GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-04-16 11:19:45
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST750LM0 rev.2AR1 698,64GB
Running: o8fqn03l.exe; Driver: C:\Users\Ewa\AppData\Local\Temp\pxtiipog.sys

---- User IAT/EAT - GMER 2.1 ----

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\74e5439099b2 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74e5439099b2
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\74e5439099b2 (not active ControlSet)

---- Files - GMER 2.1 ----

File C:\SysPart\Boot? 0 bytes
File C:\SysPart\Default\BackF? 156 bytes
File indowsPart\Default\BackF? 0 bytes
File ystem32art\Default\BackF? 0 bytes
File rivers2art\Default\BackF? 0 bytes
File rivers2art\Default\BackF? 647080 bytes executable
File rivers2art\Default\BackF? 284648 bytes

---- EOF - GMER 2.1 ----