GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-10-31 08:13:45
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 HGST_HTS721010A9E630 rev.JB0OA3J0 931,51GB
Running: o3siyjjx.exe; Driver: C:\Users\cisu\AppData\Local\Temp\aftcaaog.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88004428d8c 12 bytes {MOV RAX, 0xfffffa80039ee2a0; JMP RAX}

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1928] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000077e31401 2 bytes JMP 778fb21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1928] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000077e31419 2 bytes JMP 778fb346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1928] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000077e31431 2 bytes JMP 77978fd1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1928] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000077e3144a 2 bytes CALL 778d489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1928] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000077e314dd 2 bytes JMP 779788c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1928] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000077e314f5 2 bytes JMP 77978aa0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1928] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000077e3150d 2 bytes JMP 779787ba C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1928] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000077e31525 2 bytes JMP 77978b8a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1928] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000077e3153d 2 bytes JMP 778efca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1928] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000077e31555 2 bytes JMP 778f68ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1928] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000077e3156d 2 bytes JMP 77979089 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1928] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000077e31585 2 bytes JMP 77978bea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1928] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000077e3159d 2 bytes JMP 7797877e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1928] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000077e315b5 2 bytes JMP 778efd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1928] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000077e315cd 2 bytes JMP 778fb2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1928] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000077e316b2 2 bytes JMP 77978f4c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1928] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000077e316bd 2 bytes JMP 77978713 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[3568] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077e31401 2 bytes JMP 778fb21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[3568] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077e31419 2 bytes JMP 778fb346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[3568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077e31431 2 bytes JMP 77978fd1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[3568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077e3144a 2 bytes CALL 778d489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[3568] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077e314dd 2 bytes JMP 779788c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[3568] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077e314f5 2 bytes JMP 77978aa0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[3568] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077e3150d 2 bytes JMP 779787ba C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[3568] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077e31525 2 bytes JMP 77978b8a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[3568] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077e3153d 2 bytes JMP 778efca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[3568] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077e31555 2 bytes JMP 778f68ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[3568] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077e3156d 2 bytes JMP 77979089 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[3568] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077e31585 2 bytes JMP 77978bea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[3568] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077e3159d 2 bytes JMP 7797877e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[3568] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077e315b5 2 bytes JMP 778efd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[3568] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077e315cd 2 bytes JMP 778fb2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[3568] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077e316b2 2 bytes JMP 77978f4c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\OpenOffice.org 2.4\program\soffice.BIN[3568] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077e316bd 2 bytes JMP 77978713 C:\Windows\syswow64\kernel32.dll

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800103df1c] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800103dcc0] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800103e69c] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800103ea98] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800103e8f4] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Devices - GMER 2.1 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80023b92c0
Device \Driver\atapi \Device\Ide\IdePort0 fffffa80023b92c0
Device \Driver\atapi \Device\Ide\IdePort1 fffffa80023b92c0
Device \Driver\atapi \Device\Ide\IdePort2 fffffa80023b92c0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa80023b92c0
Device \FileSystem\Ntfs \Ntfs fffffa80030c92c0
Device \FileSystem\fastfat \Fat fffffa800482f2c0
Device \Driver\usbehci \Device\USBPDO-1 fffffa8003a2f2c0
Device \Driver\cdrom \Device\CdRom0 fffffa800367f2c0
Device \Driver\usbehci \Device\USBFDO-0 fffffa8003a2f2c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{6C9353E0-0BA8-4F6F-A534-2F3648AC1BAF} fffffa80036dd2c0
Device \Driver\usbehci \Device\USBFDO-1 fffffa8003a2f2c0
Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80036dd2c0
Device \Driver\atapi \Device\ScsiPort0 fffffa80023b92c0
Device \Driver\usbehci \Device\USBPDO-0 fffffa8003a2f2c0
Device \Driver\atapi \Device\ScsiPort1 fffffa80023b92c0
Device \Driver\atapi \Device\ScsiPort2 fffffa80023b92c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{535419F0-9005-41C7-89DD-4437E132D30F} fffffa80036dd2c0

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80023b92c0]<< sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa80023b92c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003471060] fffffa8003471060
Trace 3 CLASSPNP.SYS[fffff88001a5143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80031e1680] fffffa80031e1680
Trace \Driver\atapi[0xfffffa80031b8cf0] -> IRP_MJ_CREATE -> 0xfffffa80023b92c0 fffffa80023b92c0

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b6d7fd80
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x29 0xC2 0x7B 0xB5 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b6d7fd80 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x29 0xC2 0x7B 0xB5 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x56 0x45 0x63 0x84 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x90 0x38 0xA6 0x45 ...

---- EOF - GMER 2.1 ----