GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-10-19 19:23:47 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000DM003-1CH162 rev.CC47 931,51GB Running: gmer.exe; Driver: C:\Users\oo\AppData\Local\Temp\uglcraoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\360\360 Internet Security\deepscan\zhudongfangyu.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076461401 2 bytes JMP 7550eb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\zhudongfangyu.exe[1228] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076461419 2 bytes JMP 7551b513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\zhudongfangyu.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076461431 2 bytes JMP 75598609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\zhudongfangyu.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007646144a 2 bytes CALL 754f1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\360\360 Internet Security\deepscan\zhudongfangyu.exe[1228] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764614dd 2 bytes JMP 75597efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\zhudongfangyu.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764614f5 2 bytes JMP 755980d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\zhudongfangyu.exe[1228] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007646150d 2 bytes JMP 75597df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\zhudongfangyu.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076461525 2 bytes JMP 755981c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\zhudongfangyu.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007646153d 2 bytes JMP 7550f088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\zhudongfangyu.exe[1228] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076461555 2 bytes JMP 7551b885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\zhudongfangyu.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007646156d 2 bytes JMP 755986c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\zhudongfangyu.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076461585 2 bytes JMP 75598222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\zhudongfangyu.exe[1228] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007646159d 2 bytes JMP 75597db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\zhudongfangyu.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764615b5 2 bytes JMP 7550f121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\zhudongfangyu.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764615cd 2 bytes JMP 7551b29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\zhudongfangyu.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764616b2 2 bytes JMP 75598584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\deepscan\zhudongfangyu.exe[1228] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764616bd 2 bytes JMP 75597d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[1572] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076461401 2 bytes JMP 7550eb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[1572] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076461419 2 bytes JMP 7551b513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[1572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076461431 2 bytes JMP 75598609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[1572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007646144a 2 bytes CALL 754f1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[1572] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764614dd 2 bytes JMP 75597efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[1572] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764614f5 2 bytes JMP 755980d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[1572] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007646150d 2 bytes JMP 75597df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[1572] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076461525 2 bytes JMP 755981c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[1572] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007646153d 2 bytes JMP 7550f088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[1572] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076461555 2 bytes JMP 7551b885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[1572] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007646156d 2 bytes JMP 755986c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[1572] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076461585 2 bytes JMP 75598222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[1572] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007646159d 2 bytes JMP 75597db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[1572] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764615b5 2 bytes JMP 7550f121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[1572] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764615cd 2 bytes JMP 7551b29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[1572] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764616b2 2 bytes JMP 75598584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe[1572] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764616bd 2 bytes JMP 75597d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000754fd03c 5 bytes [33, C0, C2, 04, 00] .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\USER32.dll!GetScrollInfo 0000000076a8452a 7 bytes JMP 00000001099748bf .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\USER32.dll!SetScrollInfo 0000000076a845e7 7 bytes JMP 0000000109974910 .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\USER32.dll!ShowScrollBar 0000000076a8467a 5 bytes JMP 0000000109974961 .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\USER32.dll!GetScrollPos 0000000076a84741 5 bytes JMP 00000001099748da .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\USER32.dll!SetScrollPos 0000000076a888cd 5 bytes JMP 000000010997492b .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\USER32.dll!GetScrollRange 0000000076a88fac 5 bytes JMP 00000001099748f5 .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\USER32.dll!EnableScrollBar 0000000076a8b3b7 7 bytes JMP 00000001099748a4 .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\USER32.dll!SetScrollRange 0000000076aa0207 5 bytes JMP 0000000109974946 .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076461401 2 bytes JMP 7550eb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076461419 2 bytes JMP 7551b513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076461431 2 bytes JMP 75598609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007646144a 2 bytes CALL 754f1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764614dd 2 bytes JMP 75597efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764614f5 2 bytes JMP 755980d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007646150d 2 bytes JMP 75597df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076461525 2 bytes JMP 755981c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007646153d 2 bytes JMP 7550f088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076461555 2 bytes JMP 7551b885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007646156d 2 bytes JMP 755986c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076461585 2 bytes JMP 75598222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007646159d 2 bytes JMP 75597db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764615b5 2 bytes JMP 7550f121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764615cd 2 bytes JMP 7551b29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764616b2 2 bytes JMP 75598584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[1760] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764616bd 2 bytes JMP 75597d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Plus Internet\Plus Internet.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076461401 2 bytes JMP 7550eb26 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Plus Internet\Plus Internet.exe[3396] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076461419 2 bytes JMP 7551b513 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Plus Internet\Plus Internet.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076461431 2 bytes JMP 75598609 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Plus Internet\Plus Internet.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007646144a 2 bytes CALL 754f1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Plus Internet\Plus Internet.exe[3396] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764614dd 2 bytes JMP 75597efe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Plus Internet\Plus Internet.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764614f5 2 bytes JMP 755980d8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Plus Internet\Plus Internet.exe[3396] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007646150d 2 bytes JMP 75597df4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Plus Internet\Plus Internet.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076461525 2 bytes JMP 755981c2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Plus Internet\Plus Internet.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007646153d 2 bytes JMP 7550f088 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Plus Internet\Plus Internet.exe[3396] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076461555 2 bytes JMP 7551b885 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Plus Internet\Plus Internet.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007646156d 2 bytes JMP 755986c1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Plus Internet\Plus Internet.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076461585 2 bytes JMP 75598222 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Plus Internet\Plus Internet.exe[3396] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007646159d 2 bytes JMP 75597db8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Plus Internet\Plus Internet.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764615b5 2 bytes JMP 7550f121 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Plus Internet\Plus Internet.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764615cd 2 bytes JMP 7551b29f C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Plus Internet\Plus Internet.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764616b2 2 bytes JMP 75598584 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Plus Internet\Plus Internet.exe[3396] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764616bd 2 bytes JMP 75597d4d C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Waterfox\waterfox.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000774d4a20 13 bytes {MOV R11, 0x7feecc782e0; JMP R11} .text C:\Users\oo\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076461401 2 bytes JMP 7550eb26 C:\Windows\syswow64\kernel32.dll .text C:\Users\oo\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[3456] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076461419 2 bytes JMP 7551b513 C:\Windows\syswow64\kernel32.dll .text C:\Users\oo\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076461431 2 bytes JMP 75598609 C:\Windows\syswow64\kernel32.dll .text C:\Users\oo\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007646144a 2 bytes CALL 754f1dfa C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\oo\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[3456] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764614dd 2 bytes JMP 75597efe C:\Windows\syswow64\kernel32.dll .text C:\Users\oo\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764614f5 2 bytes JMP 755980d8 C:\Windows\syswow64\kernel32.dll .text C:\Users\oo\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[3456] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007646150d 2 bytes JMP 75597df4 C:\Windows\syswow64\kernel32.dll .text C:\Users\oo\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076461525 2 bytes JMP 755981c2 C:\Windows\syswow64\kernel32.dll .text C:\Users\oo\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007646153d 2 bytes JMP 7550f088 C:\Windows\syswow64\kernel32.dll .text C:\Users\oo\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[3456] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076461555 2 bytes JMP 7551b885 C:\Windows\syswow64\kernel32.dll .text C:\Users\oo\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007646156d 2 bytes JMP 755986c1 C:\Windows\syswow64\kernel32.dll .text C:\Users\oo\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076461585 2 bytes JMP 75598222 C:\Windows\syswow64\kernel32.dll .text C:\Users\oo\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[3456] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007646159d 2 bytes JMP 75597db8 C:\Windows\syswow64\kernel32.dll .text C:\Users\oo\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764615b5 2 bytes JMP 7550f121 C:\Windows\syswow64\kernel32.dll .text C:\Users\oo\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764615cd 2 bytes JMP 7551b29f C:\Windows\syswow64\kernel32.dll .text C:\Users\oo\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764616b2 2 bytes JMP 75598584 C:\Windows\syswow64\kernel32.dll .text C:\Users\oo\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[3456] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764616bd 2 bytes JMP 75597d4d C:\Windows\syswow64\kernel32.dll ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88002b92908] \SystemRoot\system32\DRIVERS\360Box64.sys [.text] ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4000:4252] 000007fefb952a74 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4000:4264] 000007fef01adc08 Thread C:\Windows\System32\svchost.exe [3672:1780] 000007fef1359688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{CC78A550-4249-4842-8699-2A5473D661E5}?\Device\{29A1E7E0-A17E-40E3-B43B-F9648E211DD7}?\Device\{24B078E5-9FDB-4DFD-ADE3-C1945223E55C}?\Device\{E91777B9-1B1C-4936-AE8E-EDCA07AC0E29}?\Device\{B3992E80-1C96-4DD8-AC06-771B82D171A8}?\Device\{2401DAB8-1A7C-4D16-A0F2-30505B233F95}?\Device\{0DE1D5EA-103B-4689-95BF-3DB5B07F5F60}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{CC78A550-4249-4842-8699-2A5473D661E5}"?"{29A1E7E0-A17E-40E3-B43B-F9648E211DD7}"?"{24B078E5-9FDB-4DFD-ADE3-C1945223E55C}"?"{E91777B9-1B1C-4936-AE8E-EDCA07AC0E29}"?"{B3992E80-1C96-4DD8-AC06-771B82D171A8}"?"{2401DAB8-1A7C-4D16-A0F2-30505B233F95}"?"{0DE1D5EA-103B-4689-95BF-3DB5B07F5F60}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{CC78A550-4249-4842-8699-2A5473D661E5}?\Device\TCPIP6TUNNEL_{29A1E7E0-A17E-40E3-B43B-F9648E211DD7}?\Device\TCPIP6TUNNEL_{24B078E5-9FDB-4DFD-ADE3-C1945223E55C}?\Device\TCPIP6TUNNEL_{E91777B9-1B1C-4936-AE8E-EDCA07AC0E29}?\Device\TCPIP6TUNNEL_{B3992E80-1C96-4DD8-AC06-771B82D171A8}?\Device\TCPIP6TUNNEL_{2401DAB8-1A7C-4D16-A0F2-30505B233F95}?\Device\TCPIP6TUNNEL_{0DE1D5EA-103B-4689-95BF-3DB5B07F5F60}? Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 856 ---- EOF - GMER 2.1 ----