GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-12-17 15:58:19 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-4 WDC_WD800JD-00LSA0 rev.06.01D06 74,53GB Running: vk4kucc1.exe; Driver: C:\Users\win7\AppData\Local\Temp\aftcyaod.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!EngSetLastError + 608 fffff960000d5b30 8 bytes [78, A5, F0, 03, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000105600 7 bytes [00, 63, F3, FF, 41, 71, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000105608 3 bytes [C0, 06, 02] .text ... * 106 .text C:\Windows\System32\win32k.sys!EngGetProcessHandle + 468 fffff960001cd8c8 6 bytes {JMP QWORD [RIP-0xbc916]} ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1828] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075f18781 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001092e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001092c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001093654] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001093a50] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010938ac] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdePort0 fffffa80036a02c0 Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-4 fffffa80036a02c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80036a02c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80036a02c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80036a02c0 Device \FileSystem\Ntfs \Ntfs fffffa80036a42c0 Device \Driver\usbehci \Device\USBPDO-5 fffffa8004bc42c0 Device \Driver\usbohci \Device\USBFDO-3 fffffa8004b242c0 Device \Driver\usbohci \Device\USBPDO-1 fffffa8004b242c0 Device \Driver\usbohci \Device\USBPDO-6 fffffa8004b242c0 Device \Driver\usbohci \Device\USBFDO-4 fffffa8004b242c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa8004b242c0 Device \Driver\usbehci \Device\USBPDO-2 fffffa8004bc42c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa8004b242c0 Device \Driver\usbehci \Device\USBFDO-5 fffffa8004bc42c0 Device \Driver\usbohci \Device\USBPDO-3 fffffa8004b242c0 Device \Driver\usbohci \Device\USBFDO-1 fffffa8004b242c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{15210E97-0B8D-4637-8A6F-1DAD74EEBA5B} fffffa80047fd2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80047fd2c0 Device \Driver\usbohci \Device\USBFDO-6 fffffa8004b242c0 Device \Driver\usbohci \Device\USBPDO-4 fffffa8004b242c0 Device \Driver\usbehci \Device\USBFDO-2 fffffa8004bc42c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80036a02c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa8004b242c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80036a02c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80036a02c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80036a02c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80036a02c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa80036a02c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80047e4060] fffffa80047e4060 Trace 3 CLASSPNP.SYS[fffff880019c843f] -> nt!IofCallDriver -> [0xfffffa8004533d10] fffffa8004533d10 Trace 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-4[0xfffffa80036f0680] fffffa80036f0680 Trace \Driver\atapi[0xfffffa800450fcb0] -> IRP_MJ_CREATE -> 0xfffffa80036a02c0 fffffa80036a02c0 ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [1044:3848] 000007fef22f0184 Thread C:\Windows\system32\svchost.exe [1044:3780] 000007fef22ef9c8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x38 0xAA 0xA0 0xFB ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFC 0xCB 0x31 0x14 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x38 0xAA 0xA0 0xFB ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFC 0xCB 0x31 0x14 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ ---- EOF - GMER 2.1 ----