GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-06 17:03:24 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK6475GSX rev.GT001M 596,17GB Running: lem86rpe.exe; Driver: C:\Users\user\AppData\Local\Temp\aftcaaob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002bad000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff80002bad02f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\avastui.exe[1824] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075dc8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files (x86)\ClickCaption_1.10.0.5\Service\ccsvc.exe[1300] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077451401 2 bytes JMP 75deb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ClickCaption_1.10.0.5\Service\ccsvc.exe[1300] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077451419 2 bytes JMP 75deb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ClickCaption_1.10.0.5\Service\ccsvc.exe[1300] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077451431 2 bytes JMP 75e68ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ClickCaption_1.10.0.5\Service\ccsvc.exe[1300] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007745144a 2 bytes CALL 75dc48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\ClickCaption_1.10.0.5\Service\ccsvc.exe[1300] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774514dd 2 bytes JMP 75e687a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ClickCaption_1.10.0.5\Service\ccsvc.exe[1300] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774514f5 2 bytes JMP 75e68978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ClickCaption_1.10.0.5\Service\ccsvc.exe[1300] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007745150d 2 bytes JMP 75e68698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ClickCaption_1.10.0.5\Service\ccsvc.exe[1300] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077451525 2 bytes JMP 75e68a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ClickCaption_1.10.0.5\Service\ccsvc.exe[1300] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007745153d 2 bytes JMP 75ddfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ClickCaption_1.10.0.5\Service\ccsvc.exe[1300] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077451555 2 bytes JMP 75de68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ClickCaption_1.10.0.5\Service\ccsvc.exe[1300] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007745156d 2 bytes JMP 75e68f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ClickCaption_1.10.0.5\Service\ccsvc.exe[1300] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077451585 2 bytes JMP 75e68ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ClickCaption_1.10.0.5\Service\ccsvc.exe[1300] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007745159d 2 bytes JMP 75e6865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ClickCaption_1.10.0.5\Service\ccsvc.exe[1300] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774515b5 2 bytes JMP 75ddfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ClickCaption_1.10.0.5\Service\ccsvc.exe[1300] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774515cd 2 bytes JMP 75deb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ClickCaption_1.10.0.5\Service\ccsvc.exe[1300] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774516b2 2 bytes JMP 75e68e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ClickCaption_1.10.0.5\Service\ccsvc.exe[1300] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774516bd 2 bytes JMP 75e685f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077451401 2 bytes JMP 75deb21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1972] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077451419 2 bytes JMP 75deb346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077451431 2 bytes JMP 75e68ea9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007745144a 2 bytes CALL 75dc48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1972] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000774514dd 2 bytes JMP 75e687a2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000774514f5 2 bytes JMP 75e68978 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1972] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007745150d 2 bytes JMP 75e68698 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077451525 2 bytes JMP 75e68a62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007745153d 2 bytes JMP 75ddfca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1972] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077451555 2 bytes JMP 75de68ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007745156d 2 bytes JMP 75e68f61 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077451585 2 bytes JMP 75e68ac2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1972] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007745159d 2 bytes JMP 75e6865c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000774515b5 2 bytes JMP 75ddfd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000774515cd 2 bytes JMP 75deb2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000774516b2 2 bytes JMP 75e68e24 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000774516bd 2 bytes JMP 75e685f1 C:\Windows\syswow64\kernel32.dll .text C:\Users\user\Downloads\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExW + 17 0000000077451401 2 bytes JMP 75deb21b C:\Windows\syswow64\kernel32.dll .text C:\Users\user\Downloads\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!EnumProcessModules + 17 0000000077451419 2 bytes JMP 75deb346 C:\Windows\syswow64\kernel32.dll .text C:\Users\user\Downloads\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 17 0000000077451431 2 bytes JMP 75e68ea9 C:\Windows\syswow64\kernel32.dll .text C:\Users\user\Downloads\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 42 000000007745144a 2 bytes CALL 75dc48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\user\Downloads\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!EnumDeviceDrivers + 17 00000000774514dd 2 bytes JMP 75e687a2 C:\Windows\syswow64\kernel32.dll .text C:\Users\user\Downloads\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameA + 17 00000000774514f5 2 bytes JMP 75e68978 C:\Windows\syswow64\kernel32.dll .text C:\Users\user\Downloads\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSetEx + 17 000000007745150d 2 bytes JMP 75e68698 C:\Windows\syswow64\kernel32.dll .text C:\Users\user\Downloads\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameW + 17 0000000077451525 2 bytes JMP 75e68a62 C:\Windows\syswow64\kernel32.dll .text C:\Users\user\Downloads\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameW + 17 000000007745153d 2 bytes JMP 75ddfca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\user\Downloads\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!EnumProcesses + 17 0000000077451555 2 bytes JMP 75de68ef C:\Windows\syswow64\kernel32.dll .text C:\Users\user\Downloads\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetProcessMemoryInfo + 17 000000007745156d 2 bytes JMP 75e68f61 C:\Windows\syswow64\kernel32.dll .text C:\Users\user\Downloads\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetPerformanceInfo + 17 0000000077451585 2 bytes JMP 75e68ac2 C:\Windows\syswow64\kernel32.dll .text C:\Users\user\Downloads\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSet + 17 000000007745159d 2 bytes JMP 75e6865c C:\Windows\syswow64\kernel32.dll .text C:\Users\user\Downloads\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameA + 17 00000000774515b5 2 bytes JMP 75ddfd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\user\Downloads\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExA + 17 00000000774515cd 2 bytes JMP 75deb2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\user\Downloads\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 20 00000000774516b2 2 bytes JMP 75e68e24 C:\Windows\syswow64\kernel32.dll .text C:\Users\user\Downloads\OTL.exe[2172] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 31 00000000774516bd 2 bytes JMP 75e685f1 C:\Windows\syswow64\kernel32.dll ---- Files - GMER 2.1 ---- File C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\mzl5xuun.default\cache2\entries\8FE106E15FC15667F3CBCB7BD4913E508A9EAAEB 3309 bytes File C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\mzl5xuun.default\cache2\entries\D6B06B294B5AE95827B8140619B2D8108EFDAAA2 3307 bytes File C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\mzl5xuun.default\cache2\entries\28E984440A6A0F5C7ECC4F6D7F19B38049F11133 3447 bytes File C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\mzl5xuun.default\cache2\entries\4CB65FDA10CE67A813A552291B6E04BB54EB7573 3290 bytes File C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\mzl5xuun.default\cache2\entries\164C30879B23DBF3E97B6C29D69A3F6DE983BFE4 3271 bytes ---- EOF - GMER 2.1 ----