GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-01-08 17:57:45 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000LM024_HN-M101MBB rev.2AR20002 931,51GB Running: 3phdf2co.exe; Driver: C:\Users\PITLEN~1\AppData\Local\Temp\uxtiiuod.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1948] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000077191401 2 bytes JMP 7720b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1948] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000077191419 2 bytes JMP 7720b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1948] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000077191431 2 bytes JMP 77289149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1948] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 000000007719144a 2 bytes CALL 771e4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1948] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000771914dd 2 bytes JMP 77288a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1948] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000771914f5 2 bytes JMP 77288c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1948] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 000000007719150d 2 bytes JMP 77288938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1948] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000077191525 2 bytes JMP 77288d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1948] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 000000007719153d 2 bytes JMP 771ffcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1948] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000077191555 2 bytes JMP 77206907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1948] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 000000007719156d 2 bytes JMP 77289201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1948] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000077191585 2 bytes JMP 77288d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1948] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 000000007719159d 2 bytes JMP 772888fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1948] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000771915b5 2 bytes JMP 771ffd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1948] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000771915cd 2 bytes JMP 7720b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1948] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000771916b2 2 bytes JMP 772890c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1948] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000771916bd 2 bytes JMP 77288891 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe[2244] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExW + 17 0000000077191401 2 bytes JMP 7720b233 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe[2244] C:\Windows\syswow64\PsApi.dll!EnumProcessModules + 17 0000000077191419 2 bytes JMP 7720b35e C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe[2244] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 17 0000000077191431 2 bytes JMP 77289149 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe[2244] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 42 000000007719144a 2 bytes CALL 771e4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe[2244] C:\Windows\syswow64\PsApi.dll!EnumDeviceDrivers + 17 00000000771914dd 2 bytes JMP 77288a42 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe[2244] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameA + 17 00000000771914f5 2 bytes JMP 77288c18 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe[2244] C:\Windows\syswow64\PsApi.dll!QueryWorkingSetEx + 17 000000007719150d 2 bytes JMP 77288938 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe[2244] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameW + 17 0000000077191525 2 bytes JMP 77288d02 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe[2244] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameW + 17 000000007719153d 2 bytes JMP 771ffcc0 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe[2244] C:\Windows\syswow64\PsApi.dll!EnumProcesses + 17 0000000077191555 2 bytes JMP 77206907 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe[2244] C:\Windows\syswow64\PsApi.dll!GetProcessMemoryInfo + 17 000000007719156d 2 bytes JMP 77289201 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe[2244] C:\Windows\syswow64\PsApi.dll!GetPerformanceInfo + 17 0000000077191585 2 bytes JMP 77288d62 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe[2244] C:\Windows\syswow64\PsApi.dll!QueryWorkingSet + 17 000000007719159d 2 bytes JMP 772888fc C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe[2244] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameA + 17 00000000771915b5 2 bytes JMP 771ffd59 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe[2244] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExA + 17 00000000771915cd 2 bytes JMP 7720b2f4 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe[2244] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 20 00000000771916b2 2 bytes JMP 772890c4 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe[2244] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 31 00000000771916bd 2 bytes JMP 77288891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077191401 2 bytes JMP 7720b233 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[3604] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077191419 2 bytes JMP 7720b35e C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077191431 2 bytes JMP 77289149 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007719144a 2 bytes CALL 771e4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\RunDll32.exe[3604] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000771914dd 2 bytes JMP 77288a42 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000771914f5 2 bytes JMP 77288c18 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[3604] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007719150d 2 bytes JMP 77288938 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077191525 2 bytes JMP 77288d02 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007719153d 2 bytes JMP 771ffcc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[3604] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077191555 2 bytes JMP 77206907 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007719156d 2 bytes JMP 77289201 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077191585 2 bytes JMP 77288d62 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[3604] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007719159d 2 bytes JMP 772888fc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000771915b5 2 bytes JMP 771ffd59 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000771915cd 2 bytes JMP 7720b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000771916b2 2 bytes JMP 772890c4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000771916bd 2 bytes JMP 77288891 C:\Windows\syswow64\kernel32.dll ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1c3e84dc7406 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1c3e84dc7406@48c1acc5cbc1 0x3E 0x94 0x6B 0x13 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1c3e84dc7406@30766fcf663a 0xCC 0xF2 0x8E 0xDE ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1c3e84dc7406@980d2ee6a8b4 0xC9 0x83 0x4B 0xD6 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1c3e84dc7406@d0dfc7eaa6cb 0xDC 0x5F 0x5A 0x4B ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1c3e84dc7406@c44619b0c955 0x4A 0xEC 0xEF 0xC8 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1c3e84dc7406@38ece4aeeb20 0xE5 0x1B 0x84 0x28 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1c3e84dc7406 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1c3e84dc7406@48c1acc5cbc1 0x3E 0x94 0x6B 0x13 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1c3e84dc7406@30766fcf663a 0xCC 0xF2 0x8E 0xDE ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1c3e84dc7406@980d2ee6a8b4 0xC9 0x83 0x4B 0xD6 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1c3e84dc7406@d0dfc7eaa6cb 0xDC 0x5F 0x5A 0x4B ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1c3e84dc7406@c44619b0c955 0x4A 0xEC 0xEF 0xC8 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1c3e84dc7406@38ece4aeeb20 0xE5 0x1B 0x84 0x28 ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----