GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-11-03 22:27:58
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 WDC_WD10EZEX-00RKKA0 rev.80.00A80 931,51GB
Running: gmer.exe; Driver: C:\Users\User\AppData\Local\Temp\aftcaaob.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[1896] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f71465 2 bytes [F7, 74]
.text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[1896] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f714bb 2 bytes [F7, 74]
.text ... * 2
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2036] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f71465 2 bytes [F7, 74]
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2036] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f714bb 2 bytes [F7, 74]
.text ... * 2
.text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000071851a22 2 bytes [85, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000071851ad0 2 bytes [85, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000071851b08 2 bytes [85, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000071851bba 2 bytes [85, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000071851bda 2 bytes [85, 71]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f71465 2 bytes [F7, 74]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f714bb 2 bytes [F7, 74]
.text ... * 2
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3960] C:\Windows\syswow64\USER32.dll!GetMenu + 412 0000000075fd51dd 7 bytes JMP 000000011003ac50
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3960] C:\Windows\syswow64\USER32.dll!PeekMessageA + 407 0000000075fd610b 7 bytes JMP 000000011003b000
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3960] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW + 131 0000000075fdc6c1 7 bytes JMP 000000011003abc0
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3960] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA + 199 000000007601fc98 7 bytes JMP 000000011003af50
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3960] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW + 52 000000007601fcd1 7 bytes JMP 000000011003adf0
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3960] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 31 000000007601fcf5 7 bytes JMP 000000011003af00
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f71465 2 bytes [F7, 74]
.text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f714bb 2 bytes [F7, 74]
.text ... * 2
.text D:\Program Files\Steam\Steam.exe[3980] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000074f71465 2 bytes [F7, 74]
.text D:\Program Files\Steam\Steam.exe[3980] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000074f714bb 2 bytes [F7, 74]
.text ... * 2
.text D:\Program Files\Steam\bin\steamwebhelper.exe[4796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f71465 2 bytes [F7, 74]
.text D:\Program Files\Steam\bin\steamwebhelper.exe[4796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f714bb 2 bytes [F7, 74]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[2084] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000074f71465 2 bytes [F7, 74]
.text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[2084] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000074f714bb 2 bytes [F7, 74]
.text ... * 2
.text C:\Program Files (x86)\BitTorrent\BitTorrent.exe[4208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f71465 2 bytes [F7, 74]
.text C:\Program Files (x86)\BitTorrent\BitTorrent.exe[4208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f714bb 2 bytes [F7, 74]
.text ... * 2
.text D:\Program Files\Steam\bin\steamwebhelper.exe[4552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f71465 2 bytes [F7, 74]
.text D:\Program Files\Steam\bin\steamwebhelper.exe[4552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f714bb 2 bytes [F7, 74]
.text ... * 2
.text D:\Program Files\Steam\bin\steamwebhelper.exe[2168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f71465 2 bytes [F7, 74]
.text D:\Program Files\Steam\bin\steamwebhelper.exe[2168] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f714bb 2 bytes [F7, 74]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f71465 2 bytes [F7, 74]
.text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f714bb 2 bytes [F7, 74]
.text ... * 2

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef326741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef3265f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef3265674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef3265e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef3267f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef3266a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef3266ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef3267b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef3267ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef32678b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef3264fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef3265d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2760] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef3267584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Processes - GMER 2.1 ----

Process C:\Users\User\AppData\Roaming\TornTV.com\TornTVSvc.exe (*** suspicious ***) @ C:\Users\User\AppData\Roaming\TornTV.com\TornTVSvc.exe [2532](2014-10-22 13:08:36) 0000000000880000
Process C:\Users\User\AppData\Local\Temp\Rar$EXa0.013\gmer.exe (*** suspicious ***) @ C:\Users\User\AppData\Local\Temp\Rar$EXa0.013\gmer.exe [4504](2014-11-03 18:57:36) 0000000000400000

---- EOF - GMER 2.1 ----