GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-12-03 19:31:30
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000063 ATA_____ rev.1A01 931,51GB
Running: be9i0ing.exe; Driver: C:\Users\User\AppData\Local\Temp\aftcaaob.sys

---- User code sections - GMER 2.1 ----

.text  C:\Windows\SysWOW64\rundll32.exe[2708] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69   00000000771d1465 2 bytes [1D, 77]
.text  C:\Windows\SysWOW64\rundll32.exe[2708] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  00000000771d14bb 2 bytes [1D, 77]
.text  ...  * 2
.text  C:\Windows\SysWOW64\rundll32.exe[2708] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathW + 26    00000000737813c6 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[2708] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathW + 74    00000000737813f6 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[2708] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathW + 257   00000000737814ad 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[2708] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathW + 303   00000000737814db 2 bytes [78, 73]
.text  ...  * 2
.text  C:\Windows\SysWOW64\rundll32.exe[2708] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathA + 79    0000000073781577 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[2708] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathA + 175   00000000737815d7 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[2708] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathA + 620   0000000073781794 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[2708] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathA + 921   00000000737818c1 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[2708] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 322          0000000073511a22 2 bytes [51, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[2708] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 496          0000000073511ad0 2 bytes [51, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[2708] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 552          0000000073511b08 2 bytes [51, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[2708] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 730          0000000073511bba 2 bytes [51, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[2708] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 762          0000000073511bda 2 bytes [51, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[4016] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69   00000000771d1465 2 bytes [1D, 77]
.text  C:\Windows\SysWOW64\rundll32.exe[4016] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  00000000771d14bb 2 bytes [1D, 77]
.text  ...  * 2
.text  C:\Windows\SysWOW64\rundll32.exe[4016] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathW + 26    00000000737813c6 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[4016] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathW + 74    00000000737813f6 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[4016] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathW + 257   00000000737814ad 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[4016] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathW + 303   00000000737814db 2 bytes [78, 73]
.text  ...  * 2
.text  C:\Windows\SysWOW64\rundll32.exe[4016] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathA + 79    0000000073781577 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[4016] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathA + 175   00000000737815d7 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[4016] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathA + 620   0000000073781794 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[4016] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathA + 921   00000000737818c1 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[4016] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 322          0000000073511a22 2 bytes [51, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[4016] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 496          0000000073511ad0 2 bytes [51, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[4016] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 552          0000000073511b08 2 bytes [51, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[4016] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 730          0000000073511bba 2 bytes [51, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[4016] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 762          0000000073511bda 2 bytes [51, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1228] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69   00000000771d1465 2 bytes [1D, 77]
.text  C:\Windows\SysWOW64\rundll32.exe[1228] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  00000000771d14bb 2 bytes [1D, 77]
.text  ...  * 2
.text  C:\Windows\SysWOW64\rundll32.exe[1228] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathW + 26    00000000737813c6 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1228] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathW + 74    00000000737813f6 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1228] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathW + 257   00000000737814ad 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1228] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathW + 303   00000000737814db 2 bytes [78, 73]
.text  ...  * 2
.text  C:\Windows\SysWOW64\rundll32.exe[1228] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathA + 79    0000000073781577 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1228] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathA + 175   00000000737815d7 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1228] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathA + 620   0000000073781794 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1228] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathA + 921   00000000737818c1 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1228] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 322          0000000073511a22 2 bytes [51, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1228] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 496          0000000073511ad0 2 bytes [51, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1228] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 552          0000000073511b08 2 bytes [51, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1228] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 730          0000000073511bba 2 bytes [51, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1228] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 762          0000000073511bda 2 bytes [51, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1548] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69   00000000771d1465 2 bytes [1D, 77]
.text  C:\Windows\SysWOW64\rundll32.exe[1548] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  00000000771d14bb 2 bytes [1D, 77]
.text  ...  * 2
.text  C:\Windows\SysWOW64\rundll32.exe[1548] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathW + 26    00000000737813c6 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1548] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathW + 74    00000000737813f6 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1548] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathW + 257   00000000737814ad 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1548] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathW + 303   00000000737814db 2 bytes [78, 73]
.text  ...  * 2
.text  C:\Windows\SysWOW64\rundll32.exe[1548] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathA + 79    0000000073781577 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1548] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathA + 175   00000000737815d7 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1548] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathA + 620   0000000073781794 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1548] C:\Windows\SysWOW64\SHFolder.dll!SHGetFolderPathA + 921   00000000737818c1 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1548] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 322          0000000073511a22 2 bytes [51, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1548] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 496          0000000073511ad0 2 bytes [51, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1548] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 552          0000000073511b08 2 bytes [51, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1548] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 730          0000000073511bba 2 bytes [51, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1548] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 762          0000000073511bda 2 bytes [51, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1548] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35           00000000737311a8 2 bytes [73, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1548] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21     00000000737313a8 2 bytes [73, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1548] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21         0000000073731422 2 bytes [73, 73]
.text  C:\Windows\SysWOW64\rundll32.exe[1548] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19  0000000073731498 2 bytes [73, 73]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\SysWOW64\rundll32.exe [1548:2784]                  0000000002ea4720
Thread  C:\Windows\SysWOW64\rundll32.exe [1548:2012]                  0000000002ffb7ac
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [776:3624]  000007fefb692ab8
Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [776:3500]  000007feef0fd618
Thread  C:\Windows\System32\svchost.exe [1396:3212]                   000007fef3959688

---- Processes - GMER 2.1 ----

Library  c:\progra~3\df3a289.dot (*** suspicious ***) @ C:\Windows\system32\svchost.exe [744] (Non-COM WMI Event Provision APIs/Microsoft Corporation)(2014-09-07 05:04:10)  00000000719e0000
Library  c:\progra~3\df3a289.dot (*** suspicious ***) @ C:\Windows\Explorer.EXE [3060] (Non-COM WMI Event Provision APIs/Microsoft Corporation)(2014-09-07 05:04:10)  00000000719e0000
Library  c:\progra~3\982a3fd.cpp (*** suspicious ***) @ C:\Windows\SysWOW64\rundll32.exe [2708](2014-09-07 05:02:08)  0000000073740000
Library  C:\PROGRA~3\982A3FD.cpp (*** suspicious ***) @ C:\Windows\SysWOW64\rundll32.exe [4016](2014-09-07 05:02:08)  0000000073740000
Library  C:\PROGRA~3\982A3FD.cpp (*** suspicious ***) @ C:\Windows\SysWOW64\rundll32.exe [1228](2014-09-07 05:02:08)  0000000073740000
Library  c:\progra~3\982a3fd.cpp (*** suspicious ***) @ C:\Windows\SysWOW64\rundll32.exe [1548](2014-09-07 05:02:08)  0000000073740000

---- EOF - GMER 2.1 ----