GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-08-23 10:24:07 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST31000524NS rev.SN11 931,51GB Running: zje1qj73.exe; Driver: C:\Users\Fifi\AppData\Local\Temp\aftcyaoc.sys ---- Kernel code sections - GMER 2.2 ---- PAGE C:\Windows\system32\drivers\ataport.SYS!DllUnload fffff88000e394a0 12 bytes {MOV RAX, 0xfffffa80069ac2a0; JMP RAX} .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88004275c34 12 bytes {MOV RAX, 0xfffffa80082642a0; JMP RAX} ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe[1744] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 0000000075521465 2 bytes [52, 75] .text C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe[1744] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 00000000755214bb 2 bytes [52, 75] .text ... * 2 .text C:\Users\Fifi\AppData\Roaming\Geunfy\Yurejjaeb.exe[2440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075521465 2 bytes [52, 75] .text C:\Users\Fifi\AppData\Roaming\Geunfy\Yurejjaeb.exe[2440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755214bb 2 bytes [52, 75] .text ... * 2 .text C:\Users\Fifi\AppData\Roaming\Hemkajdoa\Sejheb.exe[2460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075521465 2 bytes [52, 75] .text C:\Users\Fifi\AppData\Roaming\Hemkajdoa\Sejheb.exe[2460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755214bb 2 bytes [52, 75] .text ... * 2 .text C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe[2604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075521465 2 bytes [52, 75] .text C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe[2604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755214bb 2 bytes [52, 75] .text ... * 2 .text C:\Program Files (x86)\Steam\Steam.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075521465 2 bytes [52, 75] .text C:\Program Files (x86)\Steam\Steam.exe[2620] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755214bb 2 bytes [52, 75] .text ... * 2 .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075521465 2 bytes [52, 75] .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[1560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755214bb 2 bytes [52, 75] .text ... * 2 .text C:\PROGRA~2\RAPTRI~1\Raptr\raptr_im.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075521465 2 bytes [52, 75] .text C:\PROGRA~2\RAPTRI~1\Raptr\raptr_im.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755214bb 2 bytes [52, 75] .text ... * 2 .text C:\Program Files\Yhid\Ezolbusp.exe[3320] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075521465 2 bytes [52, 75] .text C:\Program Files\Yhid\Ezolbusp.exe[3320] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755214bb 2 bytes [52, 75] .text ... * 2 .text G:\00-Diagnostyka\zje1qj73.exe[4680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075521465 2 bytes [52, 75] .text G:\00-Diagnostyka\zje1qj73.exe[4680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755214bb 2 bytes [52, 75] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff880010a3650] \SystemRoot\System32\Drivers\spqg.sys [unknown section] IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff880010a35dc] \SystemRoot\System32\Drivers\spqg.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800106e35c] \SystemRoot\System32\Drivers\spqg.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800106e224] \SystemRoot\System32\Drivers\spqg.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800106ea24] \SystemRoot\System32\Drivers\spqg.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800106eba0] \SystemRoot\System32\Drivers\spqg.sys [unknown section] ---- Devices - GMER 2.2 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80069b42c0 Device \Driver\atapi \Device\Ide\IdePort4 fffffa80069b42c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80069b42c0 Device \Driver\atapi \Device\Ide\IdePort5 fffffa80069b42c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80069b42c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80069b42c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa80069b42c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80069b42c0 Device \Driver\aaktoakp \Device\Scsi\aaktoakp1Port6Path0Target0Lun0 fffffa80082622c0 Device \Driver\aaktoakp \Device\Scsi\aaktoakp1 fffffa80082622c0 Device \FileSystem\Ntfs \Ntfs fffffa8006a972c0 Device \Driver\usbehci \Device\USBPDO-5 fffffa800826b2c0 Device \Driver\usbohci \Device\USBFDO-3 fffffa80082662c0 Device \Driver\usbohci \Device\USBPDO-1 fffffa80082662c0 Device \Driver\cdrom \Device\CdRom0 fffffa80079bd2c0 Device \Driver\cdrom \Device\CdRom1 fffffa80079bd2c0 Device \Driver\usbohci \Device\USBPDO-6 fffffa80082662c0 Device \Driver\usbohci \Device\USBFDO-4 fffffa80082662c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa80082662c0 Device \Driver\usbehci \Device\USBPDO-2 fffffa800826b2c0 Device \Driver\usbehci \Device\USBFDO-5 fffffa800826b2c0 Device \Driver\usbohci \Device\USBPDO-3 fffffa80082662c0 Device \Driver\usbohci \Device\USBFDO-1 fffffa80082662c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa80069b02c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{9302CA0F-D189-4E6A-ADF3-BA372C9B8881} fffffa8007fc02c0 Device \Driver\volmgr \Device\FtControl fffffa80069b02c0 Device \Driver\volmgr \Device\VolMgrControl fffffa80069b02c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa80069b02c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa80069b02c0 Device \Driver\volmgr \Device\HarddiskVolume4 fffffa80069b02c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8007fc02c0 Device \Driver\usbohci \Device\USBFDO-6 fffffa80082662c0 Device \Driver\usbohci \Device\USBPDO-4 fffffa80082662c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80069b42c0 Device \Driver\usbehci \Device\USBFDO-2 fffffa800826b2c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa80082662c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80069b42c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80069b42c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80069b42c0 Device \Driver\atapi \Device\ScsiPort4 fffffa80069b42c0 Device \Driver\atapi \Device\ScsiPort5 fffffa80069b42c0 Device \Driver\aaktoakp \Device\ScsiPort6 fffffa80082622c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80069b42c0]<< spqg.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys fffffa80069b42c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007b96060] fffffa8007b96060 Trace 3 CLASSPNP.SYS[fffff8800181743f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8007a81680] fffffa8007a81680 Trace \Driver\atapi[0xfffffa8006ae1060] -> IRP_MJ_CREATE -> 0xfffffa80069b42c0 fffffa80069b42c0 ---- Modules - GMER 2.2 ---- Module \SystemRoot\System32\Drivers\aaktoakp.SYS fffff8801473d000-fffff88014782000 (282624 bytes) ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2E 0x4D 0x2C 0xAA ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB2 0x09 0x44 0x45 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xB3 0x89 0x60 0xB3 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2E 0x4D 0x2C 0xAA ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB2 0x09 0x44 0x45 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xB3 0x89 0x60 0xB3 ... ---- EOF - GMER 2.2 ----