GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-18 14:21:21 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 SPCC_Solid_State_Disk rev.N1114B 223,57GB Running: GMER.exe; Driver: C:\Users\user\AppData\Local\Temp\aftcaaob.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[840] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 0000000077a39010 4 bytes [C3, 00, 00, 00] .text C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076441401 2 bytes JMP 7633b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[1984] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076441419 2 bytes JMP 7633b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076441431 2 bytes JMP 763b90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007644144a 2 bytes CALL 763148ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[1984] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764414dd 2 bytes JMP 763b89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764414f5 2 bytes JMP 763b8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[1984] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007644150d 2 bytes JMP 763b88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076441525 2 bytes JMP 763b8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007644153d 2 bytes JMP 7632fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[1984] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076441555 2 bytes JMP 76336937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007644156d 2 bytes JMP 763b91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076441585 2 bytes JMP 763b8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[1984] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007644159d 2 bytes JMP 763b88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764415b5 2 bytes JMP 7632fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764415cd 2 bytes JMP 7633b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764416b2 2 bytes JMP 763b906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[1984] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764416bd 2 bytes JMP 763b8839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[616] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075ca2bdc 5 bytes JMP 0000000000e236f6 .text E:\GRY\Steam\Steam.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076441401 2 bytes JMP 7633b263 C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\Steam.exe[2108] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076441419 2 bytes JMP 7633b38e C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\Steam.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076441431 2 bytes JMP 763b90f1 C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\Steam.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007644144a 2 bytes CALL 763148ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text E:\GRY\Steam\Steam.exe[2108] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764414dd 2 bytes JMP 763b89ea C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\Steam.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764414f5 2 bytes JMP 763b8bc0 C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\Steam.exe[2108] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007644150d 2 bytes JMP 763b88e0 C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\Steam.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076441525 2 bytes JMP 763b8caa C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\Steam.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007644153d 2 bytes JMP 7632fce8 C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\Steam.exe[2108] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076441555 2 bytes JMP 76336937 C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\Steam.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007644156d 2 bytes JMP 763b91a9 C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\Steam.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076441585 2 bytes JMP 763b8d0a C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\Steam.exe[2108] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007644159d 2 bytes JMP 763b88a4 C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\Steam.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764415b5 2 bytes JMP 7632fd81 C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\Steam.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764415cd 2 bytes JMP 7633b324 C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\Steam.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764416b2 2 bytes JMP 763b906c C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\Steam.exe[2108] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764416bd 2 bytes JMP 763b8839 C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\bin\steamwebhelper.exe[3496] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076441401 2 bytes JMP 7633b263 C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\bin\steamwebhelper.exe[3496] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076441419 2 bytes JMP 7633b38e C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\bin\steamwebhelper.exe[3496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076441431 2 bytes JMP 763b90f1 C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\bin\steamwebhelper.exe[3496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007644144a 2 bytes CALL 763148ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text E:\GRY\Steam\bin\steamwebhelper.exe[3496] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764414dd 2 bytes JMP 763b89ea C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\bin\steamwebhelper.exe[3496] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764414f5 2 bytes JMP 763b8bc0 C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\bin\steamwebhelper.exe[3496] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007644150d 2 bytes JMP 763b88e0 C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\bin\steamwebhelper.exe[3496] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076441525 2 bytes JMP 763b8caa C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\bin\steamwebhelper.exe[3496] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007644153d 2 bytes JMP 7632fce8 C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\bin\steamwebhelper.exe[3496] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076441555 2 bytes JMP 76336937 C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\bin\steamwebhelper.exe[3496] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007644156d 2 bytes JMP 763b91a9 C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\bin\steamwebhelper.exe[3496] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076441585 2 bytes JMP 763b8d0a C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\bin\steamwebhelper.exe[3496] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007644159d 2 bytes JMP 763b88a4 C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\bin\steamwebhelper.exe[3496] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764415b5 2 bytes JMP 7632fd81 C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\bin\steamwebhelper.exe[3496] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764415cd 2 bytes JMP 7633b324 C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\bin\steamwebhelper.exe[3496] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764416b2 2 bytes JMP 763b906c C:\Windows\syswow64\kernel32.dll .text E:\GRY\Steam\bin\steamwebhelper.exe[3496] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764416bd 2 bytes JMP 763b8839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076441401 2 bytes JMP 7633b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4140] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076441419 2 bytes JMP 7633b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076441431 2 bytes JMP 763b90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007644144a 2 bytes CALL 763148ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4140] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764414dd 2 bytes JMP 763b89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764414f5 2 bytes JMP 763b8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4140] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007644150d 2 bytes JMP 763b88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076441525 2 bytes JMP 763b8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007644153d 2 bytes JMP 7632fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4140] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076441555 2 bytes JMP 76336937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007644156d 2 bytes JMP 763b91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076441585 2 bytes JMP 763b8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4140] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007644159d 2 bytes JMP 763b88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764415b5 2 bytes JMP 7632fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764415cd 2 bytes JMP 7633b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764416b2 2 bytes JMP 763b906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[4140] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764416bd 2 bytes JMP 763b8839 C:\Windows\syswow64\kernel32.dll ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE8 0x97 0xA1 0x47 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE8 0x97 0xA1 0x47 ... ---- Files - GMER 2.2 ---- File C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\9ca16328d6a19c3bb54d27f819079a24_403aab3f-6e98-403a-afdb-4ccf7214e70b 0 bytes File C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\9de2060aeb86b35820ec195f2e23a278_403aab3f-6e98-403a-afdb-4ccf7214e70b 0 bytes File C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\135635792f19daf25122e58ad5131ee2_403aab3f-6e98-403a-afdb-4ccf7214e70b 0 bytes ---- EOF - GMER 2.2 ----