GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-07-31 23:22:26
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 HGST_HTS545050A7E680 rev.GR2OA230 465,76GB
Running: 899fijmx.exe; Driver: C:\Users\User\AppData\Local\Temp\aftcaaob.sys

---- User code sections - GMER 2.2 ----

.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2496] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000757d1401 2 bytes JMP 766cb263 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2496] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000757d1419 2 bytes JMP 766cb38e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000757d1431 2 bytes JMP 767490f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000757d144a 2 bytes CALL 766a48ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2496] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000757d14dd 2 bytes JMP 767489ea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2496] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000757d14f5 2 bytes JMP 76748bc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2496] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000757d150d 2 bytes JMP 767488e0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2496] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000757d1525 2 bytes JMP 76748caa C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2496] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000757d153d 2 bytes JMP 766bfce8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2496] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000757d1555 2 bytes JMP 766c6937 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2496] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000757d156d 2 bytes JMP 767491a9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2496] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000757d1585 2 bytes JMP 76748d0a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2496] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000757d159d 2 bytes JMP 767488a4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2496] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000757d15b5 2 bytes JMP 766bfd81 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2496] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000757d15cd 2 bytes JMP 766cb324 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2496] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000757d16b2 2 bytes JMP 7674906c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2496] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000757d16bd 2 bytes JMP 76748839 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000757d1401 2 bytes JMP 766cb263 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000757d1419 2 bytes JMP 766cb38e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000757d1431 2 bytes JMP 767490f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000757d144a 2 bytes CALL 766a48ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000757d14dd 2 bytes JMP 767489ea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000757d14f5 2 bytes JMP 76748bc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000757d150d 2 bytes JMP 767488e0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000757d1525 2 bytes JMP 76748caa C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000757d153d 2 bytes JMP 766bfce8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000757d1555 2 bytes JMP 766c6937 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000757d156d 2 bytes JMP 767491a9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000757d1585 2 bytes JMP 76748d0a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000757d159d 2 bytes JMP 767488a4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000757d15b5 2 bytes JMP 766bfd81 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000757d15cd 2 bytes JMP 766cb324 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000757d16b2 2 bytes JMP 7674906c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[5472] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000757d16bd 2 bytes JMP 76748839 C:\Windows\syswow64\kernel32.dll

---- Kernel IAT/EAT - GMER 2.2 ----

IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800107de94] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800107dc38] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800107e654] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800107ea50] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800107e8ac] \SystemRoot\System32\Drivers\sptd.sys [.text]

---- Devices - GMER 2.2 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa800428c2c0
Device \Driver\atapi \Device\Ide\IdePort0 fffffa800428c2c0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-4 fffffa800428c2c0
Device \Driver\atapi \Device\Ide\IdePort1 fffffa800428c2c0
Device \Driver\atapi \Device\Ide\IdePort2 fffffa800428c2c0
Device \Driver\atapi \Device\Ide\IdePort3 fffffa800428c2c0
Device \Driver\b57xdmp \Device\Scsi\b57xdmp1 fffffa8005aac2c0
Device \Driver\atev6s0b \Device\Scsi\atev6s0b1Port7Path0Target0Lun0 fffffa80059172c0
Device \Driver\atev6s0b \Device\Scsi\atev6s0b1 fffffa80059172c0
Device \Driver\bScsiSDa \Device\Scsi\bScsiSDa1 fffffa80059032c0
Device \Driver\bScsiMSa \Device\Scsi\bScsiMSa1 fffffa80059052c0
Device \FileSystem\Ntfs \Ntfs fffffa80042902c0
Device \Driver\atev6s0b \Device\ScsiPort7 fffffa80059172c0
Device \Driver\usbehci \Device\USBPDO-1 fffffa80057f12c0
Device \Driver\cdrom \Device\CdRom0 fffffa80055712c0
Device \Driver\cdrom \Device\CdRom1 fffffa80055712c0
Device \Driver\usbehci \Device\USBFDO-0 fffffa80057f12c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{54C3B43E-0C57-40AE-A85A-DDA7195DBCF1} fffffa80055a32c0
Device \Driver\usbehci \Device\USBFDO-1 fffffa80057f12c0
Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80055a32c0
Device \Driver\atapi \Device\ScsiPort0 fffffa800428c2c0
Device \Driver\usbehci \Device\USBPDO-0 fffffa80057f12c0
Device \Driver\atapi \Device\ScsiPort1 fffffa800428c2c0
Device \Driver\atapi \Device\ScsiPort2 fffffa800428c2c0
Device \Driver\atapi \Device\ScsiPort3 fffffa800428c2c0
Device \Driver\bScsiSDa \Device\ScsiPort4 fffffa80059032c0
Device \Driver\NetBT \Device\NetBT_Tcpip_{D4941C3E-772F-47F1-819B-7DC0EBB302B6} fffffa80055a32c0
Device \Driver\bScsiMSa \Device\ScsiPort5 fffffa80059052c0
Device \Driver\b57xdmp \Device\ScsiPort6 fffffa8005aac2c0

---- Trace I/O - GMER 2.2 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800428c2c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa800428c2c0
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800529b060] fffffa800529b060
Trace 3 CLASSPNP.SYS[fffff8800140143f] -> nt!IofCallDriver -> [0xfffffa8004d7bcf0] fffffa8004d7bcf0
Trace 5 ACPI.sys[fffff880011a27a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004d7e680] fffffa8004d7e680
Trace \Driver\atapi[0xfffffa8004d26860] -> IRP_MJ_CREATE -> 0xfffffa800428c2c0 fffffa800428c2c0

---- Modules - GMER 2.2 ----

Module \SystemRoot\System32\Drivers\atev6s0b.SYS fffff88004536000-fffff88004583000 (315392 bytes)

---- Processes - GMER 2.2 ----

Library C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{556E86D3-B648-46D6-B025-D674F9031EC6}\mpengine.dll (*** suspicious ***) @ C:\Program Files\Microsoft Security Client\MsMpEng.exe [992] (Microsoft Malware Protection Engine/Microsoft Corporation SIGNED)(2016-07-27 16:08:02) 000007fefa3c0000
Library C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{556E86D3-B648-46D6-B025-D674F9031EC6}\offreg.992.dll (*** suspicious ***) @ C:\Program Files\Microsoft Security Client\MsMpEng.exe [992] (Offline registry DLL/Microsoft Corporation SIGNED)(2016-07-31 20:18:13) 000007feeded0000

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x06 0x10 0x8F 0x0C ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x5A 0xEC 0x01 0x7F ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x6A 0xB5 0x8E 0x31 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x06 0x10 0x8F 0x0C ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x5A 0xEC 0x01 0x7F ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x6A 0xB5 0x8E 0x31 ...

---- EOF - GMER 2.2 ----