GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-10 19:06:37
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\0000006d ST1000DM rev.CC47 931,51GB
Running: kjp87yqx.exe; Driver: C:\Users\Wojo\AppData\Local\Temp\aftcaaob.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1296] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000076f21401 2 bytes JMP 7719eb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1296] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000076f21419 2 bytes JMP 771ab513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1296] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000076f21431 2 bytes JMP 77228609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1296] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000076f2144a 2 bytes CALL 77181dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1296] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000076f214dd 2 bytes JMP 77227efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1296] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000076f214f5 2 bytes JMP 772280d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1296] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000076f2150d 2 bytes JMP 77227df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1296] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000076f21525 2 bytes JMP 772281c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1296] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000076f2153d 2 bytes JMP 7719f088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1296] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000076f21555 2 bytes JMP 771ab885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1296] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000076f2156d 2 bytes JMP 772286c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1296] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000076f21585 2 bytes JMP 77228222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1296] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000076f2159d 2 bytes JMP 77227db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1296] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000076f215b5 2 bytes JMP 7719f121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1296] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000076f215cd 2 bytes JMP 771ab29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1296] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000076f216b2 2 bytes JMP 77228584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1296] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000076f216bd 2 bytes JMP 77227d4d C:\Windows\syswow64\kernel32.dll

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001057e94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001057c38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001058614] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001058a10] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800105886c] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Devices - GMER 2.1 ----

Device \FileSystem\Ntfs \Ntfs fffffa80066b52c0
Device \Driver\usbehci \Device\USBPDO-1 fffffa800a6622c0
Device \Driver\iaStorA \Device\RaidPort0 fffffa80066b12c0
Device \Driver\cdrom \Device\CdRom0 fffffa800a3642c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{584419AE-FA84-493C-ABFF-EE8079264AC8} fffffa800a3ef2c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{DB7AE730-ACEC-4C85-8E0C-7FE5028C62A4} fffffa800a3ef2c0
Device \Driver\usbehci \Device\USBFDO-0 fffffa800a6622c0
Device \Driver\usbehci \Device\USBFDO-1 fffffa800a6622c0
Device \Driver\iaStorA \Device\0000006d fffffa80066b12c0
Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800a3ef2c0
Device \Driver\iaStorA \Device\ScsiPort0 fffffa80066b12c0
Device \Driver\usbehci \Device\USBPDO-0 fffffa800a6622c0
Device \Driver\iaStorA \Device\0000006e fffffa80066b12c0

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys iaStorF.sys >>UNKNOWN [0xfffffa80066b12c0]<< sptd.sys storport.sys hal.dll iaStorA.sys fffffa80066b12c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8009a80060] fffffa8009a80060
Trace 3 CLASSPNP.SYS[fffff8800185c43f] -> nt!IofCallDriver -> [0xfffffa80076859a0] fffffa80076859a0
Trace 5 iaStorF.sys[fffff88001801a84] -> nt!IofCallDriver -> \Device\0000006d[0xfffffa80075813d0] fffffa80075813d0
Trace \Driver\iaStorA[0xfffffa8007547640] -> IRP_MJ_CREATE -> 0xfffffa80066b12c0 fffffa80066b12c0

---- Threads - GMER 2.1 ----

Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3344:2280] 000007fefb542a74
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3344:3216] 000007fef12ddc08

---- Processes - GMER 2.1 ----

Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5A08E8B5-3F00-4588-A4C9-2D26F6483DC3}\mpengine.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [3408] (Microsoft Malware Protection Engine/Microsoft Corporation)(2015-02-21 11:51:40) 000007feefb70000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9F 0x76 0x2D 0x93 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0B 0xF8 0x10 0xC9 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9F 0x76 0x2D 0x93 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0B 0xF8 0x10 0xC9 ...

---- EOF - GMER 2.1 ----