GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-09-17 13:32:33
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP7T0L0-d TS256GSSD370 rev.N1114B 238,47GB
Running: gmer.exe; Driver: C:\Users\Kratos\AppData\Local\Temp\afrdapob.sys

---- User code sections - GMER 2.1 ----

.text  C:\Windows\SysWOW64\PnkBstrA.exe[1944]  C:\Windows\SysWOW64\WSOCK32.dll!recv + 82  00000000738017fa 2 bytes CALL 752511a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1944]  C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88  0000000073801860 2 bytes CALL 752511a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1944]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98  0000000073801942 2 bytes JMP 764a7089 C:\Windows\syswow64\WS2_32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1944]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109  000000007380194d 2 bytes JMP 764acba6 C:\Windows\syswow64\WS2_32.dll
.text  C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3356]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076a21401 2 bytes JMP 7527b20b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3356]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000076a21419 2 bytes JMP 7527b336 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3356]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000076a21431 2 bytes JMP 752f8f39 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3356]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000076a2144a 2 bytes CALL 75254885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3356]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000076a214dd 2 bytes JMP 752f8832 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3356]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000076a214f5 2 bytes JMP 752f8a08 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3356]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000076a2150d 2 bytes JMP 752f8728 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3356]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076a21525 2 bytes JMP 752f8af2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3356]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000076a2153d 2 bytes JMP 7526fc98 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3356]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000076a21555 2 bytes JMP 752768df C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3356]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000076a2156d 2 bytes JMP 752f8ff1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3356]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000076a21585 2 bytes JMP 752f8b52 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3356]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000076a2159d 2 bytes JMP 752f86ec C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3356]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000076a215b5 2 bytes JMP 7526fd31 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3356]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000076a215cd 2 bytes JMP 7527b2cc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3356]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000076a216b2 2 bytes JMP 752f8eb4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3356]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000076a216bd 2 bytes JMP 752f8681 C:\Windows\syswow64\kernel32.dll

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\system32\winlogon.exe[740] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress] [7fefa742840] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\winlogon.exe[740] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!ReadFile] [7fefa742720] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\winlogon.exe[740] @ C:\Windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress] [7fefa742840] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\winlogon.exe[740] @ C:\Windows\system32\themeservice.dll[KERNEL32.dll!ReadFile] [7fefa742720] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\svchost.exe[1052] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress] [7fefa742840] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\svchost.exe[1052] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!ReadFile] [7fefa742720] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\svchost.exe[1052] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress] [7fefa742840] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\svchost.exe[1052] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!ReadFile] [7fefa742720] c:\windows\system32\uxtuneup.dll

---- Files - GMER 2.1 ----

File  C:\Users\Kratos\AppData\Local\Mozilla\Firefox\Profiles\hj0ynx7e.default\cache2\entries\B14D1EB028BFBEFF249090076A1329D16DF0B4F1  15791 bytes
File  C:\Users\Kratos\AppData\Local\Mozilla\Firefox\Profiles\hj0ynx7e.default\cache2\entries\CD981F7B70757BE5F671524C3BE693371A92C7E1  0 bytes
File  C:\Users\Kratos\AppData\Local\Mozilla\Firefox\Profiles\hj0ynx7e.default\cache2\entries\BF3B4F70C26B5E476023BCFAC17D76339E5FE4B3  0 bytes
File  C:\Users\Kratos\AppData\Local\Mozilla\Firefox\Profiles\hj0ynx7e.default\cache2\entries\122B2F1892C75834D04B81EBE1B2E77AAB7009BB  0 bytes
File  C:\Users\Kratos\AppData\Local\Mozilla\Firefox\Profiles\hj0ynx7e.default\cache2\entries\8A4F9937A5A65FE08F799514C84F27E52E20090F  32282 bytes
File  C:\Users\Kratos\AppData\Local\Mozilla\Firefox\Profiles\hj0ynx7e.default\cache2\entries\7139EDD146E9B01C5714A63B33D7873E1CB45436  4098 bytes
File  C:\Users\Kratos\AppData\Local\Mozilla\Firefox\Profiles\hj0ynx7e.default\cache2\entries\5AAC85CAC96F98537C07461522E0E26951303E07  0 bytes

---- EOF - GMER 2.1 ----
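A GMER log like the one above is easiest to triage once the ".text" (inline code patch), "IAT" (import table) and "File" records are parsed into fields and the hooks are tallied by process and by the module they jump into. The parser below is an added example written for this page; it is not part of GMER or of the scan. The sample records embedded in SAMPLE_LOG are copied from the scan above (with the ".text ... * 9" elision marker GMER emits for omitted similar entries), and the set of "expected" target modules passed to unexpected_targets() is an analyst-supplied assumption, not a verdict on any entry in this log.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Regexes for the three GMER record types that appear in the scan above.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+?)!(?P<export>\S+)\s+\+\s+(?P<off>\d+)"
    r"\s+(?P<addr>[0-9a-fA-F]+)\s+(?P<nbytes>\d+)\s+bytes\s+(?P<instr>JMP|CALL)"
    r"\s+(?P<target>[0-9a-fA-F]+)\s+(?P<target_mod>\S+)\s*$"
)
ELIDED_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s*(?P<n>\d+)\s*$")  # ".text ... * 9": 9 similar entries omitted
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>.+?)\[(?P<import_dll>[^!\]]+)!(?P<func>[^\]]+)\]"
    r"\s+\[(?P<target>[0-9a-fA-F]+)\]\s+(?P<target_mod>\S+)\s*$"
)
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+)\s+bytes\s*$")


@dataclass(frozen=True)
class Hook:
    kind: str           # "inline" for ".text" entries, "iat" for IAT entries
    process: str        # full image path of the hooked process
    pid: int
    hooked: str         # "<dll>!<function>" whose code or import slot was patched
    target_module: str  # lower-cased basename of the module the hook points into


def _base(path: str) -> str:
    """Last path component, accepting Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_gmer(text: str):
    """Parse GMER hook and file records; returns (hooks, files, elided_count).

    Section banners ('---- ... ----'), header lines and unknown records are skipped.
    """
    hooks, files, elided = [], [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOOK_RE.match(line):
            hooks.append(Hook("inline", m["proc"], int(m["pid"]),
                              f"{_base(m['module'])}!{m['export']}",
                              _base(m["target_mod"]).lower()))
        elif m := ELIDED_RE.match(line):
            elided += int(m["n"])
        elif m := IAT_RE.match(line):
            hooks.append(Hook("iat", m["proc"], int(m["pid"]),
                              f"{m['import_dll']}!{m['func']}",
                              _base(m["target_mod"]).lower()))
        elif m := FILE_RE.match(line):
            files.append((m["path"], int(m["size"])))
    return hooks, files, elided


def hook_targets_by_process(hooks):
    """Count hooks per (process basename, kind, target module) for a quick triage table."""
    counts = Counter()
    for h in hooks:
        counts[(_base(h.process).lower(), h.kind, h.target_module)] += 1
    return counts


def unexpected_targets(hooks, expected_targets):
    """Hooks whose target module is outside the analyst-supplied set of modules
    already accounted for (the set is an assumption the analyst makes, not a verdict)."""
    return [h for h in hooks if h.target_module not in expected_targets]


# Constructed sample: a subset of the records from the scan above, one record per line.
SAMPLE_LOG = r"""
---- User code sections - GMER 2.1 ----
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1944]  C:\Windows\SysWOW64\WSOCK32.dll!recv + 82  00000000738017fa 2 bytes CALL 752511a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1944]  C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98  0000000073801942 2 bytes JMP 764a7089 C:\Windows\syswow64\WS2_32.dll
.text  C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3356]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000076a21401 2 bytes JMP 7527b20b C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
---- User IAT/EAT - GMER 2.1 ----
IAT  C:\Windows\system32\winlogon.exe[740] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress] [7fefa742840] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\svchost.exe[1052] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!ReadFile] [7fefa742720] c:\windows\system32\uxtuneup.dll
---- Files - GMER 2.1 ----
File  C:\Users\Kratos\AppData\Local\Mozilla\Firefox\Profiles\hj0ynx7e.default\cache2\entries\B14D1EB028BFBEFF249090076A1329D16DF0B4F1  15791 bytes
File  C:\Users\Kratos\AppData\Local\Mozilla\Firefox\Profiles\hj0ynx7e.default\cache2\entries\CD981F7B70757BE5F671524C3BE693371A92C7E1  0 bytes
"""

if __name__ == "__main__":
    hooks, files, elided = parse_gmer(SAMPLE_LOG)
    for key, n in sorted(hook_targets_by_process(hooks).items()):
        print(f"{key[0]:<14} {key[1]:<7} -> {key[2]:<14} x{n}")
    print(f"{elided} similar inline entries elided by GMER; {len(files)} file records")
    for h in unexpected_targets(hooks, {"kernel32.dll", "ws2_32.dll"}):
        print("review:", _base(h.process), h.hooked, "->", h.target_module)
```

Run it against the full log (read the file and pass its text to parse_gmer) to get one line per process and target module instead of thirty near-identical records. The grouping is only a first cut: a 2-byte JMP or CALL whose target lies in another system DLL is the pattern export forwarding produces (psapi.dll and wsock32.dll both forward most of their exports on this Windows version), but confirming that for a given entry means checking the forwarded export and the signature and on-disk hash of the target module, and the IAT entries in winlogon.exe and svchost.exe that resolve into uxtuneup.dll need the same check. The log records the hooks; it does not say which are benign.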