GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-09-02 18:13:24
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 HITACHI_HTS547550A9E384 rev.JE3ZD60D 465,76GB
Running: gmer.exe; Driver: C:\Users\PIEJ\AppData\Local\Temp\aftcyaog.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f41465 2 bytes [F4, 76]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[2920] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f414bb 2 bytes [F4, 76]
.text ... * 2
.text C:\Windows\SysWOW64\RunDll32.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f41465 2 bytes [F4, 76]
.text C:\Windows\SysWOW64\RunDll32.exe[2736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f414bb 2 bytes [F4, 76]
.text ... * 2
.text C:\Windows\SysWOW64\msiexec.exe[3248] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077b1fc30 5 bytes JMP 000000007ef938b1
.text C:\Windows\SysWOW64\msiexec.exe[3248] C:\Windows\syswow64\ws2_32.dll!GetAddrInfoW 0000000075da4889 5 bytes JMP 0000000100221370
.text C:\Program Files (x86)\WinRAR\WinRAR.exe[4072] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f41465 2 bytes [F4, 76]
.text C:\Program Files (x86)\WinRAR\WinRAR.exe[4072] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f414bb 2 bytes [F4, 76]
.text ... * 2

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[msvcrt.dll!_initterm] [1781c00014a9c]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[msvcrt.dll!free] [661dd000661cd]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[msvcrt.dll!malloc] [6617e000661ef]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[msvcrt.dll!_unlock] [6621900066203]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[msvcrt.dll!__dllonexit] [6624b0006622d]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[msvcrt.dll!_XcptFilter] [6627700066261]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[msvcrt.dll!??3@YAXPEAX@Z] [662a00006628f]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[msvcrt.dll!_amsg_exit] [662c7000662b4]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[msvcrt.dll!??_U@YAPEAX_K@Z] [662ed000662db]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[msvcrt.dll!??_V@YAXPEAX@Z] [6631500066301]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[msvcrt.dll!_purecall] [6633f00066328]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[msvcrt.dll!wcschr] [663700006635a]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[msvcrt.dll!memset] [6639600066380]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[msvcrt.dll!memcpy] [663c6000663af]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[msvcrt.dll!_vsnwprintf] [663ff000663e1]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[msvcrt.dll!_lock] [6642d00066415]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[msvcrt.dll!_onexit] [6645d00066444]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[msvcrt.dll!??2@YAPEAX_K@Z] [6647d0006646d]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[ntdll.dll!RtlLookupFunctionEntry] [664c5000664b1]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[ntdll.dll!RtlCaptureContext] [664ec000664d5]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[ntdll.dll!RtlSubAuthoritySid] [6651f0006650a]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[ntdll.dll!RtlInitializeSid] [6655400066538]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[ntdll.dll!EtwTraceMessage] [6657d0006656b]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[ntdll.dll!RtlInitUnicodeString] [665a800066592]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[ntdll.dll!RtlMapGenericMask] [665cf000665b8]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[ntdll.dll!RtlVirtualUnwind] [665f2000665df]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!DisableThreadLibraryCalls] [6663b00066629]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!CloseHandle] [661b70006664d]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!GetLastError] [600050004]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!LocalFree] [8000700020001]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!FreeLibrary] [c000b000a0009]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!GetProcAddress] [10000f000e000d]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!LoadLibraryExA] [14001300120011]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!DelayLoadFailureHook] [18001700160015]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!Sleep] [1c001b001a0019]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!QueryPerformanceCounter] [20001f001e001d]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!GetTickCount] [24002300220021]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!GetCurrentThreadId] [28002700260025]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!GetCurrentProcessId] [2c002b002a0029]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [30002f002e002d]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!TerminateProcess] [34003300320031]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!GetCurrentProcess] [38003700360035]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!UnhandledExceptionFilter] [3003b003a0039]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [33455345434c5153]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!CompareStringW] [6e45006c6c642e30]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!DeleteFileW] [726f7453656c6261]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!CreateFileW] [63616279616c5065]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!ExpandEnvironmentStringsW] [656c62616e45006b]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!OpenProcess] [61725465726f7453]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!lstrcmpiW] [696e4900676e6963]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!GetComputerNameW] [696c616972655374]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!lstrlenW] [53006e6f6974617a]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!ReadFile] [7453646e65707375]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!GetFileSize] [617265704f65726f]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!GetModuleHandleW] [6c6c44006e6f6974]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!SystemTimeToFileTime] [616f6c6e556e6143]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!FileTimeToSystemTime] [6c6c4400776f4e64]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!TzSpecificLocalTimeToSystemTime] [7373616c43746547]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!SystemTimeToTzSpecificLocalTime] [45007463656a624f]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!WaitForSingleObject] [73706f7250657361]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!ResetEvent] [644165436c715300]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!CreateEventW] [726150636e795364]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!CompareStringOrdinal] [6c71530072656e74]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!RegOpenKeyExW] [6863617474416543]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!RegCloseKey] [72546d6f74737543]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!InitOnceExecuteOnce] [6144676e696b6361]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!RegQueryInfoKeyW] [65436c7153006174]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!RegEnumValueW] [6e79536e69676542]
IAT C:\Windows\system32\DllHost.exe[3648] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!LocalAlloc] [6e6f697373655363]

---- Threads - GMER 2.1 ----

Thread C:\Windows\System32\svchost.exe [1536:2820] 000007fef609ed7c
Thread C:\Windows\System32\svchost.exe [1536:2828] 000007fef7529688
Thread C:\Windows\SysWOW64\msiexec.exe [3248:3664] 000000007ef9392e