GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-05-22 18:15:43 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 ST500DM002-1BD142 rev.KC45 465,76GB Running: gmer.exe; Driver: C:\Users\REAL\AppData\Local\Temp\aftcqaob.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Steam\Steam.exe[1580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b51465 2 bytes [B5, 74] .text C:\Program Files (x86)\Steam\Steam.exe[1580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b514bb 2 bytes [B5, 74] .text ... * 2 .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b51465 2 bytes [B5, 74] .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3144] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b514bb 2 bytes [B5, 74] .text ... * 2 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3156] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b51465 2 bytes [B5, 74] .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[3156] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b514bb 2 bytes [B5, 74] .text ... * 2 .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076f9f9a1 7 bytes {MOV EDX, 0x8e42e8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 5 0000000076f9fa1d 7 bytes {MOV EDX, 0x8e41a8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 5 0000000076f9fb35 7 bytes {MOV EDX, 0x8e4168; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076f9fbe5 7 bytes {MOV EDX, 0x8e4328; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076f9fc15 7 bytes {MOV EDX, 0x8e4268; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076f9fc2d 7 bytes {MOV EDX, 0x8e4128; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076f9fc45 7 bytes {MOV EDX, 0x8e43e8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076f9fc75 7 bytes {MOV EDX, 0x8e4428; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076f9fcf5 7 bytes {MOV EDX, 0x8e43a8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076f9fd0d 7 bytes {MOV EDX, 0x8e4368; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076f9fd59 7 bytes {MOV EDX, 0x8e4068; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076f9fe51 7 bytes {MOV EDX, 0x8e40a8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fa00a9 7 bytes {MOV EDX, 0x8e4028; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 5 0000000076fa100d 7 bytes {MOV EDX, 0x8e41e8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fa10b5 7 bytes {MOV EDX, 0x8e42a8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fa112d 7 bytes {MOV EDX, 0x8e4228; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fa1331 7 bytes {MOV EDX, 0x8e40e8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b51465 2 bytes [B5, 74] .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b514bb 2 bytes [B5, 74] .text ... * 2 .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076f9f9a1 7 bytes {MOV EDX, 0x8f52e8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 5 0000000076f9fa1d 7 bytes {MOV EDX, 0x8f51a8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 5 0000000076f9fb35 7 bytes {MOV EDX, 0x8f5168; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076f9fbe5 7 bytes {MOV EDX, 0x8f5328; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076f9fc15 7 bytes {MOV EDX, 0x8f5268; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076f9fc2d 7 bytes {MOV EDX, 0x8f5128; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076f9fc45 7 bytes {MOV EDX, 0x8f53e8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076f9fc75 7 bytes {MOV EDX, 0x8f5428; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076f9fcf5 7 bytes {MOV EDX, 0x8f53a8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076f9fd0d 7 bytes {MOV EDX, 0x8f5368; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076f9fd59 7 bytes {MOV EDX, 0x8f5068; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076f9fe51 7 bytes {MOV EDX, 0x8f50a8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076fa00a9 7 bytes {MOV EDX, 0x8f5028; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 5 0000000076fa100d 7 bytes {MOV EDX, 0x8f51e8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076fa10b5 7 bytes {MOV EDX, 0x8f52a8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076fa112d 7 bytes {MOV EDX, 0x8f5228; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3656] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076fa1331 7 bytes {MOV EDX, 0x8f50e8; JMP RDX} .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3656] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074b51465 2 bytes [B5, 74] .text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3656] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074b514bb 2 bytes [B5, 74] .text ... * 2 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----