GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-05-13 10:25:21 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 SAMSUNG_HD322HJ rev.1AC01118 298,09GB Running: gmer.exe; Driver: C:\Users\Kamcio\AppData\Local\Temp\afrdapoc.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1920] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075e42ab1 5 bytes JMP 0000000001178c60 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3844] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076061401 2 bytes JMP 7560b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3844] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076061419 2 bytes JMP 7560b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076061431 2 bytes JMP 75688f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007606144a 2 bytes CALL 755e489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3844] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000760614dd 2 bytes JMP 75688822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3844] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000760614f5 2 bytes JMP 756889f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3844] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007606150d 2 bytes JMP 75688718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3844] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076061525 2 bytes JMP 75688ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3844] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007606153d 2 bytes JMP 755ffca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3844] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076061555 2 bytes JMP 756068ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3844] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007606156d 2 bytes JMP 75688fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3844] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076061585 2 bytes JMP 75688b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3844] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007606159d 2 bytes JMP 756886dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3844] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000760615b5 2 bytes JMP 755ffd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3844] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000760615cd 2 bytes JMP 7560b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3844] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000760616b2 2 bytes JMP 75688ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe[3844] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000760616bd 2 bytes JMP 75688671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076061401 2 bytes JMP 7560b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3932] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076061419 2 bytes JMP 7560b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076061431 2 bytes JMP 75688f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007606144a 2 bytes CALL 755e489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3932] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000760614dd 2 bytes JMP 75688822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000760614f5 2 bytes JMP 756889f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3932] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007606150d 2 bytes JMP 75688718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076061525 2 bytes JMP 75688ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007606153d 2 bytes JMP 755ffca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3932] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076061555 2 bytes JMP 756068ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007606156d 2 bytes JMP 75688fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076061585 2 bytes JMP 75688b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3932] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007606159d 2 bytes JMP 756886dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000760615b5 2 bytes JMP 755ffd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000760615cd 2 bytes JMP 7560b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000760616b2 2 bytes JMP 75688ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3932] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000760616bd 2 bytes JMP 75688671 C:\Windows\syswow64\kernel32.dll ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\svchost.exe [988:1508] 0000000000e80d3c Thread C:\Windows\system32\svchost.exe [988:1820] 0000000000e80d3c Thread C:\Windows\system32\svchost.exe [988:1984] 0000000000e80d3c Thread C:\Windows\system32\svchost.exe [988:2448] 0000000001ae0c8c Thread C:\Windows\system32\svchost.exe [988:2452] 0000000001ce0c8c Thread C:\Windows\system32\svchost.exe [988:2456] 0000000001ce0c8c Thread C:\Windows\system32\svchost.exe [988:2460] 0000000001950c8c Thread C:\Windows\system32\svchost.exe [988:2464] 0000000001ae0c8c Thread C:\Windows\system32\svchost.exe [988:2468] 0000000001ce0c8c Thread C:\Windows\system32\svchost.exe [988:2472] 0000000001ae0c8c Thread C:\Windows\system32\svchost.exe [988:2476] 0000000001950c8c Thread C:\Windows\system32\svchost.exe [988:2480] 0000000001950c8c Thread C:\Windows\system32\svchost.exe [988:2528] 0000000001440c8c Thread C:\Windows\system32\svchost.exe [988:2540] 0000000001440c8c Thread C:\Windows\system32\svchost.exe [988:2544] 0000000001440c8c Thread C:\Windows\system32\svchost.exe [988:2856] 0000000000e77378 Thread C:\Windows\system32\svchost.exe [988:2860] 0000000000e77378 Thread C:\Windows\system32\svchost.exe [988:2864] 0000000001947378 Thread C:\Windows\system32\svchost.exe [988:2868] 0000000001947378 Thread C:\Windows\system32\svchost.exe [988:2872] 0000000001cd7378 Thread C:\Windows\system32\svchost.exe [988:2876] 0000000001cd7378 Thread C:\Windows\system32\svchost.exe [988:2880] 0000000001ad7378 Thread C:\Windows\system32\svchost.exe [988:2884] 0000000001ad7378 Thread C:\Windows\system32\svchost.exe [988:2892] 0000000001437378 Thread C:\Windows\system32\svchost.exe [988:2896] 0000000001437378 Thread C:\Windows\SysWOW64\svchost.exe [3584:4020] 000000000039a4a3 Thread C:\Windows\SysWOW64\svchost.exe [3584:4008] 000000000039a4a3 Thread C:\Windows\SysWOW64\svchost.exe [3584:2716] 000000000039a4a3 Thread C:\Windows\SysWOW64\svchost.exe [3584:3600] 000000000039a4a3 Thread C:\Windows\SysWOW64\svchost.exe [3584:3324] 000000000039a4a3 Thread C:\Windows\SysWOW64\rundll32.exe [672:3188] 00000000002ba4a3 Thread C:\Windows\SysWOW64\rundll32.exe [672:3180] 00000000002ba4a3 Thread C:\Windows\SysWOW64\rundll32.exe [672:3760] 00000000002ba4a3 Thread C:\Windows\SysWOW64\rundll32.exe [672:808] 00000000002ba4a3 Thread C:\Windows\SysWOW64\rundll32.exe [672:4056] 00000000002ba4a3 ---- Processes - GMER 2.2 ---- Library C:\Users\Kamcio\AppData\Local\Temp\RarSFX2\TOTALCMD.EXE (*** suspicious ***) @ C:\Users\Kamcio\AppData\Local\Temp\RarSFX2\TOTALCMD.EXE [2676] 0000000000400000 ---- EOF - GMER 2.2 ----