GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-17 19:07:48 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0011 465,76GB Running: rrrie5kr.exe; Driver: C:\Users\ZARZDC~1\AppData\Local\Temp\uwrdipoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80003803000 45 bytes [00, 10, 00, 00, 00, 00, 00, ...] INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff8000380302f 23 bytes [00, 00, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\ProgramData\IePluginService\PluginService.exe[1728] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c21465 2 bytes [C2, 77] .text C:\ProgramData\IePluginService\PluginService.exe[1728] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c214bb 2 bytes [C2, 77] .text ... * 2 .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[2160] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c21465 2 bytes [C2, 77] .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[2160] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c214bb 2 bytes [C2, 77] .text ... * 2 .text C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe[2180] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c21465 2 bytes [C2, 77] .text C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe[2180] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c214bb 2 bytes [C2, 77] .text ... * 2 .text C:\Program Files (x86)\Re-markit-soft\Re-markit155.exe[2460] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c21465 2 bytes [C2, 77] .text C:\Program Files (x86)\Re-markit-soft\Re-markit155.exe[2460] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c214bb 2 bytes [C2, 77] .text ... * 2 ? C:\windows\system32\mssprxy.dll [2688] entry point in ".rdata" section 000000006f9371e6 .text C:\windows\system32\taskhost.exe[3736] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077866f80 5 bytes JMP 0000000169ff0038 .text C:\windows\system32\taskhost.exe[3736] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcb38ef0 5 bytes JMP 000007fffcb200b8 .text C:\windows\system32\taskhost.exe[3736] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefcb3bfd0 5 bytes JMP 000007fffcb20038 .text C:\windows\system32\taskhost.exe[3736] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdb57490 5 bytes JMP 000007fffcb20138 .text C:\windows\system32\taskhost.exe[3736] C:\windows\system32\WINMM.dll!waveOutReset 000007fefa0aa38c 5 bytes JMP 000007fefcb202b8 .text C:\windows\system32\taskhost.exe[3736] C:\windows\system32\WINMM.dll!waveOutPause 000007fefa0c4b60 5 bytes JMP 000007fefcb20238 .text C:\windows\system32\taskhost.exe[3736] C:\windows\system32\WINMM.dll!waveOutRestart 000007fefa0c4ba0 5 bytes JMP 000007fefcb201b8 .text C:\windows\system32\Dwm.exe[3780] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077866f80 5 bytes JMP 0000000169ff0038 .text C:\windows\system32\Dwm.exe[3780] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcb38ef0 5 bytes JMP 000007fffcae00b8 .text C:\windows\system32\Dwm.exe[3780] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefcb3bfd0 5 bytes JMP 000007fffcae0038 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2132] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077866f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2132] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcb38ef0 5 bytes JMP 000007fffcb200b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2132] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefcb3bfd0 5 bytes JMP 000007fffcb20038 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2132] C:\windows\system32\WINMM.dll!waveOutReset 000007fefa0aa38c 5 bytes JMP 000007fefcb202b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2132] C:\windows\system32\WINMM.dll!waveOutPause 000007fefa0c4b60 5 bytes JMP 000007fefcb20238 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2132] C:\windows\system32\WINMM.dll!waveOutRestart 000007fefa0c4ba0 5 bytes JMP 000007fefcb201b8 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2132] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdb57490 5 bytes JMP 000007fffcb20138 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[5232] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077866f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[5232] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcb38ef0 5 bytes JMP 000007fffcb200b8 .text C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe[5232] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefcb3bfd0 5 bytes JMP 000007fffcb20038 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[5276] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077866f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[5276] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcb38ef0 5 bytes JMP 000007fffcb200b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[5276] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefcb3bfd0 5 bytes JMP 000007fffcb20038 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[5276] C:\windows\system32\WINMM.dll!waveOutReset 000007fefa0aa38c 5 bytes JMP 000007fefcb202b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[5276] C:\windows\system32\WINMM.dll!waveOutPause 000007fefa0c4b60 5 bytes JMP 000007fefcb20238 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[5276] C:\windows\system32\WINMM.dll!waveOutRestart 000007fefa0c4ba0 5 bytes JMP 000007fefcb201b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[5276] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdb57490 5 bytes JMP 000007fffcb20138 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5364] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077866f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5364] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcb38ef0 5 bytes JMP 000007fffcb200b8 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5364] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefcb3bfd0 5 bytes JMP 000007fffcb20038 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5364] C:\windows\system32\WINMM.dll!waveOutReset 000007fefa0aa38c 5 bytes JMP 000007fefcb202b8 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5364] C:\windows\system32\WINMM.dll!waveOutPause 000007fefa0c4b60 5 bytes JMP 000007fefcb20238 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5364] C:\windows\system32\WINMM.dll!waveOutRestart 000007fefa0c4ba0 5 bytes JMP 000007fefcb201b8 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5364] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdb57490 5 bytes JMP 000007fffcb20138 .text C:\Program Files\Microsoft Security Client\msseces.exe[5596] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077866f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files\Microsoft Security Client\msseces.exe[5596] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcb38ef0 5 bytes JMP 000007fffcae00b8 .text C:\Program Files\Microsoft Security Client\msseces.exe[5596] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefcb3bfd0 5 bytes JMP 000007fffcae0038 .text C:\Program Files\Microsoft Security Client\msseces.exe[5596] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdb57490 5 bytes JMP 000007fffcae0138 .text C:\Program Files (x86)\UtilityChest_49\bar\1.bin\AppIntegrator64.exe[5636] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077866f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files (x86)\UtilityChest_49\bar\1.bin\AppIntegrator64.exe[5636] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcb38ef0 5 bytes JMP 000007fffcb200b8 .text C:\Program Files (x86)\UtilityChest_49\bar\1.bin\AppIntegrator64.exe[5636] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefcb3bfd0 5 bytes JMP 000007fffcb20038 .text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[5752] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000762648b3 5 bytes JMP 0000000110002710 .text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[5752] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000762648cb 5 bytes JMP 00000001100027f0 .text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[5752] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 00000000762648fd 5 bytes JMP 0000000110002780 .text C:\Program Files (x86)\USB Camera\VM331_STI.EXE[5752] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075b89d0b 5 bytes JMP 0000000110002850 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[5820] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077866f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[5820] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcb38ef0 5 bytes JMP 000007fffcb200b8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[5820] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefcb3bfd0 5 bytes JMP 000007fffcb20038 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[5820] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdb57490 5 bytes JMP 000007fffcb20138 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[5820] C:\windows\system32\WINMM.dll!waveOutReset 000007fefa0aa38c 5 bytes JMP 000007fefcb202b8 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[5820] C:\windows\system32\WINMM.dll!waveOutPause 000007fefa0c4b60 5 bytes JMP 000007fefcb20238 .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[5820] C:\windows\system32\WINMM.dll!waveOutRestart 000007fefa0c4ba0 5 bytes JMP 000007fefcb201b8 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[5832] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000762648b3 5 bytes JMP 0000000102182710 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[5832] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000762648cb 5 bytes JMP 00000001021827f0 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[5832] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 00000000762648fd 5 bytes JMP 0000000102182780 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[5832] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c21465 2 bytes [C2, 77] .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[5832] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c214bb 2 bytes [C2, 77] .text ... * 2 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[5832] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075b89d0b 5 bytes JMP 0000000102182850 .text C:\windows\system32\wbem\unsecapp.exe[5908] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077866f80 5 bytes JMP 0000000169ff0038 .text C:\windows\system32\wbem\unsecapp.exe[5908] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcb38ef0 5 bytes JMP 000007fffcb200b8 .text C:\windows\system32\wbem\unsecapp.exe[5908] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefcb3bfd0 5 bytes JMP 000007fffcb20038 .text C:\windows\system32\wbem\unsecapp.exe[5908] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdb57490 5 bytes JMP 000007fffcb20138 .text C:\Program Files (x86)\UtilityChest_49\bar\1.bin\49brmon.exe[5976] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000762648b3 5 bytes JMP 0000000101df2710 .text C:\Program Files (x86)\UtilityChest_49\bar\1.bin\49brmon.exe[5976] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000762648cb 5 bytes JMP 0000000101df27f0 .text C:\Program Files (x86)\UtilityChest_49\bar\1.bin\49brmon.exe[5976] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 00000000762648fd 5 bytes JMP 0000000101df2780 .text C:\Program Files (x86)\UtilityChest_49\bar\1.bin\49brmon.exe[5976] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075b89d0b 5 bytes JMP 0000000101df2850 .text C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe[5988] C:\windows\system32\KERNEL32.dll!LoadLibraryW 0000000077866f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe[5988] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcb38ef0 5 bytes JMP 000007fffcae00b8 .text C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe[5988] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefcb3bfd0 5 bytes JMP 000007fffcae0038 .text C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe[5988] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdb57490 5 bytes JMP 000007fffcae0138 .text D:\Winamp\winampa.exe[6084] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000762648b3 5 bytes JMP 0000000110002710 .text D:\Winamp\winampa.exe[6084] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000762648cb 5 bytes JMP 00000001100027f0 .text D:\Winamp\winampa.exe[6084] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 00000000762648fd 5 bytes JMP 0000000110002780 .text D:\Winamp\winampa.exe[6084] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075b89d0b 5 bytes JMP 0000000110002850 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6140] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000762648b3 5 bytes JMP 0000000110002710 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6140] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000762648cb 5 bytes JMP 00000001100027f0 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6140] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 00000000762648fd 5 bytes JMP 0000000110002780 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6140] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075b89d0b 5 bytes JMP 0000000110002850 .text C:\Program Files (x86)\fst_fr_118\fst_fr_118.exe[5736] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000762648b3 5 bytes JMP 0000000110002710 .text C:\Program Files (x86)\fst_fr_118\fst_fr_118.exe[5736] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000762648cb 5 bytes JMP 00000001100027f0 .text C:\Program Files (x86)\fst_fr_118\fst_fr_118.exe[5736] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 00000000762648fd 5 bytes JMP 0000000110002780 .text C:\Program Files (x86)\fst_fr_118\fst_fr_118.exe[5736] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075b89d0b 5 bytes JMP 0000000110002850 .text C:\Program Files (x86)\fst_fr_118\fst_fr_118.exe[5736] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c21465 2 bytes [C2, 77] .text C:\Program Files (x86)\fst_fr_118\fst_fr_118.exe[5736] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c214bb 2 bytes [C2, 77] .text ... * 2 .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5880] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000762648b3 5 bytes JMP 0000000110002710 .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5880] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000762648cb 5 bytes JMP 00000001100027f0 .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5880] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 00000000762648fd 5 bytes JMP 0000000110002780 .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5880] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075b89d0b 5 bytes JMP 0000000110002850 .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5880] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c21465 2 bytes [C2, 77] .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5880] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c214bb 2 bytes [C2, 77] .text ... * 2 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[6064] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000762648b3 5 bytes JMP 0000000110002710 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[6064] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000762648cb 5 bytes JMP 00000001100027f0 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[6064] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 00000000762648fd 5 bytes JMP 0000000110002780 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[6064] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075b89d0b 5 bytes JMP 0000000110002850 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[6064] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c21465 2 bytes [C2, 77] .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[6064] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c214bb 2 bytes [C2, 77] .text ... * 2 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[6776] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000077866f80 5 bytes JMP 0000000169ff0038 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[6776] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefcb38ef0 5 bytes JMP 000007fffca900b8 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[6776] C:\windows\system32\KERNELBASE.dll!LoadLibraryExA 000007fefcb3bfd0 5 bytes JMP 000007fffca90038 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[6776] C:\windows\system32\ole32.dll!CoCreateInstance 000007fefdb57490 5 bytes JMP 000007fffca90138 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[6776] C:\windows\system32\WINMM.dll!waveOutReset 000007fefa0aa38c 5 bytes JMP 000007fefca902b8 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[6776] C:\windows\system32\WINMM.dll!waveOutPause 000007fefa0c4b60 5 bytes JMP 000007fefca90238 .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[6776] C:\windows\system32\WINMM.dll!waveOutRestart 000007fefa0c4ba0 5 bytes JMP 000007fefca901b8 .text C:\windows\SysWOW64\RunDll32.exe[6784] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c21465 2 bytes [C2, 77] .text C:\windows\SysWOW64\RunDll32.exe[6784] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c214bb 2 bytes [C2, 77] .text ... * 2 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[6892] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000762648b3 5 bytes JMP 0000000110002710 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[6892] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000762648cb 5 bytes JMP 00000001100027f0 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[6892] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 00000000762648fd 5 bytes JMP 0000000110002780 .text C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe[6892] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075b89d0b 5 bytes JMP 0000000110002850 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3928] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077c21465 2 bytes [C2, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3928] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077c214bb 2 bytes [C2, 77] .text ... * 2 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076fc1a13 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\60d819b53fa5 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\60d819b53fa5@00023c23cfba 0x56 0xA5 0x28 0xCE ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076fc1a13 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\60d819b53fa5 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\60d819b53fa5@00023c23cfba 0x56 0xA5 0x28 0xCE ... ---- EOF - GMER 2.1 ----