GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-05 23:41:41
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS547550A9E384 rev.JE3OA60A 465,76GB
Running: gmer.exe; Driver: C:\Users\asus\AppData\Local\Temp\aftcqaoc.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 00000000777dfa38 5 bytes JMP 00000001744219e8
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777dffc8 5 bytes JMP 000000017442209e
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076271401 2 bytes JMP 7634eb2e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1748] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076271419 2 bytes JMP 7635b513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076271431 2 bytes JMP 763d86d1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007627144a 2 bytes CALL 76331dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1748] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762714dd 2 bytes JMP 763d7fc9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762714f5 2 bytes JMP 763d81a0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1748] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007627150d 2 bytes JMP 763d7ebf C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076271525 2 bytes JMP 763d828a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007627153d 2 bytes JMP 7634f094 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1748] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076271555 2 bytes JMP 7635b885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007627156d 2 bytes JMP 763d8789 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076271585 2 bytes JMP 763d82ea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1748] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007627159d 2 bytes JMP 763d7e83 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762715b5 2 bytes JMP 7634f12d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762715cd 2 bytes JMP 7635b29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762716b2 2 bytes JMP 763d864c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762716bd 2 bytes JMP 763d7e18 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[3912] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 00000000777dfa38 5 bytes JMP 00000001744219e8
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[3912] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777dffc8 5 bytes JMP 000000017442209e
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[3912] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076332182 7 bytes JMP 0000000170e4168b
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[3912] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 000000007633c74f 7 bytes JMP 0000000170e411a4
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[3912] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007634ddc2 7 bytes JMP 0000000170e4123a
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[3912] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007634eb2e 5 bytes JMP 0000000170e415a0
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[3912] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 000000007634f197 7 bytes JMP 0000000170e41280
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[3912] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000763d864c 7 bytes JMP 0000000170e4132f
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[3912] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000763d86d1 5 bytes JMP 0000000170e416cc
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[3912] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000763d8a27 5 bytes JMP 0000000170e41703
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[3912] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000766359e3 5 bytes JMP 0000000170e415f0
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[3912] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000766757fc 5 bytes JMP 0000000170e41217
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[3912] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000769be84e 5 bytes JMP 0000000170e41181
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[3912] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000769be86e 5 bytes JMP 0000000170e415b9
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[3912] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075ea8b9a 5 bytes JMP 0000000170e4171c
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[3912] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000075eb4c48 5 bytes JMP 0000000170e410a0
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[3912] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000075eb6bdc 5 bytes JMP 0000000170e4140b
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe[3912] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000075f07bec 5 bytes JMP 0000000170e415c8
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[4524] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076271401 2 bytes JMP 7634eb2e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[4524] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076271419 2 bytes JMP 7635b513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[4524] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076271431 2 bytes JMP 763d86d1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[4524] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007627144a 2 bytes CALL 76331dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[4524] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762714dd 2 bytes JMP 763d7fc9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[4524] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762714f5 2 bytes JMP 763d81a0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[4524] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007627150d 2 bytes JMP 763d7ebf C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[4524] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076271525 2 bytes JMP 763d828a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[4524] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007627153d 2 bytes JMP 7634f094 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[4524] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076271555 2 bytes JMP 7635b885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[4524] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007627156d 2 bytes JMP 763d8789 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[4524] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076271585 2 bytes JMP 763d82ea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[4524] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007627159d 2 bytes JMP 763d7e83 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[4524] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762715b5 2 bytes JMP 7634f12d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[4524] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762715cd 2 bytes JMP 7635b29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[4524] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762716b2 2 bytes JMP 763d864c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[4524] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762716bd 2 bytes JMP 763d7e18 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4756] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076271401 2 bytes JMP 7634eb2e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4756] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076271419 2 bytes JMP 7635b513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076271431 2 bytes JMP 763d86d1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007627144a 2 bytes CALL 76331dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4756] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762714dd 2 bytes JMP 763d7fc9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4756] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762714f5 2 bytes JMP 763d81a0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4756] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007627150d 2 bytes JMP 763d7ebf C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4756] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076271525 2 bytes JMP 763d828a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4756] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007627153d 2 bytes JMP 7634f094 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4756] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076271555 2 bytes JMP 7635b885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4756] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007627156d 2 bytes JMP 763d8789 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4756] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076271585 2 bytes JMP 763d82ea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4756] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007627159d 2 bytes JMP 763d7e83 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4756] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762715b5 2 bytes JMP 7634f12d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4756] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762715cd 2 bytes JMP 7635b29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4756] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762716b2 2 bytes JMP 763d864c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4756] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762716bd 2 bytes JMP 763d7e18 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[2852] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076271401 2 bytes JMP 7634eb2e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[2852] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076271419 2 bytes JMP 7635b513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[2852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076271431 2 bytes JMP 763d86d1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[2852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007627144a 2 bytes CALL 76331dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[2852] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762714dd 2 bytes JMP 763d7fc9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[2852] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762714f5 2 bytes JMP 763d81a0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[2852] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007627150d 2 bytes JMP 763d7ebf C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[2852] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076271525 2 bytes JMP 763d828a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[2852] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007627153d 2 bytes JMP 7634f094 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[2852] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076271555 2 bytes JMP 7635b885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[2852] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007627156d 2 bytes JMP 763d8789 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[2852] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076271585 2 bytes JMP 763d82ea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[2852] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007627159d 2 bytes JMP 763d7e83 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[2852] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762715b5 2 bytes JMP 7634f12d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[2852] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762715cd 2 bytes JMP 7635b29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[2852] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762716b2 2 bytes JMP 763d864c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe[2852] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762716bd 2 bytes JMP 763d7e18 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[10472] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076271401 2 bytes JMP 7634eb2e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[10472] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076271419 2 bytes JMP 7635b513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[10472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076271431 2 bytes JMP 763d86d1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[10472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007627144a 2 bytes CALL 76331dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[10472] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000762714dd 2 bytes JMP 763d7fc9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[10472] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000762714f5 2 bytes JMP 763d81a0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[10472] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007627150d 2 bytes JMP 763d7ebf C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[10472] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076271525 2 bytes JMP 763d828a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[10472] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007627153d 2 bytes JMP 7634f094 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[10472] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076271555 2 bytes JMP 7635b885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[10472] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007627156d 2 bytes JMP 763d8789 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[10472] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076271585 2 bytes JMP 763d82ea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[10472] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007627159d 2 bytes JMP 763d7e83 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[10472] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000762715b5 2 bytes JMP 7634f12d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[10472] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000762715cd 2 bytes JMP 7635b29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[10472] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000762716b2 2 bytes JMP 763d864c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Windows Media Player\wmplayer.exe[10472] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000762716bd 2 bytes JMP 763d7e18 C:\Windows\syswow64\kernel32.dll

---- Kernel IAT/EAT - GMER 2.1 ----

IAT C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88003318edc] \SystemRoot\system32\DRIVERS\klif.sys [PAGE]

---- Threads - GMER 2.1 ----

Thread C:\ProgramData\wmc.exe [2584:5000] 00000000718e6f14

---- Processes - GMER 2.1 ----

Process C:\ProgramData\DatacardService\HWDeviceService64.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\HWDeviceService64.exe [1872](2011-03-14 15:27:34) 000000013f580000
Process C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [1688](2013-10-20 12:45:49) 0000000000400000
Library C:\ProgramData\Internet Manager\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [1688](2013-10-20 12:45:49) 000000006fbc0000
Library C:\ProgramData\Internet Manager\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [1688](2013-10-20 12:45:49) 000000006e940000
Library C:\ProgramData\Internet Manager\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [1688](2013-10-20 12:45:49) 000000006a1c0000
Library C:\ProgramData\Internet Manager\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [1688](2013-10-20 12:45:49) 000000006ff00000
Process C:\ProgramData\wmc.exe (*** suspicious ***) @ C:\ProgramData\wmc.exe [2584] (Microsoft® Windows® Media Center/Microsoft® Corporation)(2014-08-15 14:24:56) 0000000000400000
Process C:\ProgramData\DatacardService\DCSHelper.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\DCSHelper.exe [2636] (DataCardMonitor MFC Application/Huawei Technologies Co., Ltd.)(2011-03-14 15:27:28) 0000000000400000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68b7d5fb
Reg HKLM\SYSTEM\CurrentControlSet\services\rdyboost\Parameters@LastBootPlanUserTime ?Pt?, ?wrz ?05 ?14, 11:10:37????????????t??????????????????????
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68b7d5fb (not active ControlSet)

---- EOF - GMER 2.1 ----