GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-03-13 12:45:27
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 HITACHI_ rev.ES2Z 298,09GB
Running: 364nw5dr.exe; Driver: C:\Users\GO9495~1\AppData\Local\Temp\aftcraog.sys

---- User code sections - GMER 2.2 ----

.text C:\windows\SysWOW64\RunDll32.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075261401 2 bytes JMP 75e5b233 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[4076] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075261419 2 bytes JMP 75e5b35e C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075261431 2 bytes JMP 75ed9011 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007526144a 2 bytes CALL 75e348ad C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\windows\SysWOW64\RunDll32.exe[4076] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752614dd 2 bytes JMP 75ed890a C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752614f5 2 bytes JMP 75ed8ae0 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[4076] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007526150d 2 bytes JMP 75ed8800 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075261525 2 bytes JMP 75ed8bca C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007526153d 2 bytes JMP 75e4fcc0 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[4076] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075261555 2 bytes JMP 75e56907 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007526156d 2 bytes JMP 75ed90c9 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075261585 2 bytes JMP 75ed8c2a C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[4076] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007526159d 2 bytes JMP 75ed87c4 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752615b5 2 bytes JMP 75e4fd59 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752615cd 2 bytes JMP 75e5b2f4 C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752616b2 2 bytes JMP 75ed8f8c C:\windows\syswow64\kernel32.dll
.text C:\windows\SysWOW64\RunDll32.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752616bd 2 bytes JMP 75ed8759 C:\windows\syswow64\kernel32.dll
.text C:\Users\GO9495~1\AppData\Local\Temp\TeamViewer\TeamViewer.exe[2704] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075261401 2 bytes JMP 75e5b233 C:\windows\syswow64\kernel32.dll
.text C:\Users\GO9495~1\AppData\Local\Temp\TeamViewer\TeamViewer.exe[2704] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075261419 2 bytes JMP 75e5b35e C:\windows\syswow64\kernel32.dll
.text C:\Users\GO9495~1\AppData\Local\Temp\TeamViewer\TeamViewer.exe[2704] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075261431 2 bytes JMP 75ed9011 C:\windows\syswow64\kernel32.dll
.text C:\Users\GO9495~1\AppData\Local\Temp\TeamViewer\TeamViewer.exe[2704] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007526144a 2 bytes CALL 75e348ad C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\GO9495~1\AppData\Local\Temp\TeamViewer\TeamViewer.exe[2704] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752614dd 2 bytes JMP 75ed890a C:\windows\syswow64\kernel32.dll
.text C:\Users\GO9495~1\AppData\Local\Temp\TeamViewer\TeamViewer.exe[2704] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752614f5 2 bytes JMP 75ed8ae0 C:\windows\syswow64\kernel32.dll
.text C:\Users\GO9495~1\AppData\Local\Temp\TeamViewer\TeamViewer.exe[2704] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007526150d 2 bytes JMP 75ed8800 C:\windows\syswow64\kernel32.dll
.text C:\Users\GO9495~1\AppData\Local\Temp\TeamViewer\TeamViewer.exe[2704] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075261525 2 bytes JMP 75ed8bca C:\windows\syswow64\kernel32.dll
.text C:\Users\GO9495~1\AppData\Local\Temp\TeamViewer\TeamViewer.exe[2704] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007526153d 2 bytes JMP 75e4fcc0 C:\windows\syswow64\kernel32.dll
.text C:\Users\GO9495~1\AppData\Local\Temp\TeamViewer\TeamViewer.exe[2704] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075261555 2 bytes JMP 75e56907 C:\windows\syswow64\kernel32.dll
.text C:\Users\GO9495~1\AppData\Local\Temp\TeamViewer\TeamViewer.exe[2704] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007526156d 2 bytes JMP 75ed90c9 C:\windows\syswow64\kernel32.dll
.text C:\Users\GO9495~1\AppData\Local\Temp\TeamViewer\TeamViewer.exe[2704] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075261585 2 bytes JMP 75ed8c2a C:\windows\syswow64\kernel32.dll
.text C:\Users\GO9495~1\AppData\Local\Temp\TeamViewer\TeamViewer.exe[2704] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007526159d 2 bytes JMP 75ed87c4 C:\windows\syswow64\kernel32.dll
.text C:\Users\GO9495~1\AppData\Local\Temp\TeamViewer\TeamViewer.exe[2704] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752615b5 2 bytes JMP 75e4fd59 C:\windows\syswow64\kernel32.dll
.text C:\Users\GO9495~1\AppData\Local\Temp\TeamViewer\TeamViewer.exe[2704] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752615cd 2 bytes JMP 75e5b2f4 C:\windows\syswow64\kernel32.dll
.text C:\Users\GO9495~1\AppData\Local\Temp\TeamViewer\TeamViewer.exe[2704] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752616b2 2 bytes JMP 75ed8f8c C:\windows\syswow64\kernel32.dll
.text C:\Users\GO9495~1\AppData\Local\Temp\TeamViewer\TeamViewer.exe[2704] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752616bd 2 bytes JMP 75ed8759 C:\windows\syswow64\kernel32.dll

---- Threads - GMER 2.2 ----

Thread C:\windows\system32\svchost.exe [108:3644] 000007fefaa50ea8
Thread C:\windows\system32\svchost.exe [108:3648] 000007fefaa49db0
Thread C:\windows\system32\svchost.exe [108:3660] 000007fefaa4aa10
Thread C:\windows\system32\svchost.exe [108:3664] 000007fefaa51c94
Thread C:\windows\system32\svchost.exe [108:804] 000007feea78b1b0
Thread C:\windows\system32\svchost.exe [1052:1872] 000007fef798506c
Thread C:\windows\system32\svchost.exe [1052:1468] 000007fefaec1c20
Thread C:\windows\system32\svchost.exe [1052:1748] 000007fefaec1c20
Thread C:\windows\system32\svchost.exe [1052:2292] 000007fef893818c
Thread C:\windows\system32\svchost.exe [1052:4740] 000007fef9625124
Thread C:\windows\system32\svchost.exe [1052:3344] 000007fef4054164
Thread C:\windows\system32\svchost.exe [1052:3820] 000007feeba31ab0
Thread C:\windows\system32\svchost.exe [1052:3732] 000007fef5885170
Thread C:\windows\system32\svchost.exe [1052:3508] 000007fef5885170
Thread C:\windows\system32\svchost.exe [1052:4700] 000007feeafea160
Thread C:\windows\system32\svchost.exe [1232:3532] 000007fef5885170
Thread C:\windows\System32\spoolsv.exe [1536:2524] 000007fef66f10c8
Thread C:\windows\System32\spoolsv.exe [1536:2532] 000007fef66b6144
Thread C:\windows\System32\spoolsv.exe [1536:2536] 000007fef64a5fd0
Thread C:\windows\System32\spoolsv.exe [1536:2540] 000007fef6493438
Thread C:\windows\System32\spoolsv.exe [1536:2544] 000007fef64a63ec
Thread C:\windows\System32\spoolsv.exe [1536:2556] 000007fef6b05e5c
Thread C:\windows\System32\svchost.exe [1860:2080] 000007fef75f0360
Thread C:\windows\System32\svchost.exe [1860:2084] 000007fef75ce460
Thread C:\windows\System32\svchost.exe [1860:2132] 000007fef75ce450
Thread C:\windows\System32\svchost.exe [1860:2136] 000007fef7595570
Thread C:\windows\System32\svchost.exe [1860:2140] 000007fef75ca130
Thread C:\windows\System32\svchost.exe [1860:2144] 000007fef7595560
Thread C:\windows\System32\svchost.exe [1860:2148] 000007fef76182a0
Thread C:\ProgramData\DatacardService\HWDeviceService64.exe [2072:2096] 000007fefe25a808
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4520:4668] 000007fefb4b2af8

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@SEMEnabled 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@SEMTimeOutValue 10
Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@WorkerInterval 15
Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{00856b19-18bd-4198-83c1-30cfcb16a7ef}
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c01885a7d94f
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c01885a7d94f@a47760a32303 0x94 0x29 0x93 0x15 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c01885a7d94f@1887966c1d20 0xCC 0xA2 0x34 0x84 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c01885a7d94f@2c54cf303bd0 0x08 0xD6 0xA0 0x32 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c01885a7d94f@38f23e9ee91a 0x2D 0xF0 0x25 0x61 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{18E852B4-4745-43E4-B022-90969CA0A5EB}@LeaseObtainedTime 1457866843
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{18E852B4-4745-43E4-B022-90969CA0A5EB}@T1 1457868643
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{18E852B4-4745-43E4-B022-90969CA0A5EB}@T2 1457869993
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{18E852B4-4745-43E4-B022-90969CA0A5EB}@LeaseTerminatesTime 1457870443
Reg HKLM\SYSTEM\CurrentControlSet\services\{18E852B4-4745-43E4-B022-90969CA0A5EB}\Parameters\Tcpip@LeaseObtainedTime 1457866843
Reg HKLM\SYSTEM\CurrentControlSet\services\{18E852B4-4745-43E4-B022-90969CA0A5EB}\Parameters\Tcpip@T1 1457868643
Reg HKLM\SYSTEM\CurrentControlSet\services\{18E852B4-4745-43E4-B022-90969CA0A5EB}\Parameters\Tcpip@T2 1457869993
Reg HKLM\SYSTEM\CurrentControlSet\services\{18E852B4-4745-43E4-B022-90969CA0A5EB}\Parameters\Tcpip@LeaseTerminatesTime 1457870443
Reg HKLM\SYSTEM\ControlSet002\Control\WDI\Config@SEMEnabled 1
Reg HKLM\SYSTEM\ControlSet002\Control\WDI\Config@SEMTimeOutValue 10
Reg HKLM\SYSTEM\ControlSet002\Control\WDI\Config@WorkerInterval 15
Reg HKLM\SYSTEM\ControlSet002\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{00856b19-18bd-4198-83c1-30cfcb16a7ef}
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c01885a7d94f (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c01885a7d94f@a47760a32303 0x94 0x29 0x93 0x15 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c01885a7d94f@1887966c1d20 0xCC 0xA2 0x34 0x84 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c01885a7d94f@2c54cf303bd0 0x08 0xD6 0xA0 0x32 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c01885a7d94f@38f23e9ee91a 0x2D 0xF0 0x25 0x61 ...

---- EOF - GMER 2.2 ----