GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-08-02 12:35:28
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000064 rev. 0,00MB
Running: 4jz6r97k.exe; Driver: C:\Users\Kolbe\AppData\Local\Temp\kwddykod.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload  fffff8800ff4cd24 12 bytes {MOV RAX, 0xfffffa8004a3a2a0; JMP RAX}

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\netcut\services\AIPS.exe[1100] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075e91401 2 bytes JMP 000000010679a47b
.text  C:\Program Files (x86)\netcut\services\AIPS.exe[1100] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075e91419 2 bytes JMP 000000010679a493
.text  C:\Program Files (x86)\netcut\services\AIPS.exe[1100] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075e91431 2 bytes JMP 000000010679a4ab
.text  C:\Program Files (x86)\netcut\services\AIPS.exe[1100] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000075e9144a 2 bytes JMP 0000000075f5fcc4
.text  ...  * 9
.text  C:\Program Files (x86)\netcut\services\AIPS.exe[1100] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000075e914dd 2 bytes JMP 000000010679a557
.text  C:\Program Files (x86)\netcut\services\AIPS.exe[1100] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000075e914f5 2 bytes JMP 000000010679a56f
.text  C:\Program Files (x86)\netcut\services\AIPS.exe[1100] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000075e9150d 2 bytes JMP 000000010679a587
.text  C:\Program Files (x86)\netcut\services\AIPS.exe[1100] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075e91525 2 bytes JMP 000000010679a59f
.text  C:\Program Files (x86)\netcut\services\AIPS.exe[1100] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000075e9153d 2 bytes JMP 000000010679a5b7
.text  C:\Program Files (x86)\netcut\services\AIPS.exe[1100] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075e91555 2 bytes JMP 000000010679a5cf
.text  C:\Program Files (x86)\netcut\services\AIPS.exe[1100] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000075e9156d 2 bytes JMP 000000010679a5e7
.text  C:\Program Files (x86)\netcut\services\AIPS.exe[1100] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075e91585 2 bytes JMP 000000010679a5ff
.text  C:\Program Files (x86)\netcut\services\AIPS.exe[1100] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000075e9159d 2 bytes JMP 000000010679a617
.text  C:\Program Files (x86)\netcut\services\AIPS.exe[1100] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000075e915b5 2 bytes JMP 000000010679a62f
.text  C:\Program Files (x86)\netcut\services\AIPS.exe[1100] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000075e915cd 2 bytes JMP 000000015c37ce47
.text  C:\Program Files (x86)\netcut\services\AIPS.exe[1100] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000075e916b2 2 bytes JMP 000000010679a72c
.text  C:\Program Files (x86)\netcut\services\AIPS.exe[1100] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000075e916bd 2 bytes JMP 000000010679a737
.text  C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1144] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075e91401 2 bytes JMP 000000010679a47b
.text  C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1144] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075e91419 2 bytes JMP 000000010679a493
.text  C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075e91431 2 bytes JMP 000000010679a4ab
.text  C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000075e9144a 2 bytes JMP 0000000075f5fcc4
.text  ...  * 9
.text  C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1144] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000075e914dd 2 bytes JMP 000000010679a557
.text  C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1144] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000075e914f5 2 bytes JMP 000000010679a56f
.text  C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1144] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000075e9150d 2 bytes JMP 000000010679a587
.text  C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1144] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075e91525 2 bytes JMP 000000010679a59f
.text  C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1144] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000075e9153d 2 bytes JMP 000000010679a5b7
.text  C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1144] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075e91555 2 bytes JMP 000000010679a5cf
.text  C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1144] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000075e9156d 2 bytes JMP 000000010679a5e7
.text  C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1144] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075e91585 2 bytes JMP 000000010679a5ff
.text  C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1144] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000075e9159d 2 bytes JMP 000000010679a617
.text  C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1144] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000075e915b5 2 bytes JMP 000000010679a62f
.text  C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1144] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000075e915cd 2 bytes JMP 000000015c37ce47
.text  C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1144] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000075e916b2 2 bytes JMP 000000010679a72c
.text  C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1144] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000075e916bd 2 bytes JMP 000000010679a737
.text  C:\Program Files\Hola\app\hola.exe[2144] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter  0000000077669020 13 bytes {JMP QWORD [RIP+0x0]}
.text  C:\Program Files\Hola\app\hola.exe[2144] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter + 14  000000007766902e 1 byte INT3
.text  C:\Users\Kolbe\AppData\Local\FluxSoftware\Flux\flux.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075e91401 2 bytes JMP 000000010679a47b
.text  C:\Users\Kolbe\AppData\Local\FluxSoftware\Flux\flux.exe[2240] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075e91419 2 bytes JMP 000000010679a493
.text  C:\Users\Kolbe\AppData\Local\FluxSoftware\Flux\flux.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075e91431 2 bytes JMP 000000010679a4ab
.text  C:\Users\Kolbe\AppData\Local\FluxSoftware\Flux\flux.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000075e9144a 2 bytes JMP 0000000075f5fcc4
.text  ...  * 9
.text  C:\Users\Kolbe\AppData\Local\FluxSoftware\Flux\flux.exe[2240] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000075e914dd 2 bytes JMP 000000010679a557
.text  C:\Users\Kolbe\AppData\Local\FluxSoftware\Flux\flux.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000075e914f5 2 bytes JMP 000000010679a56f
.text  C:\Users\Kolbe\AppData\Local\FluxSoftware\Flux\flux.exe[2240] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000075e9150d 2 bytes JMP 000000010679a587
.text  C:\Users\Kolbe\AppData\Local\FluxSoftware\Flux\flux.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075e91525 2 bytes JMP 000000010679a59f
.text  C:\Users\Kolbe\AppData\Local\FluxSoftware\Flux\flux.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000075e9153d 2 bytes JMP 000000010679a5b7
.text  C:\Users\Kolbe\AppData\Local\FluxSoftware\Flux\flux.exe[2240] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075e91555 2 bytes JMP 000000010679a5cf
.text  C:\Users\Kolbe\AppData\Local\FluxSoftware\Flux\flux.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000075e9156d 2 bytes JMP 000000010679a5e7
.text  C:\Users\Kolbe\AppData\Local\FluxSoftware\Flux\flux.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075e91585 2 bytes JMP 000000010679a5ff
.text  C:\Users\Kolbe\AppData\Local\FluxSoftware\Flux\flux.exe[2240] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000075e9159d 2 bytes JMP 000000010679a617
.text  C:\Users\Kolbe\AppData\Local\FluxSoftware\Flux\flux.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000075e915b5 2 bytes JMP 000000010679a62f
.text  C:\Users\Kolbe\AppData\Local\FluxSoftware\Flux\flux.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000075e915cd 2 bytes JMP 000000015c37ce47
.text  C:\Users\Kolbe\AppData\Local\FluxSoftware\Flux\flux.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000075e916b2 2 bytes JMP 000000010679a72c
.text  C:\Users\Kolbe\AppData\Local\FluxSoftware\Flux\flux.exe[2240] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000075e916bd 2 bytes JMP 000000010679a737
.text  C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2424] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075e91401 2 bytes JMP 000000010679a47b
.text  C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2424] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075e91419 2 bytes JMP 000000010679a493
.text  C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2424] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075e91431 2 bytes JMP 000000010679a4ab
.text  C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2424] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000075e9144a 2 bytes JMP 0000000075f5fcc4
.text  ...  * 9
.text  C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2424] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000075e914dd 2 bytes JMP 000000010679a557
.text  C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2424] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000075e914f5 2 bytes JMP 000000010679a56f
.text  C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2424] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000075e9150d 2 bytes JMP 000000010679a587
.text  C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2424] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075e91525 2 bytes JMP 000000010679a59f
.text  C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2424] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000075e9153d 2 bytes JMP 000000010679a5b7
.text  C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2424] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075e91555 2 bytes JMP 000000010679a5cf
.text  C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2424] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000075e9156d 2 bytes JMP 000000010679a5e7
.text  C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2424] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075e91585 2 bytes JMP 000000010679a5ff
.text  C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2424] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000075e9159d 2 bytes JMP 000000010679a617
.text  C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2424] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000075e915b5 2 bytes JMP 000000010679a62f
.text  C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2424] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000075e915cd 2 bytes JMP 000000015c37ce47
.text  C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2424] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000075e916b2 2 bytes JMP 000000010679a72c
.text  C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[2424] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000075e916bd 2 bytes JMP 000000010679a737
.text  C:\Program Files\Hola\app\hola_svc.exe[2624] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter  0000000077669020 13 bytes {JMP QWORD [RIP+0x0]}
.text  C:\Program Files\Hola\app\hola_svc.exe[2624] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter + 14  000000007766902e 1 byte INT3
.text  C:\Program Files\Hola\app\hola_updater.exe[2664] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter  0000000077669020 13 bytes {JMP QWORD [RIP+0x0]}
.text  C:\Program Files\Hola\app\hola_updater.exe[2664] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter + 14  000000007766902e 1 byte INT3
.text  C:\Program Files (x86)\360\Total Security\safemon\chrome\360webshield.exe[4920] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075e91401 2 bytes JMP 000000010679a47b
.text  C:\Program Files (x86)\360\Total Security\safemon\chrome\360webshield.exe[4920] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075e91419 2 bytes JMP 000000010679a493
.text  C:\Program Files (x86)\360\Total Security\safemon\chrome\360webshield.exe[4920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075e91431 2 bytes JMP 000000010679a4ab
.text  C:\Program Files (x86)\360\Total Security\safemon\chrome\360webshield.exe[4920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000075e9144a 2 bytes JMP 0000000075f5fcc4
.text  ...  * 9
.text  C:\Program Files (x86)\360\Total Security\safemon\chrome\360webshield.exe[4920] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000075e914dd 2 bytes JMP 000000010679a557
.text  C:\Program Files (x86)\360\Total Security\safemon\chrome\360webshield.exe[4920] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000075e914f5 2 bytes JMP 000000010679a56f
.text  C:\Program Files (x86)\360\Total Security\safemon\chrome\360webshield.exe[4920] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000075e9150d 2 bytes JMP 000000010679a587
.text  C:\Program Files (x86)\360\Total Security\safemon\chrome\360webshield.exe[4920] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075e91525 2 bytes JMP 000000010679a59f
.text  C:\Program Files (x86)\360\Total Security\safemon\chrome\360webshield.exe[4920] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000075e9153d 2 bytes JMP 000000010679a5b7
.text  C:\Program Files (x86)\360\Total Security\safemon\chrome\360webshield.exe[4920] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075e91555 2 bytes JMP 000000010679a5cf
.text  C:\Program Files (x86)\360\Total Security\safemon\chrome\360webshield.exe[4920] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000075e9156d 2 bytes JMP 000000010679a5e7
.text  C:\Program Files (x86)\360\Total Security\safemon\chrome\360webshield.exe[4920] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075e91585 2 bytes JMP 000000010679a5ff
.text  C:\Program Files (x86)\360\Total Security\safemon\chrome\360webshield.exe[4920] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000075e9159d 2 bytes JMP 000000010679a617
.text  C:\Program Files (x86)\360\Total Security\safemon\chrome\360webshield.exe[4920] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000075e915b5 2 bytes JMP 000000010679a62f
.text  C:\Program Files (x86)\360\Total Security\safemon\chrome\360webshield.exe[4920] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000075e915cd 2 bytes JMP 000000015c37ce47
.text  C:\Program Files (x86)\360\Total Security\safemon\chrome\360webshield.exe[4920] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000075e916b2 2 bytes JMP 000000010679a72c
.text  C:\Program Files (x86)\360\Total Security\safemon\chrome\360webshield.exe[4920] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000075e916bd 2 bytes JMP 000000010679a737
.text  C:\Users\Kolbe\Downloads\4jz6r97k.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075e91401 2 bytes JMP 000000010679a47b
.text  C:\Users\Kolbe\Downloads\4jz6r97k.exe[2700] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075e91419 2 bytes JMP 000000010679a493
.text  C:\Users\Kolbe\Downloads\4jz6r97k.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075e91431 2 bytes JMP 000000010679a4ab
.text  C:\Users\Kolbe\Downloads\4jz6r97k.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000075e9144a 2 bytes JMP 0000000075f5fcc4
.text  ...  * 9
.text  C:\Users\Kolbe\Downloads\4jz6r97k.exe[2700] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000075e914dd 2 bytes JMP 000000010679a557
.text  C:\Users\Kolbe\Downloads\4jz6r97k.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000075e914f5 2 bytes JMP 000000010679a56f
.text  C:\Users\Kolbe\Downloads\4jz6r97k.exe[2700] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000075e9150d 2 bytes JMP 000000010679a587
.text  C:\Users\Kolbe\Downloads\4jz6r97k.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075e91525 2 bytes JMP 000000010679a59f
.text  C:\Users\Kolbe\Downloads\4jz6r97k.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000075e9153d 2 bytes JMP 000000010679a5b7
.text  C:\Users\Kolbe\Downloads\4jz6r97k.exe[2700] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075e91555 2 bytes JMP 000000010679a5cf
.text  C:\Users\Kolbe\Downloads\4jz6r97k.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000075e9156d 2 bytes JMP 000000010679a5e7
.text  C:\Users\Kolbe\Downloads\4jz6r97k.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075e91585 2 bytes JMP 000000010679a5ff
.text  C:\Users\Kolbe\Downloads\4jz6r97k.exe[2700] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000075e9159d 2 bytes JMP 000000010679a617
.text  C:\Users\Kolbe\Downloads\4jz6r97k.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000075e915b5 2 bytes JMP 000000010679a62f
.text  C:\Users\Kolbe\Downloads\4jz6r97k.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000075e915cd 2 bytes JMP 000000015c37ce47
.text  C:\Users\Kolbe\Downloads\4jz6r97k.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000075e916b2 2 bytes JMP 000000010679a72c
.text  C:\Users\Kolbe\Downloads\4jz6r97k.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000075e916bd 2 bytes JMP 000000010679a737

---- Kernel IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IofCallDriver]  [fffff880010ca710] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]  [fffff880010adf1c] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]  [fffff880010adcc0] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]  [fffff880010ae69c] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong]  [fffff880010aea98] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]  [fffff880010ae8f4] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback]  [fffff8800431bcac] \SystemRoot\system32\DRIVERS\360Box64.sys [.text]

---- Devices - GMER 2.1 ----

Device  \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0  fffffa80042372c0
Device  \Driver\atapi \Device\Ide\IdePort0  fffffa80042372c0
Device  \Driver\atapi \Device\Ide\IdePort1  fffffa80042372c0
Device  \Driver\atapi \Device\Ide\IdePort2  fffffa80042372c0
Device  \Driver\af0am5kj \Device\Scsi\af0am5kj1  fffffa8004b2c2c0
Device  \FileSystem\Ntfs \Ntfs  fffffa800423f2c0
Device  \Driver\nvstor \Device\00000064  fffffa80042392c0
Device  \Driver\usbehci \Device\USBPDO-1  fffffa8004aae2c0
Device  \Driver\nvstor \Device\RaidPort0  fffffa80042392c0
Device  \Driver\cdrom \Device\CdRom0  fffffa800459b2c0
Device  \Driver\nvstor \Device\RaidPort1  fffffa80042392c0
Device  \Driver\usbohci \Device\USBFDO-0  fffffa8004aa42c0
Device  \Driver\nvstor \Device\00000066  fffffa80042392c0
Device  \Driver\usbehci \Device\USBFDO-1  fffffa8004aae2c0
Device  \Driver\NetBT \Device\NetBt_Wins_Export  fffffa80045e12c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{4ACB4215-3E64-408A-A62D-BCD46EE2C372}  fffffa80045e12c0
Device  \Driver\atapi \Device\ScsiPort0  fffffa80042372c0
Device  \Driver\usbohci \Device\USBPDO-0  fffffa8004aa42c0
Device  \Driver\atapi \Device\ScsiPort1  fffffa80042372c0
Device  \Driver\nvstor \Device\ScsiPort2  fffffa80042392c0
Device  \Driver\nvstor \Device\ScsiPort3  fffffa80042392c0
Device  \Driver\atapi \Device\ScsiPort4  fffffa80042372c0
Device  \Driver\NetBT \Device\NetBT_Tcpip_{2C58A7E5-8FD6-4DBE-B69E-2093C0DABE7A}  fffffa80045e12c0
Device  \Driver\af0am5kj \Device\ScsiPort5  fffffa8004b2c2c0

---- Trace I/O - GMER 2.1 ----

Trace  ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80042392c0]<< sptd.sys storport.sys hal.dll nvstor.sys  fffffa80042392c0
Trace  1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004522060]  fffffa8004522060
Trace  3 CLASSPNP.SYS[fffff88001b7143f] -> nt!IofCallDriver -> [0xfffffa800427d4f0]  fffffa800427d4f0
Trace  5 ACPI.sys[fffff88000faf7a1] -> nt!IofCallDriver -> \Device\00000064[0xfffffa800427d9c0]  fffffa800427d9c0
Trace  \Driver\nvstor[0xfffffa8004278a40] -> IRP_MJ_CREATE -> 0xfffffa80042392c0  fffffa80042392c0

---- Modules - GMER 2.1 ----

Module  \SystemRoot\System32\Drivers\af0am5kj.SYS  fffff8800ff7a000-fffff8800ffc6000 (311296 bytes)

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch  27196
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0  C:\Program Files (x86)\Alcohol Soft\Alcohol 52\
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0xBB 0x11 0xFE 0x4D ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0  0xA0 0x02 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew  0x90 0xBF 0x27 0x02 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew  0x8D 0xA2 0xBB 0xB1 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{4ACB4215-3E64-408A-A62D-BCD46EE2C372}@LeaseObtainedTime  1438511046
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{4ACB4215-3E64-408A-A62D-BCD46EE2C372}@T1  1438640646
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{4ACB4215-3E64-408A-A62D-BCD46EE2C372}@T2  1438737846
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{4ACB4215-3E64-408A-A62D-BCD46EE2C372}@LeaseTerminatesTime  1438770246
Reg  HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@SpecialPollTimeRemaining  time.windows.com,7cc4e11???????????
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0  C:\Program Files (x86)\Alcohol Soft\Alcohol 52\
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0xBB 0x11 0xFE 0x4D ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0  0xA0 0x02 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew  0x90 0xBF 0x27 0x02 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew  0x8D 0xA2 0xBB 0xB1 ...

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  sector 0: rootkit-like behavior

---- EOF - GMER 2.1 ----
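The user-mode entries in this log repeat the same 2-byte JMP patches, at the same PSAPI.DLL offsets and with the same destinations, in every 32-bit process GMER inspected, including GMER's own 4jz6r97k.exe, while the kernel32.dll!SetUnhandledExceptionFilter patches appear only in the three Hola processes and the kernel IAT redirections are owned by just two drivers (sptd.sys and 360Box64.sys). Reading that by eye across a few hundred lines is error-prone, so the script below parses the ".text" and "IAT" line layouts and groups them: a patch shared by many unrelated processes is one injected hooking component, a patch seen in a single process is application-local, and each kernel IAT entry is attributed to the driver that owns the target. This is an added example, not GMER's code and not part of the original log; the sample input is a constructed subset of lines copied from the log above, and the regular expressions are an assumption about GMER's line format derived only from what this log shows.

```python
"""Group GMER 2.1 hook entries by patch and kernel IAT entries by owner.
Added example (not GMER's code). Regexes are an assumption derived from the
line layout in the log above; SAMPLE_LOG is a constructed subset of it."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the scan log.
SAMPLE_LOG = r"""
.text  C:\Program Files (x86)\netcut\services\AIPS.exe[1100] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075e91401 2 bytes JMP 000000010679a47b
.text  C:\Program Files (x86)\netcut\services\AIPS.exe[1100] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075e91419 2 bytes JMP 000000010679a493
.text  ...  * 9
.text  C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1144] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075e91401 2 bytes JMP 000000010679a47b
.text  C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[1144] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075e91419 2 bytes JMP 000000010679a493
.text  C:\Program Files\Hola\app\hola.exe[2144] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter  0000000077669020 13 bytes {JMP QWORD [RIP+0x0]}
.text  C:\Program Files\Hola\app\hola.exe[2144] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter + 14  000000007766902e 1 byte INT3
.text  C:\Users\Kolbe\Downloads\4jz6r97k.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075e91401 2 bytes JMP 000000010679a47b
IAT  C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IofCallDriver]  [fffff880010ca710] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]  [fffff880010adcc0] \SystemRoot\System32\Drivers\sptd.sys [.text]
IAT  C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback]  [fffff8800431bcac] \SystemRoot\system32\DRIVERS\360Box64.sys [.text]
"""

# ".text  <process path>[pid] <module>!<export>[ + <offset>]  <addr> <n> byte(s) <patch>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+)!(?P<func>\w+)(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]{8,16})\s+(?P<size>\d+)\s+bytes?\s+(?P<patch>.+?)\s*$"
)
# ".text  ...  * N" is GMER folding N further entries of the same process.
ELIDED_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s+(?P<count>\d+)\s*$")
# "IAT  <image>[<import>]  [<addr>] <owning driver> [<section>]"
IAT_RE = re.compile(
    r"^IAT\s+(?P<image>\S+)\[(?P<import>[^\]]+)\]\s+\[(?P<addr>[0-9a-fA-F]+)\]\s+"
    r"(?P<owner>\S+)\s+\[(?P<section>[^\]]+)\]\s*$"
)


@dataclass(frozen=True)
class Hook:
    image: str    # process image basename, e.g. AIPS.exe
    pid: int
    module: str   # hooked DLL path exactly as GMER prints it
    func: str     # hooked export
    offset: int   # byte offset of the patch inside the export (0 = entry point)
    addr: int     # virtual address of the patched bytes
    size: int     # number of patched bytes
    patch: str    # GMER's rendering of the new bytes, e.g. "JMP 000000010679a47b"


def parse_hooks(text):
    """Return (hooks, elided): parsed '.text' entries and the number of
    entries GMER folded into '.text ... * N' lines."""
    hooks, elided = [], 0
    for line in text.splitlines():
        line = line.strip()
        m = ELIDED_RE.match(line)
        if m:
            elided += int(m["count"])
            continue
        m = HOOK_RE.match(line)
        if not m:
            continue  # headers, IAT/Device/Reg entries, blank lines
        hooks.append(Hook(
            image=m["proc"].rsplit("\\", 1)[-1], pid=int(m["pid"]),
            module=m["module"], func=m["func"], offset=int(m["offset"] or 0),
            addr=int(m["addr"], 16), size=int(m["size"]), patch=m["patch"]))
    return hooks, elided


def parse_iat(text):
    """Map owning driver basename -> list of 'image[import]' it redirected."""
    owners = defaultdict(list)
    for line in text.splitlines():
        m = IAT_RE.match(line.strip())
        if m:
            owners[m["owner"].rsplit("\\", 1)[-1]].append(f"{m['image']}[{m['import']}]")
    return dict(owners)


def group_by_patch(hooks):
    """Key = (module, export, offset, patch); value = sorted 'image[pid]' list."""
    groups = defaultdict(set)
    for h in hooks:
        groups[(h.module, h.func, h.offset, h.patch)].add(f"{h.image}[{h.pid}]")
    return {k: sorted(v) for k, v in groups.items()}


def summarize(hooks):
    """Split patches into those shared by several processes (one injected
    hooking component) and those present in a single process only."""
    groups = group_by_patch(hooks)
    shared = {k: v for k, v in groups.items() if len(v) > 1}
    local = {k: v for k, v in groups.items() if len(v) == 1}
    return shared, local


if __name__ == "__main__":
    hooks, elided = parse_hooks(SAMPLE_LOG)
    shared, local = summarize(hooks)
    print(f"{len(hooks)} hook lines parsed, {elided} folded by GMER")
    for (module, func, off, patch), procs in shared.items():
        print(f"shared  {module}!{func}+{off} {patch}: {', '.join(procs)}")
    for (module, func, off, patch), procs in local.items():
        print(f"local   {module}!{func}+{off} {patch}: {procs[0]}")
    for owner, targets in parse_iat(SAMPLE_LOG).items():
        print(f"IAT owner {owner}: {', '.join(targets)}")
```

Feed it the full log instead of SAMPLE_LOG and the "shared" set collapses to the 16 PSAPI.DLL patches carried by all six 32-bit processes, the "local" set to the two SetUnhandledExceptionFilter patches per Hola process, and the IAT owners to sptd.sys (six entries in pci.sys and atapi.sys) and 360Box64.sys (one entry in win32k.sys).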