GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-08-07 23:42:52
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 ST3250310AS rev.3.AAC 232,89GB
Running: 7eq2hzgu.exe; Driver: C:\Users\Arek\AppData\Local\Temp\aftcqaog.sys

---- Kernel code sections - GMER 2.2 ----

.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000145600 7 bytes [00, 66, F3, FF, 41, 70, F0]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000145608 3 bytes [C0, 06, 02]

---- User code sections - GMER 2.2 ----

.text C:\Windows\System32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007750de80 5 bytes JMP 0000000000f51000
.text C:\Windows\System32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007750e3d0 5 bytes JMP 0000000000f50000
.text C:\Windows\System32\svchost.exe[852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007750e480 5 bytes JMP 0000000000f52000
.text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007750de80 5 bytes JMP 0000000000c21000
.text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007750e3d0 5 bytes JMP 0000000000c20000
.text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007750e480 5 bytes JMP 0000000000c22000
.text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007750de80 5 bytes JMP 0000000000ed1000
.text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007750e3d0 5 bytes JMP 0000000000ed0000
.text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007750e480 5 bytes JMP 0000000000ed2000
.text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007750de80 5 bytes JMP 0000000001591000
.text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007750e3d0 5 bytes JMP 0000000001590000
.text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007750e480 5 bytes JMP 0000000001592000
.text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007750de80 5 bytes JMP 0000000000d01000
.text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007750e3d0 5 bytes JMP 0000000000d00000
.text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007750e480 5 bytes JMP 0000000000d02000
.text C:\Windows\Explorer.EXE[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000000007750de80 5 bytes JMP 0000000002611000
.text C:\Windows\Explorer.EXE[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000000007750e3d0 5 bytes JMP 0000000002610000
.text C:\Windows\Explorer.EXE[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007750e480 5 bytes JMP 0000000002612000
.text C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx 00000000776c002c 5 bytes JMP 00000000004d1000
.text C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess 00000000776c0854 5 bytes JMP 00000000004d0000
.text C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe[2620] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000776c095c 5 bytes JMP 00000000004d2000

---- EOF - GMER 2.2 ----