GMER 2.1.19155 - http://www.gmer.net Rootkit scan 2013-04-04 00:43:38 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0003 465,76GB Running: 9gkvy7jw.exe; Driver: C:\Users\Asus\AppData\Local\Temp\kwloyuow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\SysWOW64\PnkBstrA.exe[1700] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000071d41a22 2 bytes [D4, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[1700] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000071d41ad0 2 bytes [D4, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[1700] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000071d41b08 2 bytes [D4, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[1700] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000071d41bba 2 bytes [D4, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[1700] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000071d41bda 2 bytes [D4, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[1700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077271465 2 bytes [27, 77] .text C:\Windows\SysWOW64\PnkBstrA.exe[1700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772714bb 2 bytes [27, 77] .text ... * 2 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077271465 2 bytes [27, 77] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772714bb 2 bytes [27, 77] .text ... * 2 .text C:\Windows\AsScrPro.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077271465 2 bytes [27, 77] .text C:\Windows\AsScrPro.exe[3404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772714bb 2 bytes [27, 77] .text ... * 2 .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[4868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077271465 2 bytes [27, 77] .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[4868] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772714bb 2 bytes [27, 77] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [4868] entry point in ".rdata" section 00000000740871e6 .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000772bf9a1 7 bytes {MOV EDX, 0xd40628; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000772bfbe5 7 bytes {MOV EDX, 0xd40668; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000772bfc15 7 bytes {MOV EDX, 0xd405a8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000772bfc2d 7 bytes {MOV EDX, 0xd40528; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000772bfc45 7 bytes {MOV EDX, 0xd40728; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000772bfc75 7 bytes {MOV EDX, 0xd40768; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000772bfcf5 7 bytes {MOV EDX, 0xd406e8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000772bfd0d 7 bytes {MOV EDX, 0xd406a8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000772bfd59 7 bytes {MOV EDX, 0xd40468; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000772bfe51 7 bytes {MOV EDX, 0xd404a8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772c00a9 7 bytes {MOV EDX, 0xd40428; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772c10b5 7 bytes {MOV EDX, 0xd405e8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000772c112d 7 bytes {MOV EDX, 0xd40568; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5020] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000772c1331 7 bytes {MOV EDX, 0xd404e8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5020] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077271465 2 bytes [27, 77] .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5020] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772714bb 2 bytes [27, 77] .text ... * 2 .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000772bf9a1 7 bytes {MOV EDX, 0x4be628; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000772bfbe5 7 bytes {MOV EDX, 0x4be668; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000772bfc15 7 bytes {MOV EDX, 0x4be5a8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000772bfc2d 7 bytes {MOV EDX, 0x4be528; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000772bfc45 7 bytes {MOV EDX, 0x4be728; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000772bfc75 7 bytes {MOV EDX, 0x4be768; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000772bfcf5 7 bytes {MOV EDX, 0x4be6e8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000772bfd0d 7 bytes {MOV EDX, 0x4be6a8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000772bfd59 7 bytes {MOV EDX, 0x4be468; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000772bfe51 7 bytes {MOV EDX, 0x4be4a8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772c00a9 7 bytes {MOV EDX, 0x4be428; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772c10b5 7 bytes {MOV EDX, 0x4be5e8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000772c112d 7 bytes {MOV EDX, 0x4be568; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000772c1331 7 bytes {MOV EDX, 0x4be4e8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077271465 2 bytes [27, 77] .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772714bb 2 bytes [27, 77] .text ... * 2 .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000772bf9a1 7 bytes {MOV EDX, 0xd8ca28; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000772bfbe5 7 bytes {MOV EDX, 0xd8ca68; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000772bfc15 7 bytes {MOV EDX, 0xd8c9a8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000772bfc2d 7 bytes {MOV EDX, 0xd8c928; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000772bfc45 7 bytes {MOV EDX, 0xd8cb28; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000772bfc75 7 bytes {MOV EDX, 0xd8cb68; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000772bfcf5 7 bytes {MOV EDX, 0xd8cae8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000772bfd0d 7 bytes {MOV EDX, 0xd8caa8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000772bfd59 7 bytes {MOV EDX, 0xd8c868; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000772bfe51 7 bytes {MOV EDX, 0xd8c8a8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772c00a9 7 bytes {MOV EDX, 0xd8c828; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772c10b5 7 bytes {MOV EDX, 0xd8c9e8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000772c112d 7 bytes {MOV EDX, 0xd8c968; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000772c1331 7 bytes {MOV EDX, 0xd8c8e8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077271465 2 bytes [27, 77] .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772714bb 2 bytes [27, 77] .text ... * 2 .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000772bf9a1 7 bytes {MOV EDX, 0xf4b628; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000772bfbe5 7 bytes {MOV EDX, 0xf4b668; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000772bfc15 7 bytes {MOV EDX, 0xf4b5a8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000772bfc2d 7 bytes {MOV EDX, 0xf4b528; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000772bfc45 7 bytes {MOV EDX, 0xf4b728; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000772bfc75 7 bytes {MOV EDX, 0xf4b768; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000772bfcf5 7 bytes {MOV EDX, 0xf4b6e8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000772bfd0d 7 bytes {MOV EDX, 0xf4b6a8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000772bfd59 7 bytes {MOV EDX, 0xf4b468; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000772bfe51 7 bytes {MOV EDX, 0xf4b4a8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772c00a9 7 bytes {MOV EDX, 0xf4b428; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772c10b5 7 bytes {MOV EDX, 0xf4b5e8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000772c112d 7 bytes {MOV EDX, 0xf4b568; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000772c1331 7 bytes {MOV EDX, 0xf4b4e8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077271465 2 bytes [27, 77] .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[3024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772714bb 2 bytes [27, 77] .text ... * 2 .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5152] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000772bf9a1 7 bytes {MOV EDX, 0xa65a28; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5152] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000772bfbe5 7 bytes {MOV EDX, 0xa65a68; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5152] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000772bfc15 7 bytes {MOV EDX, 0xa659a8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5152] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000772bfc2d 7 bytes {MOV EDX, 0xa65928; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5152] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000772bfc45 7 bytes {MOV EDX, 0xa65b28; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5152] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000772bfc75 7 bytes {MOV EDX, 0xa65b68; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5152] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000772bfcf5 7 bytes {MOV EDX, 0xa65ae8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5152] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000772bfd0d 7 bytes {MOV EDX, 0xa65aa8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5152] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000772bfd59 7 bytes {MOV EDX, 0xa65868; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5152] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000772bfe51 7 bytes {MOV EDX, 0xa658a8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5152] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000772c00a9 7 bytes {MOV EDX, 0xa65828; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5152] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000772c10b5 7 bytes {MOV EDX, 0xa659e8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5152] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000772c112d 7 bytes {MOV EDX, 0xa65968; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5152] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000772c1331 7 bytes {MOV EDX, 0xa658e8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5152] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077271465 2 bytes [27, 77] .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[5152] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772714bb 2 bytes [27, 77] .text ... * 2 ---- Processes - GMER 2.1 ---- Library Q:\140066.plk\Office14\WINWORDC.EXE (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5864] 000000002f420000 Library Q:\140066.plk\Office14\wwlibc.dll (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5864] 0000000065430000 Library Q:\140066.plk\Office14\gfx.dll (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5864] 0000000069f90000 Library Q:\140066.plk\Office14\oart.dll (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5864] 0000000064090000 Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\MSO.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5864] 0000000062eb0000 Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5864] 0000000069b80000 Library Q:\140066.plk\Office14\1045\WWINTLC.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5864] 000000006a270000 Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\1045\MSOINTL.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5864] 0000000069850000 Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\MSPTLS.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5864] 0000000069790000 Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\RICHED20.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5864] 0000000069640000 Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\MSORES.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5864] 000000005e980000 Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\OFFICE14\USP10.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5864] 0000000069530000 Library Q:\140066.plk\Office14\msproof7.dll (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5864] 000000006a410000 Library Q:\140066.plk\VFS\CSIDL_PROGRAM_FILES_COMMON\Microsoft Shared\PROOF\MSLID.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5864] 00000000507c0000 Library Q:\140066.plk\OFFICE14\PROOF\MSSP7PL.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5864] 000000005aa10000 Library Q:\140066.plk\OFFICE14\PROOF\MSSP7EN.DLL (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5864] 000000005a980000 Library Q:\140066.plk\Office14\mscss7en.dll (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5864] 0000000069140000 Library Q:\140066.plk\Office14\css7Data0009.dll (*** suspicious ***) @ Q:\140066.plk\Office14\WINWORDC.EXE [5864] 000000005a900000 Library Q:\140066.plk\Office14\OffSpon.EXE (*** suspicious ***) @ Q:\140066.plk\Office14\OffSpon.EXE [844] 000000002d230000 Library Q:\140066.plk\Office14\msadctls.dll (*** suspicious ***) @ Q:\140066.plk\Office14\OffSpon.EXE [844] 0000000059af0000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\7ce9d3772290 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\7ce9d3772290@2021a551367c 0xC2 0x5A 0xBD 0x63 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\7ce9d3772290@b80305309b7e 0x01 0xB0 0xBF 0x1A ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\7ce9d3772290@6c23b94fd8bb 0xB4 0xEF 0x04 0x77 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\bc773702cb9a Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\7ce9d3772290 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\7ce9d3772290@2021a551367c 0xC2 0x5A 0xBD 0x63 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\7ce9d3772290@b80305309b7e 0x01 0xB0 0xBF 0x1A ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\7ce9d3772290@6c23b94fd8bb 0xB4 0xEF 0x04 0x77 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\bc773702cb9a (not active ControlSet) ---- EOF - GMER 2.1 ----