GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-06-22 21:24:26 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000066 ATA_____ rev.3B01 596,17GB Running: gmer.exe; Driver: C:\Users\USER\AppData\Local\Temp\aftcaaob.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!EngSetLastError + 608 fffff96000164cb4 8 bytes [48, 94, C9, 04, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000193f00 7 bytes [00, 98, F3, FF, 01, A6, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000193f08 3 bytes [C0, 06, 02] .text ... * 109 .text C:\Windows\System32\win32k.sys!EngGetProcessHandle + 404 fffff96000252a98 6 bytes {JMP QWORD [RIP+0x663fe]} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[680] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775def8d 1 byte [62] .text C:\Windows\system32\services.exe[740] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775def8d 1 byte [62] .text C:\Windows\system32\winlogon.exe[876] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775def8d 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[356] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775def8d 1 byte [62] .text C:\Windows\System32\svchost.exe[608] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775def8d 1 byte [62] .text C:\Windows\system32\svchost.exe[728] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775def8d 1 byte [62] .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1120] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773aa2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1748] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773aa2fd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1796] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775def8d 1 byte [62] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1824] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773aa2fd 1 byte [62] .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[2000] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773aa2fd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1400] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773aa2fd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1400] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076c11465 2 bytes [C1, 76] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1400] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076c114bb 2 bytes [C1, 76] .text ... * 2 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1972] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773aa2fd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076c11465 2 bytes [C1, 76] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076c114bb 2 bytes [C1, 76] .text ... * 2 .text C:\Windows\Explorer.EXE[2216] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775def8d 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2500] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773aa2fd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076c11465 2 bytes [C1, 76] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076c114bb 2 bytes [C1, 76] .text ... * 2 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4060] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773aa2fd 1 byte [62] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076c11465 2 bytes [C1, 76] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076c114bb 2 bytes [C1, 76] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3548] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773aa2fd 1 byte [62] .text C:\Program Files (x86)\Creative\Shared Files\Module Loader\DLLML.exe[3700] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773aa2fd 1 byte [62] .text C:\Program Files (x86)\Creative\Shared Files\Module Loader\DLLML.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076c11465 2 bytes [C1, 76] .text C:\Program Files (x86)\Creative\Shared Files\Module Loader\DLLML.exe[3700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076c114bb 2 bytes [C1, 76] .text ... * 2 .text C:\Program Files (x86)\Creative\Sound Blaster X-Fi Surround 5.1 Pro\Volume Panel\VolPanlu.exe[4000] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773aa2fd 1 byte [62] .text C:\Program Files (x86)\Creative\Sound Blaster X-Fi Surround 5.1 Pro\Volume Panel\VolPanlu.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076c11465 2 bytes [C1, 76] .text C:\Program Files (x86)\Creative\Sound Blaster X-Fi Surround 5.1 Pro\Volume Panel\VolPanlu.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076c114bb 2 bytes [C1, 76] .text ... * 2 .text C:\Program Files\AVAST Software\Avast\avastui.exe[4024] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000077388791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4024] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773aa2fd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076c11465 2 bytes [C1, 76] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076c114bb 2 bytes [C1, 76] .text ... * 2 .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[3332] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773aa2fd 1 byte [62] .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[3332] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076c11465 2 bytes [C1, 76] .text C:\Program Files (x86)\Creative\ShareDLL\CADI\NotiMan.exe[3332] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076c114bb 2 bytes [C1, 76] .text ... * 2 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3224] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000773aa2fd 1 byte [62] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076c11465 2 bytes [C1, 76] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3224] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076c114bb 2 bytes [C1, 76] .text ... * 2 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[208] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000773aa2fd 1 byte [62] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076c11465 2 bytes [C1, 76] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076c114bb 2 bytes [C1, 76] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5008] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773aa2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076c11465 2 bytes [C1, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5008] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076c114bb 2 bytes [C1, 76] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4716] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773aa2fd 1 byte [62] .text C:\Users\USER\Desktop\gmer\gmer.exe[2392] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773aa2fd 1 byte [62] ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9A 0x2F 0xD2 0xA2 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9A 0x2F 0xD2 0xA2 ... ---- EOF - GMER 2.1 ----