GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-05-19 16:22:38
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 596,17GB
Running: rmq2tm48.exe; Driver: C:\Users\Sumik\AppData\Local\Temp\kwddykob.sys

---- User code sections - GMER 2.2 ----

.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2236]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  00000000758a1401 2 bytes JMP 758eb233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2236]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  00000000758a1419 2 bytes JMP 758eb35e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2236]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  00000000758a1431 2 bytes JMP 75969149 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2236]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  00000000758a144a 2 bytes CALL 758c4885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2236]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000758a14dd 2 bytes JMP 75968a42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2236]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000758a14f5 2 bytes JMP 75968c18 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2236]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  00000000758a150d 2 bytes JMP 75968938 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2236]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  00000000758a1525 2 bytes JMP 75968d02 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2236]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  00000000758a153d 2 bytes JMP 758dfcc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2236]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  00000000758a1555 2 bytes JMP 758e6907 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2236]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  00000000758a156d 2 bytes JMP 75969201 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2236]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  00000000758a1585 2 bytes JMP 75968d62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2236]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  00000000758a159d 2 bytes JMP 759688fc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2236]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000758a15b5 2 bytes JMP 758dfd59 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2236]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000758a15cd 2 bytes JMP 758eb2f4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2236]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000758a16b2 2 bytes JMP 759690c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe[2236]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000758a16bd 2 bytes JMP 75968891 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[3000]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  00000000758a1401 2 bytes JMP 758eb233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[3000]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  00000000758a1419 2 bytes JMP 758eb35e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[3000]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  00000000758a1431 2 bytes JMP 75969149 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[3000]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  00000000758a144a 2 bytes CALL 758c4885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[3000]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000758a14dd 2 bytes JMP 75968a42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[3000]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000758a14f5 2 bytes JMP 75968c18 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[3000]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  00000000758a150d 2 bytes JMP 75968938 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[3000]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  00000000758a1525 2 bytes JMP 75968d02 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[3000]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  00000000758a153d 2 bytes JMP 758dfcc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[3000]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  00000000758a1555 2 bytes JMP 758e6907 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[3000]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  00000000758a156d 2 bytes JMP 75969201 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[3000]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  00000000758a1585 2 bytes JMP 75968d62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[3000]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  00000000758a159d 2 bytes JMP 759688fc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[3000]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000758a15b5 2 bytes JMP 758dfd59 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[3000]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000758a15cd 2 bytes JMP 758eb2f4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[3000]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000758a16b2 2 bytes JMP 759690c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe[3000]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000758a16bd 2 bytes JMP 75968891 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2464]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  00000000758a1401 2 bytes JMP 758eb233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2464]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  00000000758a1419 2 bytes JMP 758eb35e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2464]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  00000000758a1431 2 bytes JMP 75969149 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2464]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  00000000758a144a 2 bytes CALL 758c4885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2464]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000758a14dd 2 bytes JMP 75968a42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2464]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000758a14f5 2 bytes JMP 75968c18 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2464]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  00000000758a150d 2 bytes JMP 75968938 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2464]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  00000000758a1525 2 bytes JMP 75968d02 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2464]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  00000000758a153d 2 bytes JMP 758dfcc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2464]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  00000000758a1555 2 bytes JMP 758e6907 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2464]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  00000000758a156d 2 bytes JMP 75969201 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2464]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  00000000758a1585 2 bytes JMP 75968d62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2464]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  00000000758a159d 2 bytes JMP 759688fc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2464]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000758a15b5 2 bytes JMP 758dfd59 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2464]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000758a15cd 2 bytes JMP 758eb2f4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2464]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000758a16b2 2 bytes JMP 759690c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[2464]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000758a16bd 2 bytes JMP 75968891 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3108]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  00000000758a1401 2 bytes JMP 758eb233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3108]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  00000000758a1419 2 bytes JMP 758eb35e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3108]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  00000000758a1431 2 bytes JMP 75969149 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3108]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  00000000758a144a 2 bytes CALL 758c4885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3108]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000758a14dd 2 bytes JMP 75968a42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3108]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000758a14f5 2 bytes JMP 75968c18 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3108]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  00000000758a150d 2 bytes JMP 75968938 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3108]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  00000000758a1525 2 bytes JMP 75968d02 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3108]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  00000000758a153d 2 bytes JMP 758dfcc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3108]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  00000000758a1555 2 bytes JMP 758e6907 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3108]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  00000000758a156d 2 bytes JMP 75969201 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3108]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  00000000758a1585 2 bytes JMP 75968d62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3108]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  00000000758a159d 2 bytes JMP 759688fc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3108]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000758a15b5 2 bytes JMP 758dfd59 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3108]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000758a15cd 2 bytes JMP 758eb2f4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3108]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000758a16b2 2 bytes JMP 759690c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[3108]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000758a16bd 2 bytes JMP 75968891 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3636]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  00000000758a1401 2 bytes JMP 758eb233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3636]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  00000000758a1419 2 bytes JMP 758eb35e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3636]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  00000000758a1431 2 bytes JMP 75969149 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3636]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  00000000758a144a 2 bytes CALL 758c4885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3636]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000758a14dd 2 bytes JMP 75968a42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3636]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000758a14f5 2 bytes JMP 75968c18 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3636]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  00000000758a150d 2 bytes JMP 75968938 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3636]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  00000000758a1525 2 bytes JMP 75968d02 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3636]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  00000000758a153d 2 bytes JMP 758dfcc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3636]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  00000000758a1555 2 bytes JMP 758e6907 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3636]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  00000000758a156d 2 bytes JMP 75969201 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3636]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  00000000758a1585 2 bytes JMP 75968d62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3636]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  00000000758a159d 2 bytes JMP 759688fc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3636]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000758a15b5 2 bytes JMP 758dfd59 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3636]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000758a15cd 2 bytes JMP 758eb2f4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3636]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000758a16b2 2 bytes JMP 759690c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\EaseUS\Todo Backup\bin\TodoBackupService.exe[3636]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000758a16bd 2 bytes JMP 75968891 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[4592]  C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW  0000000075c92bdc 5 bytes JMP 000000006761c3d0
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[4592]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  00000000758a1401 2 bytes JMP 758eb233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[4592]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  00000000758a1419 2 bytes JMP 758eb35e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[4592]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  00000000758a1431 2 bytes JMP 75969149 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[4592]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  00000000758a144a 2 bytes CALL 758c4885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[4592]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000758a14dd 2 bytes JMP 75968a42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[4592]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000758a14f5 2 bytes JMP 75968c18 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[4592]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  00000000758a150d 2 bytes JMP 75968938 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[4592]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  00000000758a1525 2 bytes JMP 75968d02 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[4592]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  00000000758a153d 2 bytes JMP 758dfcc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[4592]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  00000000758a1555 2 bytes JMP 758e6907 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[4592]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  00000000758a156d 2 bytes JMP 75969201 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[4592]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  00000000758a1585 2 bytes JMP 75968d62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[4592]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  00000000758a159d 2 bytes JMP 759688fc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[4592]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000758a15b5 2 bytes JMP 758dfd59 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[4592]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000758a15cd 2 bytes JMP 758eb2f4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[4592]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000758a16b2 2 bytes JMP 759690c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[4592]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000758a16bd 2 bytes JMP 75968891 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5872]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  00000000758a1401 2 bytes JMP 758eb233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5872]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  00000000758a1419 2 bytes JMP 758eb35e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5872]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  00000000758a1431 2 bytes JMP 75969149 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5872]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  00000000758a144a 2 bytes CALL 758c4885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5872]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000758a14dd 2 bytes JMP 75968a42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5872]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000758a14f5 2 bytes JMP 75968c18 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5872]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  00000000758a150d 2 bytes JMP 75968938 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5872]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  00000000758a1525 2 bytes JMP 75968d02 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5872]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  00000000758a153d 2 bytes JMP 758dfcc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5872]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  00000000758a1555 2 bytes JMP 758e6907 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5872]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  00000000758a156d 2 bytes JMP 75969201 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5872]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  00000000758a1585 2 bytes JMP 75968d62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5872]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  00000000758a159d 2 bytes JMP 759688fc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5872]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000758a15b5 2 bytes JMP 758dfd59 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5872]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000758a15cd 2 bytes JMP 758eb2f4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5872]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000758a16b2 2 bytes JMP 759690c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[5872]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000758a16bd 2 bytes JMP 75968891 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6944]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  00000000758a1401 2 bytes JMP 758eb233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6944]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  00000000758a1419 2 bytes JMP 758eb35e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6944]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  00000000758a1431 2 bytes JMP 75969149 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6944]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  00000000758a144a 2 bytes CALL 758c4885 C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6944]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000758a14dd 2 bytes JMP 75968a42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6944]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000758a14f5 2 bytes JMP 75968c18 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6944]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  00000000758a150d 2 bytes JMP 75968938 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6944]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  00000000758a1525 2 bytes JMP 75968d02 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6944]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  00000000758a153d 2 bytes JMP 758dfcc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6944]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  00000000758a1555 2 bytes JMP 758e6907 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6944]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  00000000758a156d 2 bytes JMP 75969201 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6944]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  00000000758a1585 2 bytes JMP 75968d62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6944]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  00000000758a159d 2 bytes JMP 759688fc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6944]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000758a15b5 2 bytes JMP 758dfd59 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6944]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000758a15cd 2 bytes JMP 758eb2f4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6944]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000758a16b2 2 bytes JMP 759690c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG\Framework\Common\avguix.exe[6944]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000758a16bd 2 bytes JMP 75968891 C:\Windows\syswow64\kernel32.dll

---- User IAT/EAT - GMER 2.2 ----

IAT  C:\Windows\system32\winlogon.exe[652] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress]  [7fefa662950] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\winlogon.exe[652] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!ReadFile]  [7fefa662830] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\winlogon.exe[652] @ C:\Windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress]  [7fefa662950] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\winlogon.exe[652] @ C:\Windows\system32\themeservice.dll[KERNEL32.dll!ReadFile]  [7fefa662830] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\svchost.exe[1260] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress]  [7fefa662950] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\svchost.exe[1260] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!ReadFile]  [7fefa662830] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\svchost.exe[1260] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress]  [7fefa662950] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\svchost.exe[1260] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!ReadFile]  [7fefa662830] c:\windows\system32\uxtuneup.dll
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\msiexec.exe[ADVAPI32.dll!RegCreateKeyExW]  [7fef54ab4f4] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\msiexec.exe[ADVAPI32.dll!RegDeleteValueW]  [7fef54abbc8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\msiexec.exe[ADVAPI32.dll!RegOpenKeyExW]  [7fef54ab6d0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\msiexec.exe[ADVAPI32.dll!RegSetValueExW]  [7fef54abaa8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\msiexec.exe[KERNEL32.dll!GetProcAddress]  [7fefcb44230] C:\Windows\system32\apphelp.dll
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!CopyFileW]  [7fef54aa184] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!GetProcAddress]  [7fefcb44230] C:\Windows\system32\apphelp.dll
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!CreateFileW]  [7fef54aa42c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!DeleteFileW]  [7fef54aa5e4] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!RegOpenKeyExW]  [7fef54ab6d0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!RegCreateKeyExW]  [7fef54ab4f4] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!RegSetValueExW]  [7fef54abaa8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!GetProcAddress]  [7fefcb44230] C:\Windows\system32\apphelp.dll
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!CreateFileW]  [7fef54aa42c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\GDI32.dll[KERNEL32.dll!CopyFileW]  [7fef54aa184] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\GDI32.dll[KERNEL32.dll!DeleteFileW]  [7fef54aa5e4] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\GDI32.dll[KERNEL32.dll!CreateFileW]  [7fef54aa42c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\GDI32.dll[KERNEL32.dll!GetProcAddress]  [7fefcb44230] C:\Windows\system32\apphelp.dll
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\msi.dll[ADVAPI32.dll!SetFileSecurityW]  [7fef54abcb0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\msi.dll[ADVAPI32.dll!RegCreateKeyExW]  [7fef54ab4f4] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\msi.dll[ADVAPI32.dll!RegSetValueExA]  [7fef54aba0c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\msi.dll[ADVAPI32.dll!RegOpenKeyExW]  [7fef54ab6d0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\msi.dll[ADVAPI32.dll!RegDeleteValueW]  [7fef54abbc8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\msi.dll[ADVAPI32.dll!RegDeleteKeyW]  [7fef54ad12c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\msi.dll[ADVAPI32.dll!RegSetValueExW]  [7fef54abaa8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\msi.dll[KERNEL32.dll!MoveFileExW]  [7fef54aa804] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\msi.dll[KERNEL32.dll!SetFileAttributesW]  [7fef54aabe0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\msi.dll[KERNEL32.dll!MoveFileW]  [7fef54aa6e0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\msi.dll[KERNEL32.dll!DeleteFileW]  [7fef54aa5e4] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\msi.dll[KERNEL32.dll!CreateFileW]  [7fef54aa42c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\msi.dll[KERNEL32.dll!GetProcAddress]  [7fefcb44230] C:\Windows\system32\apphelp.dll
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\SHELL32.dll[KERNEL32.dll!CopyFileW]  [7fef54aa184] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\SHELL32.dll[KERNEL32.dll!MoveFileExW]  [7fef54aa804] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\SHELL32.dll[KERNEL32.dll!MoveFileW]  [7fef54aa6e0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!DeleteFileW]  [7fef54aa5e4] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateFileW]  [7fef54aa42c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!SetFileAttributesW]  [7fef54aabe0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!SetFileAttributesA]  [7fef54aab7c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetProcAddress]  [7fefcb44230] C:\Windows\system32\apphelp.dll
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateFileA]  [7fef54aa2d8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\WINSPOOL.DRV[KERNEL32.dll!DeleteFileW]  [7fef54aa5e4] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\WINSPOOL.DRV[KERNEL32.dll!MoveFileExW]  [7fef54aa804] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\WINSPOOL.DRV[KERNEL32.dll!SetFileAttributesW]  [7fef54aabe0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\WINSPOOL.DRV[KERNEL32.dll!CopyFileW]  [7fef54aa184] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\WINSPOOL.DRV[KERNEL32.dll!CreateFileW]  [7fef54aa42c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\WINSPOOL.DRV[KERNEL32.dll!GetProcAddress]  [7fefcb44230] C:\Windows\system32\apphelp.dll
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\MPR.dll[KERNEL32.dll!GetProcAddress]  [7fefcb44230] C:\Windows\system32\apphelp.dll
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\sfc_os.DLL[KERNEL32.dll!GetProcAddress]  [7fefcb44230] C:\Windows\system32\apphelp.dll
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\USERENV.dll[KERNEL32.dll!PrivCopyFileExW]  [7fef54aab04] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\USERENV.dll[KERNEL32.dll!MoveFileExW]  [7fef54aa804] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL
IAT  C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\dwmapi.dll[KERNEL32.dll!GetProcAddress]  [7fefcb44230] C:\Windows\system32\apphelp.dll
IAT  C:\Windows\system32\msiexec.exe[6544] @
C:\Windows\system32\IMM32.DLL[KERNEL32.dll!OpenFile] [7fef54aa890] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\IMM32.DLL[KERNEL32.dll!CreateFileW] [7fef54aa42c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\IMM32.DLL[KERNEL32.dll!GetProcAddress] [7fefcb44230] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\MSCTF.dll[KERNEL32.dll!GetProcAddress] [7fefcb44230] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\COMCTL32.DLL[KERNEL32.dll!CreateFileW] [7fef54aa42c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\COMCTL32.DLL[KERNEL32.dll!GetProcAddress] [7fefcb44230] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\CLBCatQ.DLL[ADVAPI32.dll!RegDeleteValueW] [7fef54abbc8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\CLBCatQ.DLL[ADVAPI32.dll!RegCreateKeyExW] [7fef54ab4f4] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\CLBCatQ.DLL[ADVAPI32.dll!RegSetValueExW] [7fef54abaa8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\CLBCatQ.DLL[ADVAPI32.dll!RegOpenKeyExW] [7fef54ab6d0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!MoveFileExW] [7fef54aa804] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!CreateFileW] [7fef54aa42c] 
C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!SetFileAttributesW] [7fef54aabe0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!MoveFileW] [7fef54aa6e0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!DeleteFileW] [7fef54aa5e4] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!GetProcAddress] [7fefcb44230] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!GetProcAddress] [7fefcb44230] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!_lwrite] [7fef54aaa1c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!CreateFileW] [7fef54aa42c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!CreateFileA] [7fef54aa2d8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\rsaenh.dll[KERNEL32.dll!DeleteFileW] [7fef54aa5e4] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\rsaenh.dll[KERNEL32.dll!CreateFileW] [7fef54aa42c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\rsaenh.dll[KERNEL32.dll!RegCreateKeyExA] [7fef54ab3dc] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\rsaenh.dll[KERNEL32.dll!GetProcAddress] [7fefcb44230] C:\Windows\system32\apphelp.dll IAT C:\Windows\system32\msiexec.exe[6544] @ 
C:\Windows\system32\rsaenh.dll[KERNEL32.dll!MoveFileExW] [7fef54aa804] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Windows\system32\msiexec.exe[6544] @ C:\Windows\system32\rsaenh.dll[KERNEL32.dll!RegSetValueExA] [7fef54aba0c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL ---- Registry - GMER 2.2 ---- Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{007C9DDC-B3D9-2251-A05D-97368BA619DD} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{007C9DDC-B3D9-2251-A05D-97368BA619DD}@janjphedjnkfepgcpbln 0x62 0x61 0x6C 0x65 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{007C9DDC-B3D9-2251-A05D-97368BA619DD}@janjphedjnkfepgcpbhn 0x62 0x61 0x6C 0x65 ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----