 0x2F 0x12 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b482fef8c13d@1c4bd60c38b0 0x7B 0x3A 0xA4 0x5F ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b482fef8c13d@a0f450411ac1 0x49 0xA0 0x35 0xCC ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x40 0xCF 0xB8 0x27 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x72 0xC0 0xC8 0x39 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x90 0x99 0xC0 0x78 ... ---- EOF - GMER 2.1 ----