GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-10-24 11:41:15
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000071 ST1000DM rev.CC49 931,51GB
Running: hl13j9x6.exe; Driver: C:\Users\Mati\AppData\Local\Temp\aftciaoc.sys

---- User code sections - GMER 2.1 ----

.text ... * 9
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\kernel32.dll!LoadLibraryA 0000000075a7498f 5 bytes JMP 00000001713cc730
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\kernel32.dll!LoadLibraryExA 0000000075a748cb 5 bytes JMP 00000001713cc910
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 0000000075a74915 5 bytes JMP 00000001713cca10
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\kernel32.dll!LoadLibraryW 0000000075a748e3 5 bytes JMP 00000001713cc820
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075db9d0b 5 bytes JMP 00000001713cf6f0
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755114dd 2 bytes JMP 75b188c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075511555 2 bytes JMP 75a968ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075511419 2 bytes JMP 75a9b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755114f5 2 bytes JMP 75b18aa0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075511525 2 bytes JMP 75b18b8a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755115b5 2 bytes JMP 75a8fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007551153d 2 bytes JMP 75a8fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755115cd 2 bytes JMP 75a9b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075511401 2 bytes JMP 75a9b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075511431 2 bytes JMP 75b18fd1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007551144a 2 bytes CALL 75a7489d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075511585 2 bytes JMP 75b18bea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755116b2 2 bytes JMP 75b18f4c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755116bd 2 bytes JMP 75b18713 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007551156d 2 bytes JMP 75b19089 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007551159d 2 bytes JMP 75b1877e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2544] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007551150d 2 bytes JMP 75b187ba C:\Windows\syswow64\kernel32.dll

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Program Files (x86)\NVIDIA Corporation\OSC\nvosc.exe[2936] @ C:\Program Files (x86)\NVIDIA Corporation\OSC\libcef.dll[KERNEL32.dll!DuplicateHandle] [7fee8b08cd0] C:\Program Files (x86)\NVIDIA Corporation\OSC\libcef.dll

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2508] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075f72ab1 5 bytes JMP 0000000100121053
.text C:\Windows\SysWOW64\PnkBstrA.exe[3332] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 0000000072d817fa 2 bytes CALL 75a711a9 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[3332] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000072d81860 2 bytes CALL 75a711a9 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[3332] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 0000000072d8194d 2 bytes JMP 7733cba6 C:\Windows\syswow64\WS2_32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[3332] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000072d81942 2 bytes JMP 77337089 C:\Windows\syswow64\WS2_32.dll

---- Processes - GMER 2.1 ----

Library D:\instalki\FRST64.exe (*** suspicious ***) @ D:\instalki\FRST64.exe [6176] 000000013f6d0000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 2983
Reg HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\Interfaces\{58fec878-4b9c-4cc6-9b71-6c095f0d8e08}@Dhcpv6State 0

---- EOF - GMER 2.1 ----