GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-14 22:56:23
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-4 WDC_WD5000AAKS-00V1A0 rev.05.01D05 465,76GB
Running: b8j3lz8s.exe; Driver: C:\Users\Adam\AppData\Local\Temp\aftcqaow.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- User code sections - GMER 2.1 ----

.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1260] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000770e1401 2 bytes JMP 763eeb26 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1260] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000770e1419 2 bytes JMP 763fb513 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1260] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000770e1431 2 bytes JMP 76478609 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1260] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000770e144a 2 bytes CALL 763d1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1260] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000770e14dd 2 bytes JMP 76477efe C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1260] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000770e14f5 2 bytes JMP 764780d8 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1260] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000770e150d 2 bytes JMP 76477df4 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1260] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000770e1525 2 bytes JMP 764781c2 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1260] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000770e153d 2 bytes JMP 763ef088 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1260] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000770e1555 2 bytes JMP 763fb885 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1260] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000770e156d 2 bytes JMP 764786c1 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1260] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000770e1585 2 bytes JMP 76478222 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1260] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000770e159d 2 bytes JMP 76477db8 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1260] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000770e15b5 2 bytes JMP 763ef121 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1260] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000770e15cd 2 bytes JMP 763fb29f C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1260] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000770e16b2 2 bytes JMP 76478584 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1260] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000770e16bd 2 bytes JMP 76477d4d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\XTab\ProtectService.exe[1520] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000770e1401 2 bytes JMP 763eeb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\XTab\ProtectService.exe[1520] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000770e1419 2 bytes JMP 763fb513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\XTab\ProtectService.exe[1520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000770e1431 2 bytes JMP 76478609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\XTab\ProtectService.exe[1520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000770e144a 2 bytes CALL 763d1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\XTab\ProtectService.exe[1520] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000770e14dd 2 bytes JMP 76477efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\XTab\ProtectService.exe[1520] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000770e14f5 2 bytes JMP 764780d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\XTab\ProtectService.exe[1520] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000770e150d 2 bytes JMP 76477df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\XTab\ProtectService.exe[1520] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000770e1525 2 bytes JMP 764781c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\XTab\ProtectService.exe[1520] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000770e153d 2 bytes JMP 763ef088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\XTab\ProtectService.exe[1520] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000770e1555 2 bytes JMP 763fb885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\XTab\ProtectService.exe[1520] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000770e156d 2 bytes JMP 764786c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\XTab\ProtectService.exe[1520] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000770e1585 2 bytes JMP 76478222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\XTab\ProtectService.exe[1520] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000770e159d 2 bytes JMP 76477db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\XTab\ProtectService.exe[1520] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000770e15b5 2 bytes JMP 763ef121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\XTab\ProtectService.exe[1520] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000770e15cd 2 bytes JMP 763fb29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\XTab\ProtectService.exe[1520] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000770e16b2 2 bytes JMP 76478584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\XTab\ProtectService.exe[1520] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000770e16bd 2 bytes JMP 76477d4d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\iWebar\67455cff-43dc-490b-ace5-6ba279c9615b-1-6.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000770e1401 2 bytes JMP 763eeb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\iWebar\67455cff-43dc-490b-ace5-6ba279c9615b-1-6.exe[2452] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000770e1419 2 bytes JMP 763fb513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\iWebar\67455cff-43dc-490b-ace5-6ba279c9615b-1-6.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000770e1431 2 bytes JMP 76478609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\iWebar\67455cff-43dc-490b-ace5-6ba279c9615b-1-6.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000770e144a 2 bytes CALL 763d1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\iWebar\67455cff-43dc-490b-ace5-6ba279c9615b-1-6.exe[2452] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000770e14dd 2 bytes JMP 76477efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\iWebar\67455cff-43dc-490b-ace5-6ba279c9615b-1-6.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000770e14f5 2 bytes JMP 764780d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\iWebar\67455cff-43dc-490b-ace5-6ba279c9615b-1-6.exe[2452] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000770e150d 2 bytes JMP 76477df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\iWebar\67455cff-43dc-490b-ace5-6ba279c9615b-1-6.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000770e1525 2 bytes JMP 764781c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\iWebar\67455cff-43dc-490b-ace5-6ba279c9615b-1-6.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000770e153d 2 bytes JMP 763ef088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\iWebar\67455cff-43dc-490b-ace5-6ba279c9615b-1-6.exe[2452] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000770e1555 2 bytes JMP 763fb885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\iWebar\67455cff-43dc-490b-ace5-6ba279c9615b-1-6.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000770e156d 2 bytes JMP 764786c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\iWebar\67455cff-43dc-490b-ace5-6ba279c9615b-1-6.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000770e1585 2 bytes JMP 76478222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\iWebar\67455cff-43dc-490b-ace5-6ba279c9615b-1-6.exe[2452] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000770e159d 2 bytes JMP 76477db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\iWebar\67455cff-43dc-490b-ace5-6ba279c9615b-1-6.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000770e15b5 2 bytes JMP 763ef121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\iWebar\67455cff-43dc-490b-ace5-6ba279c9615b-1-6.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000770e15cd 2 bytes JMP 763fb29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\iWebar\67455cff-43dc-490b-ace5-6ba279c9615b-1-6.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000770e16b2 2 bytes JMP 76478584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\iWebar\67455cff-43dc-490b-ace5-6ba279c9615b-1-6.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000770e16bd 2 bytes JMP 76477d4d C:\Windows\syswow64\kernel32.dll

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- Processes - GMER 2.1 ----

Process C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (*** suspicious ***) @ C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [1260] (Windows SysTool Service/SysTool PasSame LIMITED)(2015-02-13 11:37:18) 0000000000060000
Process C:\ProgramData\DatacardService\HWDeviceService64.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\HWDeviceService64.exe [1480](2011-03-14 15:27:34) 000000013fee0000
Process C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [1616](2015-02-10 20:32:47) 0000000000400000
Library C:\ProgramData\Internet Manager\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [1616](2015-02-10 20:32:47) 000000006fbc0000
Library C:\ProgramData\Internet Manager\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [1616](2015-02-10 20:32:47) 000000006e940000
Library C:\ProgramData\Internet Manager\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [1616](2015-02-10 20:32:47) 000000006a1c0000
Library C:\ProgramData\Internet Manager\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [1616](2015-02-10 20:32:47) 000000006ff00000
Process C:\ProgramData\DatacardService\DCSHelper.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\DCSHelper.exe [2496] (DataCardMonitor MFC Application/Huawei Technologies Co., Ltd.)(2011-03-14 15:27:28) 0000000000400000
Process C:\ProgramData\DatacardService\DCSHelper.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\DCSHelper.exe [2600] (DataCardMonitor MFC Application/Huawei Technologies Co., Ltd.)(2011-03-14 15:27:28) 0000000000400000
Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D8168CE1-EFD8-45DE-9F7D-6A137F0F5318}\mpengine.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [3236] (Microsoft Malware Protection Engine/Microsoft Corporation)(2015-02-13 12:21:48) 000007fef2480000
Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D8168CE1-EFD8-45DE-9F7D-6A137F0F5318}\offreg.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [3236] (Offline registry DLL/Microsoft Corporation)(2015-02-14 16:44:19) 000007fef7910000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 95
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 34

---- EOF - GMER 2.1 ----
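A triage helper for a log like the one above, added here as an example; it is not part of the posted log and not code from GMER. It parses the record types this log contains (the `.text` inline-hook lines, the `.text ... * N` elision lines, the `Process`/`Library` lines marked `(*** suspicious ***)`, and the `INITKDBG` kernel-section line), then groups the hooks by (module, function, offset, operation, target) and counts in how many distinct processes each identical patch appears, and lists the flagged images per host PID. The field layout is assumed from the lines in this log only; the sample embedded in the script is a constructed subset of those lines, reflowed one record per line as GMER writes them.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the GMER 2.1 log above, one
# record per line as GMER writes them (the posted copy was run together).
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 2.1 ----
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
---- User code sections - GMER 2.1 ----
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1260] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000770e1401 2 bytes JMP 763eeb26 C:\Windows\syswow64\kernel32.dll
.text C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1260] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000770e144a 2 bytes CALL 763d1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\XTab\ProtectService.exe[1520] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000770e1401 2 bytes JMP 763eeb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\XTab\ProtectService.exe[1520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000770e144a 2 bytes CALL 763d1dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\iWebar\67455cff-43dc-490b-ace5-6ba279c9615b-1-6.exe[2452] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000770e1401 2 bytes JMP 763eeb26 C:\Windows\syswow64\kernel32.dll
---- Processes - GMER 2.1 ----
Process C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (*** suspicious ***) @ C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [1260] (Windows SysTool Service/SysTool PasSame LIMITED)(2015-02-13 11:37:18) 0000000000060000
Library C:\ProgramData\Internet Manager\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [1616](2015-02-10 20:32:47) 000000006fbc0000
Library C:\ProgramData\Internet Manager\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [1616](2015-02-10 20:32:47) 000000006a1c0000
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 95
---- EOF - GMER 2.1 ----
"""

# Field layout assumed from the lines in this log (not a GMER specification).
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<module>.+?)!(?P<func>\w+)\s+\+\s+(?P<offset>\d+)"
    r"\s+(?P<addr>[0-9a-fA-F]+)\s+(?P<size>\d+)\s+bytes\s+(?P<op>JMP|CALL)\s+(?P<target>[0-9a-fA-F]+)"
    r"\s+(?P<target_module>.+?)\s*$"
)
ELIDED_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s+(?P<n>\d+)\s*$")
FLAGGED_RE = re.compile(
    r"^(?P<kind>Process|Library)\s+(?P<path>.+?)\s+\(\*\*\* suspicious \*\*\*\)\s+@\s+(?P<host>.+?)"
    r"\s+\[(?P<pid>\d+)\]\s*(?:\((?P<desc>[^)]*)\))?\((?P<ts>[^)]*)\)\s+(?P<base>[0-9a-fA-F]+)\s*$"
)
KERNEL_RE = re.compile(r"^(?P<section>[A-Z0-9_.]+)\s+(?P<image>.+?)\s+suspicious modification\s*$")


def parse_gmer(text):
    """Split a GMER 2.1 log into hook records, the number of hooks GMER elided
    with '* N', flagged Process/Library records and kernel-section findings."""
    result = {"hooks": [], "elided": 0, "flagged": [], "kernel": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HOOK_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"], rec["offset"], rec["size"] = int(rec["pid"]), int(rec["offset"]), int(rec["size"])
            result["hooks"].append(rec)
            continue
        m = ELIDED_RE.match(line)
        if m:
            result["elided"] += int(m.group("n"))
            continue
        m = FLAGGED_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            result["flagged"].append(rec)
            continue
        m = KERNEL_RE.match(line)
        if m:
            result["kernel"].append(m.groupdict())
    return result


def hook_patterns(hooks):
    """Group hooks by (module, function, offset, op, target) and count the
    distinct processes carrying each pattern. A patch found at the same place
    with the same target in every hooked process is not specific to one
    target; a pattern seen in only one process is the one to look at first."""
    processes = {h["pid"] for h in hooks}
    by_pattern = defaultdict(set)
    for h in hooks:
        by_pattern[(h["module"], h["func"], h["offset"], h["op"], h["target"])].add(h["pid"])
    return {
        key: {"processes": len(pids), "in_every_process": len(pids) == len(processes)}
        for key, pids in by_pattern.items()
    }


def flagged_by_host(flagged):
    """Map each host PID to the (kind, path, base address) GMER flagged in it."""
    hosts = defaultdict(list)
    for rec in flagged:
        hosts[rec["pid"]].append((rec["kind"], rec["path"], rec["base"]))
    return dict(hosts)


def summarize(text):
    """One line per finding, suitable for pasting back into a triage thread."""
    parsed = parse_gmer(text)
    out = [f"hooks: {len(parsed['hooks'])} listed, {parsed['elided']} elided by GMER"]
    for (module, func, offset, op, target), info in hook_patterns(parsed["hooks"]).items():
        scope = "every hooked process" if info["in_every_process"] else f"{info['processes']} process(es)"
        out.append(f"{module}!{func}+{offset} {op} {target}: {scope}")
    for pid, images in sorted(flagged_by_host(parsed["flagged"]).items()):
        out.append(f"pid {pid}: " + ", ".join(f"{k} {p} @ {b}" for k, p, b in images))
    for k in parsed["kernel"]:
        out.append(f"kernel {k['section']} in {k['image']}: suspicious modification")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Run it against the full log by replacing `SAMPLE_LOG` with the file contents (`parse_gmer(open(path).read())`). The grouping answers the first question a hook list like this one raises: whether the same 2-byte patch at the same PSAPI.DLL offset, landing at the same kernel32.dll address, is present in every 32-bit process GMER inspected (in this log the three listed processes carry identical hook sets) or only in one of them. The `(*** suspicious ***)` records are grouped by host PID so that a process and the libraries flagged inside it, such as `ouc.exe` [1616] and its Qt and MinGW runtime DLLs above, are read together rather than as separate findings.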