GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-03-03 09:27:07 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 SAMSUNG_HD501LJ rev.CR100-13 465,76GB Running: glu3ry5w.exe; Driver: C:\Users\Rubo\AppData\Local\Temp\aftcqaod.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff8800403ec34 12 bytes {MOV RAX, 0xfffffa80051312a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1884] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 0000000072ca11a8 2 bytes [CA, 72] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1884] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 0000000072ca13a8 2 bytes [CA, 72] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1884] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000072ca1422 2 bytes [CA, 72] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1884] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000072ca1498 2 bytes [CA, 72] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1884] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 195 0000000072ac1b41 2 bytes [AC, 72] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1884] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 362 0000000072ac1be8 2 bytes [AC, 72] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1884] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 418 0000000072ac1c20 2 bytes [AC, 72] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1884] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 596 0000000072ac1cd2 2 bytes [AC, 72] .text C:\Program Files (x86)\Common Files\InterVideo\DeviceService\DevSvc.exe[1884] C:\Windows\SysWOW64\d3d8thk.dll!OsThunkDdWaitForVerticalBlank + 628 0000000072ac1cf2 2 bytes [AC, 72] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Users\Rubo\AppData\Local\Akamai\netsession_win.exe[2684] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Users\Rubo\AppData\Local\Akamai\netsession_win.exe[2684] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Users\Rubo\AppData\Local\Akamai\netsession_win.exe[2840] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Users\Rubo\AppData\Local\Akamai\netsession_win.exe[2840] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 .text C:\Windows\SysWOW64\PnkBstrA.exe[2924] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000072f21a22 2 bytes [F2, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2924] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000072f21ad0 2 bytes [F2, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2924] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000072f21b08 2 bytes [F2, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2924] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000072f21bba 2 bytes [F2, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2924] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000072f21bda 2 bytes [F2, 72] .text C:\Windows\SysWOW64\PnkBstrA.exe[2924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076bd1465 2 bytes [BD, 76] .text C:\Windows\SysWOW64\PnkBstrA.exe[2924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076bd14bb 2 bytes [BD, 76] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\DRIVERS\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff880010ec650] \SystemRoot\System32\Drivers\spxk.sys [unknown section] IAT C:\Windows\system32\DRIVERS\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff880010ec5dc] \SystemRoot\System32\Drivers\spxk.sys [unknown section] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010b735c] \SystemRoot\System32\Drivers\spxk.sys [unknown section] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010b7224] \SystemRoot\System32\Drivers\spxk.sys [unknown section] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010b7a24] \SystemRoot\System32\Drivers\spxk.sys [unknown section] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010b7ba0] \SystemRoot\System32\Drivers\spxk.sys [unknown section] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortCopyMemory] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortCompleteRequest] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortNotification] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortQuerySystemTime] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortReadPortBufferUshort] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortInitialize] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortGetPhysicalAddress] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortStallExecution] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortReadPortUchar] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortDeviceStateChange] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortWritePortUchar] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortEtwTraceLog] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortGetUnCachedExtension] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortWritePortUlong] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortWritePortBufferUshort] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortGetDeviceBase] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortGetScatterGatherList] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortGetParentBusType] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[ataport.SYS!AtaPortRequestCallback] [?] IAT C:\Windows\System32\Drivers\afsoszvp.SYS[NTOSKRNL.exe!KeBugCheckEx] [?] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-6 fffffa80046ec2c0 Device \Driver\atapi \Device\Ide\IdePort4 fffffa80046ec2c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80046ec2c0 Device \Driver\atapi \Device\Ide\IdePort5 fffffa80046ec2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80046ec2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-3 fffffa80046ec2c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80046ec2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 fffffa80046ec2c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80046ec2c0 Device \Driver\afsoszvp \Device\Scsi\afsoszvp1Port6Path0Target0Lun0 fffffa80051a02c0 Device \Driver\afsoszvp \Device\Scsi\afsoszvp1 fffffa80051a02c0 Device \FileSystem\Ntfs \Ntfs fffffa80046f02c0 Device \FileSystem\fastfat \Fat fffffa800446a2c0 Device \Driver\usbehci \Device\USBFDO-7 fffffa80051422c0 Device \Driver\usbuhci \Device\USBPDO-5 fffffa80051442c0 Device \Driver\usbehci \Device\USBFDO-3 fffffa80051422c0 Device \Driver\usbuhci \Device\USBPDO-1 fffffa80051442c0 Device \Driver\cdrom \Device\CdRom0 fffffa8004da82c0 Device \Driver\cdrom \Device\CdRom1 fffffa8004da82c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{9B549B94-F1F2-47BC-A593-3F3A72C56F2B} fffffa8004d802c0 Device \Driver\usbuhci \Device\USBPDO-6 fffffa80051442c0 Device \Driver\usbuhci \Device\USBFDO-4 fffffa80051442c0 Device \Driver\usbuhci \Device\USBFDO-0 fffffa80051442c0 Device \Driver\usbuhci \Device\USBPDO-2 fffffa80051442c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{96D7C0DE-0F2C-417C-BB5F-789B7578D17A} fffffa8004d802c0 Device \Driver\usbehci \Device\USBPDO-7 fffffa80051422c0 Device \Driver\usbuhci \Device\USBFDO-5 fffffa80051442c0 Device \Driver\usbehci \Device\USBPDO-3 fffffa80051422c0 Device \Driver\usbuhci \Device\USBFDO-1 fffffa80051442c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa80046e82c0 Device \Driver\volmgr \Device\FtControl fffffa80046e82c0 Device \Driver\volmgr \Device\VolMgrControl fffffa80046e82c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa80046e82c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa80046e82c0 Device \Driver\volmgr \Device\HarddiskVolume4 fffffa80046e82c0 Device \Driver\volmgr \Device\HarddiskVolume5 fffffa80046e82c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004d802c0 Device \Driver\usbuhci \Device\USBFDO-6 fffffa80051442c0 Device \Driver\usbuhci \Device\USBPDO-4 fffffa80051442c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80046ec2c0 Device \Driver\usbuhci \Device\USBFDO-2 fffffa80051442c0 Device \Driver\usbuhci \Device\USBPDO-0 fffffa80051442c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80046ec2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{35F96A97-C2F5-4833-A63F-6AD923884020} fffffa8004d802c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80046ec2c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80046ec2c0 Device \Driver\atapi \Device\ScsiPort4 fffffa80046ec2c0 Device \Driver\atapi \Device\ScsiPort5 fffffa80046ec2c0 Device \Driver\afsoszvp \Device\ScsiPort6 fffffa80051a02c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80046ec2c0]<< spxk.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa80046ec2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004b02060] fffffa8004b02060 Trace 3 CLASSPNP.SYS[fffff880013b243f] -> nt!IofCallDriver -> [0xfffffa800487f520] fffffa800487f520 Trace 5 ACPI.sys[fffff8800100b781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa8004866060] fffffa8004866060 Trace \Driver\atapi[0xfffffa8004833cb0] -> IRP_MJ_CREATE -> 0xfffffa80046ec2c0 fffffa80046ec2c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\afsoszvp.SYS (ATAPI IDE Miniport Driver/Microsoft Corporation SIGNED)(2009-07-13 23:19:47) fffff88004109000-fffff8800414e000 (282624 bytes) ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x09 0xFF 0x8A 0xB9 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x77 0x5B 0x73 0xA3 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xCD 0x76 0x8E 0x5F ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x09 0xFF 0x8A 0xB9 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x77 0x5B 0x73 0xA3 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xCD 0x76 0x8E 0x5F ... ---- EOF - GMER 2.1 ----