GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2014-05-12 16:45:44
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JEDO 596,17GB
Running: m57g1hli.exe; Driver: C:\Users\Blazej\AppData\Local\Temp\awrdipob.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800033ba000 63 bytes [00, 00, 0C, 02, 46, 4D, 66, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 592 fffff800033ba040 1 byte [47]

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[2624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000753e1465 2 bytes [3E, 75]
.text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[2624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753e14bb 2 bytes [3E, 75]
.text ... * 2
.text C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe[2644] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000753e1465 2 bytes [3E, 75]
.text C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe[2644] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753e14bb 2 bytes [3E, 75]
.text ... * 2
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4944] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075401f0e 7 bytes JMP 0000000171313550
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4944] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075405bad 7 bytes JMP 00000001713137f0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4944] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075411409 7 bytes JMP 0000000171313650
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4944] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007541ea45 7 bytes JMP 0000000171313540
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4944] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000754a8e24 7 bytes JMP 0000000171313310
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4944] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000754a8ea9 5 bytes JMP 00000001713133c0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4944] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000754a91ff 5 bytes JMP 0000000171313320
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4944] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000077111d1b 5 bytes JMP 00000001713132b0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4944] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000077111dc9 5 bytes JMP 0000000171313270
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4944] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077112aa4 5 bytes JMP 00000001713133d0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4944] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000077112d0a 5 bytes JMP 00000001713130b0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4944] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000171312c60
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4944] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 0000000171313030
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4944] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007622e567 5 bytes JMP 00000001713130a0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4944] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076267a5c 5 bytes JMP 0000000171313020
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4944] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f7e96b 5 bytes JMP 0000000171312cd0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4944] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f7eba5 5 bytes JMP 0000000171312ce0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4944] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075b45ea5 5 bytes JMP 0000000171312c20
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4944] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075b79d0b 5 bytes JMP 0000000171312bb0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000753e1465 2 bytes [3E, 75]
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753e14bb 2 bytes [3E, 75]
.text ... * 2
.text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5544] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075401f0e 7 bytes JMP 0000000171313550
.text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5544] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075405bad 7 bytes JMP 00000001713137f0
.text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5544] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075411409 7 bytes JMP 0000000171313650
.text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5544] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007541ea45 7 bytes JMP 0000000171313540
.text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5544] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000754a8e24 7 bytes JMP 0000000171313310
.text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5544] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000754a8ea9 5 bytes JMP 00000001713133c0
.text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5544] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000754a91ff 5 bytes JMP 0000000171313320
.text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000077111d1b 5 bytes JMP 00000001713132b0
.text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000077111dc9 5 bytes JMP 0000000171313270
.text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077112aa4 5 bytes JMP 00000001713133d0
.text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000077112d0a 5 bytes JMP 00000001713130b0
.text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5544] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000171312c60
.text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5544] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 0000000171313030
.text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5544] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007622e567 5 bytes JMP 00000001713130a0
.text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5544] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076267a5c 5 bytes JMP 0000000171313020
.text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5544] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f7e96b 5 bytes JMP 0000000171312cd0
.text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5544] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f7eba5 5 bytes JMP 0000000171312ce0
.text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5544] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075b45ea5 5 bytes JMP 0000000171312c20
.text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5544] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075b79d0b 5 bytes JMP 0000000171312bb0
.text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5544] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000753e1465 2 bytes [3E, 75]
.text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[5544] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753e14bb 2 bytes [3E, 75]
.text ... * 2
.text C:\Program Files (x86)\Razer\Razer Game Booster\main.exe[5736] C:\Windows\syswow64\KERNEL32.dll!RegQueryValueExW 0000000075401f0e 7 bytes JMP 0000000171313550
.text C:\Program Files (x86)\Razer\Razer Game Booster\main.exe[5736] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExW 0000000075405bad 7 bytes JMP 00000001713137f0
.text C:\Program Files (x86)\Razer\Razer Game Booster\main.exe[5736] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000075411409 7 bytes JMP 0000000171313650
.text C:\Program Files (x86)\Razer\Razer Game Booster\main.exe[5736] C:\Windows\syswow64\KERNEL32.dll!RegDeleteValueW 000000007541ea45 7 bytes JMP 0000000171313540
.text C:\Program Files (x86)\Razer\Razer Game Booster\main.exe[5736] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 00000000754a8e24 7 bytes JMP 0000000171313310
.text C:\Program Files (x86)\Razer\Razer Game Booster\main.exe[5736] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 00000000754a8ea9 5 bytes JMP 00000001713133c0
.text C:\Program Files (x86)\Razer\Razer Game Booster\main.exe[5736] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 00000000754a91ff 5 bytes JMP 0000000171313320
.text C:\Program Files (x86)\Razer\Razer Game Booster\main.exe[5736] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000077111d1b 5 bytes JMP 00000001713132b0
.text C:\Program Files (x86)\Razer\Razer Game Booster\main.exe[5736] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000077111dc9 5 bytes JMP 0000000171313270
.text C:\Program Files (x86)\Razer\Razer Game Booster\main.exe[5736] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077112aa4 5 bytes JMP 00000001713133d0
.text C:\Program Files (x86)\Razer\Razer Game Booster\main.exe[5736] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000077112d0a 5 bytes JMP 00000001713130b0
.text C:\Program Files (x86)\Razer\Razer Game Booster\main.exe[5736] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000171312c60
.text C:\Program Files (x86)\Razer\Razer Game Booster\main.exe[5736] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 0000000171313030
.text C:\Program Files (x86)\Razer\Razer Game Booster\main.exe[5736] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007622e567 5 bytes JMP 00000001713130a0
.text C:\Program Files (x86)\Razer\Razer Game Booster\main.exe[5736] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076267a5c 5 bytes JMP 0000000171313020
.text C:\Program Files (x86)\Razer\Razer Game Booster\main.exe[5736] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075b45ea5 5 bytes JMP 0000000171312c20
.text C:\Program Files (x86)\Razer\Razer Game Booster\main.exe[5736] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075b79d0b 5 bytes JMP 0000000171312bb0
.text C:\ProgramData\Battle.net\Agent\Agent.2880\Agent.exe[4988] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075401f0e 7 bytes JMP 0000000171313550
.text C:\ProgramData\Battle.net\Agent\Agent.2880\Agent.exe[4988] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075405bad 7 bytes JMP 00000001713137f0
.text C:\ProgramData\Battle.net\Agent\Agent.2880\Agent.exe[4988] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075411409 7 bytes JMP 0000000171313650
.text C:\ProgramData\Battle.net\Agent\Agent.2880\Agent.exe[4988] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007541ea45 7 bytes JMP 0000000171313540
.text C:\ProgramData\Battle.net\Agent\Agent.2880\Agent.exe[4988] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000754a8e24 7 bytes JMP 0000000171313310
.text C:\ProgramData\Battle.net\Agent\Agent.2880\Agent.exe[4988] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000754a8ea9 5 bytes JMP 00000001713133c0
.text C:\ProgramData\Battle.net\Agent\Agent.2880\Agent.exe[4988] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000754a91ff 5 bytes JMP 0000000171313320
.text C:\ProgramData\Battle.net\Agent\Agent.2880\Agent.exe[4988] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000077111d1b 5 bytes JMP 00000001713132b0
.text C:\ProgramData\Battle.net\Agent\Agent.2880\Agent.exe[4988] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000077111dc9 5 bytes JMP 0000000171313270
.text C:\ProgramData\Battle.net\Agent\Agent.2880\Agent.exe[4988] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077112aa4 5 bytes JMP 00000001713133d0
.text C:\ProgramData\Battle.net\Agent\Agent.2880\Agent.exe[4988] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000077112d0a 5 bytes JMP 00000001713130b0
.text C:\ProgramData\Battle.net\Agent\Agent.2880\Agent.exe[4988] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000753e1465 2 bytes [3E, 75]
.text C:\ProgramData\Battle.net\Agent\Agent.2880\Agent.exe[4988] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753e14bb 2 bytes [3E, 75]
.text ... * 2
.text C:\ProgramData\Battle.net\Agent\Agent.2880\Agent.exe[4988] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000171312c60
.text C:\ProgramData\Battle.net\Agent\Agent.2880\Agent.exe[4988] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 0000000171313030
.text C:\ProgramData\Battle.net\Agent\Agent.2880\Agent.exe[4988] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007622e567 5 bytes JMP 00000001713130a0
.text C:\ProgramData\Battle.net\Agent\Agent.2880\Agent.exe[4988] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076267a5c 5 bytes JMP 0000000171313020
.text C:\ProgramData\Battle.net\Agent\Agent.2880\Agent.exe[4988] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f7e96b 5 bytes JMP 0000000171312cd0
.text C:\ProgramData\Battle.net\Agent\Agent.2880\Agent.exe[4988] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f7eba5 5 bytes JMP 0000000171312ce0
.text D:\Gry\Battle.net\Battle.net.4511\Battle.net.exe[6780] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075401f0e 7 bytes JMP 0000000171313550
.text D:\Gry\Battle.net\Battle.net.4511\Battle.net.exe[6780] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075405bad 7 bytes JMP 00000001713137f0
.text D:\Gry\Battle.net\Battle.net.4511\Battle.net.exe[6780] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075411409 7 bytes JMP 0000000171313650
.text D:\Gry\Battle.net\Battle.net.4511\Battle.net.exe[6780] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007541ea45 7 bytes JMP 0000000171313540
.text D:\Gry\Battle.net\Battle.net.4511\Battle.net.exe[6780] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000754a8e24 7 bytes JMP 0000000171313310
.text D:\Gry\Battle.net\Battle.net.4511\Battle.net.exe[6780] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000754a8ea9 5 bytes JMP 00000001713133c0
.text D:\Gry\Battle.net\Battle.net.4511\Battle.net.exe[6780] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000754a91ff 5 bytes JMP 0000000171313320
.text D:\Gry\Battle.net\Battle.net.4511\Battle.net.exe[6780] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000077111d1b 5 bytes JMP 00000001713132b0
.text D:\Gry\Battle.net\Battle.net.4511\Battle.net.exe[6780] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000077111dc9 5 bytes JMP 0000000171313270
.text D:\Gry\Battle.net\Battle.net.4511\Battle.net.exe[6780] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077112aa4 5 bytes JMP 00000001713133d0
.text D:\Gry\Battle.net\Battle.net.4511\Battle.net.exe[6780] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000077112d0a 5 bytes JMP 00000001713130b0
.text D:\Gry\Battle.net\Battle.net.4511\Battle.net.exe[6780] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000171312c60
.text D:\Gry\Battle.net\Battle.net.4511\Battle.net.exe[6780] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 0000000171313030
.text D:\Gry\Battle.net\Battle.net.4511\Battle.net.exe[6780] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007622e567 5 bytes JMP 00000001713130a0
.text D:\Gry\Battle.net\Battle.net.4511\Battle.net.exe[6780] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076267a5c 5 bytes JMP 0000000171313020
.text D:\Gry\Battle.net\Battle.net.4511\Battle.net.exe[6780] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f7e96b 5 bytes JMP 0000000171312cd0
.text D:\Gry\Battle.net\Battle.net.4511\Battle.net.exe[6780] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f7eba5 5 bytes JMP 0000000171312ce0
.text D:\Gry\Battle.net\Battle.net.4511\Battle.net.exe[6780] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000753e1465 2 bytes [3E, 75]
.text D:\Gry\Battle.net\Battle.net.4511\Battle.net.exe[6780] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753e14bb 2 bytes [3E, 75]
.text ... * 2
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075401f0e 7 bytes JMP 0000000171313550
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075405bad 7 bytes JMP 00000001713137f0
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075411409 7 bytes JMP 0000000171313650
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007541ea45 7 bytes JMP 0000000171313540
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000754a8e24 7 bytes JMP 0000000171313310
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000754a8ea9 5 bytes JMP 00000001713133c0
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000754a91ff 5 bytes JMP 0000000171313320
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000077111d1b 5 bytes JMP 00000001713132b0
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000077111dc9 5 bytes JMP 0000000171313270
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077112aa4 5 bytes JMP 00000001713133d0
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000077112d0a 5 bytes JMP 00000001713130b0
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f7e96b 5 bytes JMP 0000000171312cd0
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f7eba5 5 bytes JMP 0000000171312ce0
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000171312c60
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 0000000171313030
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007622e567 5 bytes JMP 00000001713130a0
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076267a5c 5 bytes JMP 0000000171313020
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000753e1465 2 bytes [3E, 75]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753e14bb 2 bytes [3E, 75]
.text ... * 2
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000746311a8 2 bytes [63, 74]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 00000000746313a8 2 bytes [63, 74]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000074631422 2 bytes [63, 74]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[6724] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000074631498 2 bytes [63, 74]
.text C:\Users\Blazej\Downloads\m57g1hli.exe[6640] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000075401f0e 7 bytes JMP 0000000171313550
.text C:\Users\Blazej\Downloads\m57g1hli.exe[6640] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000075405bad 7 bytes JMP 00000001713137f0
.text C:\Users\Blazej\Downloads\m57g1hli.exe[6640] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000075411409 7 bytes JMP 0000000171313650
.text C:\Users\Blazej\Downloads\m57g1hli.exe[6640] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007541ea45 7 bytes JMP 0000000171313540
.text C:\Users\Blazej\Downloads\m57g1hli.exe[6640] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000754a8e24 7 bytes JMP 0000000171313310
.text C:\Users\Blazej\Downloads\m57g1hli.exe[6640] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000754a8ea9 5 bytes JMP 00000001713133c0
.text C:\Users\Blazej\Downloads\m57g1hli.exe[6640] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000754a91ff 5 bytes JMP 0000000171313320
.text C:\Users\Blazej\Downloads\m57g1hli.exe[6640] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000077111d1b 5 bytes JMP 00000001713132b0
.text C:\Users\Blazej\Downloads\m57g1hli.exe[6640] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000077111dc9 5 bytes JMP 0000000171313270
.text C:\Users\Blazej\Downloads\m57g1hli.exe[6640] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077112aa4 5 bytes JMP 00000001713133d0
.text C:\Users\Blazej\Downloads\m57g1hli.exe[6640] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000077112d0a 5 bytes JMP 00000001713130b0
.text C:\Users\Blazej\Downloads\m57g1hli.exe[6640] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076f7e96b 5 bytes JMP 0000000171312cd0
.text C:\Users\Blazej\Downloads\m57g1hli.exe[6640] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076f7eba5 5 bytes JMP 0000000171312ce0
.text C:\Users\Blazej\Downloads\m57g1hli.exe[6640] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076208a29 5 bytes JMP 0000000171312c60
.text C:\Users\Blazej\Downloads\m57g1hli.exe[6640] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076214572 5 bytes JMP 0000000171313030
.text C:\Users\Blazej\Downloads\m57g1hli.exe[6640] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 000000007622e567 5 bytes JMP 00000001713130a0
.text C:\Users\Blazej\Downloads\m57g1hli.exe[6640] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076267a5c 5 bytes JMP 0000000171313020
.text C:\Users\Blazej\Downloads\m57g1hli.exe[6640] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000753e1465 2 bytes [3E, 75]
.text C:\Users\Blazej\Downloads\m57g1hli.exe[6640] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753e14bb 2 bytes [3E, 75]
.text ... * 2

---- Threads - GMER 2.1 ----

Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [2580:5460] 000007feee08b528
Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [2580:5636] 000007feedf4b334
Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [2580:3652] 000007feedf4b334

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68dc70ae
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68dc70ae (not active ControlSet)

---- EOF - GMER 2.1 ----