GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-11-18 23:56:10 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9640320AS rev.0002SDM1 596,17GB Running: 4gudmm7m.exe; Driver: C:\Users\btn\AppData\Local\Temp\uxrirpow.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2904] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075611401 2 bytes JMP 7541eb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2904] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075611419 2 bytes JMP 7542b513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2904] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075611431 2 bytes JMP 754a8609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2904] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007561144a 2 bytes CALL 75401dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2904] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000756114dd 2 bytes JMP 754a7efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2904] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000756114f5 2 bytes JMP 754a80d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2904] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007561150d 2 bytes JMP 754a7df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2904] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075611525 2 bytes JMP 754a81c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2904] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007561153d 2 bytes JMP 7541f088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2904] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075611555 2 bytes JMP 7542b885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2904] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007561156d 2 bytes JMP 754a86c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2904] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075611585 2 bytes JMP 754a8222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2904] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007561159d 2 bytes JMP 754a7db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2904] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000756115b5 2 bytes JMP 7541f121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2904] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000756115cd 2 bytes JMP 7542b29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2904] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000756116b2 2 bytes JMP 754a8584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2904] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000756116bd 2 bytes JMP 754a7d4d C:\Windows\syswow64\kernel32.dll ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001010e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001010c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001011614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001011a10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800101186c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa8003caa2c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa8003caa2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa8003caa2c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa8003caa2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa8003caa2c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa8003caa2c0 Device \FileSystem\Ntfs \Ntfs fffffa8004a0d2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80052262c0 Device \Driver\cdrom \Device\CdRom0 fffffa8004f1c2c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa80052262c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{EDCBCD6A-A3E2-4882-9F82-1EBB7C9246D2} fffffa80050862c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80052262c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{E0B89E9D-1601-44E6-B64F-09EDB9968670} fffffa80050862c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80050862c0 Device \Driver\atapi \Device\ScsiPort0 fffffa8003caa2c0 Device \Driver\atapi \Device\ScsiPort1 fffffa8003caa2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa80052262c0 Device \Driver\atapi \Device\ScsiPort2 fffffa8003caa2c0 Device \Driver\atapi \Device\ScsiPort3 fffffa8003caa2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8003caa2c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa8003caa2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004ea2060] fffffa8004ea2060 Trace 3 CLASSPNP.SYS[fffff880013be43f] -> nt!IofCallDriver -> [0xfffffa8004bd6520] fffffa8004bd6520 Trace 5 ACPI.sys[fffff88001137781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004bc9680] fffffa8004bc9680 Trace \Driver\atapi[0xfffffa8004b7fe70] -> IRP_MJ_CREATE -> 0xfffffa8003caa2c0 fffffa8003caa2c0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dce7fb9 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dce7fb9 (not active ControlSet) ---- EOF - GMER 2.1 ----