GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-02-08 21:44:37 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Samsung_SSD_840_EVO_120GB rev.EXT0BB6Q 111,79GB Running: mo9xejdp.exe; Driver: C:\Users\Chimney\AppData\Local\Temp\awtiafoc.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750a1465 2 bytes [0A, 75] .text C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[1700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750a14bb 2 bytes [0A, 75] .text ... * 2 .text C:\Program Files (x86)\Bloody6\Bloody6\Bloody6.exe[2600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750a1465 2 bytes [0A, 75] .text C:\Program Files (x86)\Bloody6\Bloody6\Bloody6.exe[2600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750a14bb 2 bytes [0A, 75] .text ... * 2 .text C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe[2740] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 26 000000006b8c13c6 2 bytes [8C, 6B] .text C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe[2740] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 74 000000006b8c13f6 2 bytes [8C, 6B] .text C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe[2740] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 257 000000006b8c14ad 2 bytes [8C, 6B] .text C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe[2740] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 303 000000006b8c14db 2 bytes [8C, 6B] .text ... * 2 .text C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe[2740] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 79 000000006b8c1577 2 bytes [8C, 6B] .text C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe[2740] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 175 000000006b8c15d7 2 bytes [8C, 6B] .text C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe[2740] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 620 000000006b8c1794 2 bytes [8C, 6B] .text C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe[2740] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 921 000000006b8c18c1 2 bytes [8C, 6B] .text C:\Windows\SysWOW64\rundll32.exe[2760] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 26 000000006b8c13c6 2 bytes [8C, 6B] .text C:\Windows\SysWOW64\rundll32.exe[2760] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 74 000000006b8c13f6 2 bytes [8C, 6B] .text C:\Windows\SysWOW64\rundll32.exe[2760] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 257 000000006b8c14ad 2 bytes [8C, 6B] .text C:\Windows\SysWOW64\rundll32.exe[2760] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 303 000000006b8c14db 2 bytes [8C, 6B] .text ... * 2 .text C:\Windows\SysWOW64\rundll32.exe[2760] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 79 000000006b8c1577 2 bytes [8C, 6B] .text C:\Windows\SysWOW64\rundll32.exe[2760] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 175 000000006b8c15d7 2 bytes [8C, 6B] .text C:\Windows\SysWOW64\rundll32.exe[2760] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 620 000000006b8c1794 2 bytes [8C, 6B] .text C:\Windows\SysWOW64\rundll32.exe[2760] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 921 000000006b8c18c1 2 bytes [8C, 6B] .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750a1465 2 bytes [0A, 75] .text C:\Program Files (x86)\Dropbox\Client\Dropbox.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750a14bb 2 bytes [0A, 75] .text ... * 2 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[2828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750a1465 2 bytes [0A, 75] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[2828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750a14bb 2 bytes [0A, 75] .text ... * 2 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[2232] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000772efc45 7 bytes {MOV EDX, 0x6385b018; JMP RDX} .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[2232] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750a1465 2 bytes [0A, 75] .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[2232] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750a14bb 2 bytes [0A, 75] .text ... * 2 .text C:\Windows\SysWOW64\PnkBstrA.exe[1592] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 000000006adb1a22 2 bytes [DB, 6A] .text C:\Windows\SysWOW64\PnkBstrA.exe[1592] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 000000006adb1ad0 2 bytes [DB, 6A] .text C:\Windows\SysWOW64\PnkBstrA.exe[1592] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 000000006adb1b08 2 bytes [DB, 6A] .text C:\Windows\SysWOW64\PnkBstrA.exe[1592] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 000000006adb1bba 2 bytes [DB, 6A] .text C:\Windows\SysWOW64\PnkBstrA.exe[1592] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 000000006adb1bda 2 bytes [DB, 6A] .text C:\Windows\SysWOW64\PnkBstrA.exe[1592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750a1465 2 bytes [0A, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[1592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750a14bb 2 bytes [0A, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[4696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750a1465 2 bytes [0A, 75] .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe[4696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750a14bb 2 bytes [0A, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[4736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750a1465 2 bytes [0A, 75] .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[4736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750a14bb 2 bytes [0A, 75] .text ... * 2 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe[5220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750a1465 2 bytes [0A, 75] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe[5220] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750a14bb 2 bytes [0A, 75] .text ... * 2 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\node.exe[5236] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750a1465 2 bytes [0A, 75] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CCXProcess\libs\node.exe[5236] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750a14bb 2 bytes [0A, 75] .text ... * 2 .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750a1465 2 bytes [0A, 75] .text C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750a14bb 2 bytes [0A, 75] .text ... * 2 .text C:\Program Files (x86)\Last.fm\Last.fm Scrobbler.exe[5980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000750a1465 2 bytes [0A, 75] .text C:\Program Files (x86)\Last.fm\Last.fm Scrobbler.exe[5980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000750a14bb 2 bytes [0A, 75] .text ... * 2 ---- Threads - GMER 2.2 ---- Thread C:\Windows\System32\svchost.exe [6020:800] 000007feeaa79688 ---- EOF - GMER 2.2 ----