GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-10-04 22:29:02 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.GN00 698,64GB Running: q3l947mt.exe; Driver: C:\Users\Acer\AppData\Local\Temp\fwtcqaob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031a4000 45 bytes [00, 00, 15, 02, 46, 69, 6C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800031a402f 18 bytes [00, 00, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[744] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Windows\system32\services.exe[808] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[824] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[936] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1016] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[352] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[612] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[644] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[684] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1388] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007744af40 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1388] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077454a60 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1388] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077472990 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1388] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007747efe0 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1388] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1388] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000774a99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1388] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000774b94d0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1388] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000774da500 7 bytes JMP 000000016fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1388] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff767490 11 bytes JMP 000007fffe2d0228 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1388] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff77bf00 7 bytes JMP 000007fffe2d0260 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1668] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1700] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe[1840] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007561a2ba 1 byte [62] .text C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe[2000] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[1268] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[1600] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007561a2ba 1 byte [62] .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[1600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076b71465 2 bytes [B7, 76] .text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[1600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076b714bb 2 bytes [B7, 76] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe[1860] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[2336] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Windows\Explorer.EXE[2552] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2600] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Windows\system32\conhost.exe[2848] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2124] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000755f1eee 7 bytes JMP 0000000171443550 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000755f5b85 7 bytes JMP 00000001714437f0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000756013e1 7 bytes JMP 0000000171443650 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007560ea0d 7 bytes JMP 0000000171443540 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007561a2ba 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000756988b4 7 bytes JMP 0000000171443310 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075698939 5 bytes JMP 00000001714433c0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075698c8f 5 bytes JMP 0000000171443320 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b91d1b 3 bytes JMP 00000001714432b0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW + 4 0000000076b91d1f 1 byte [FA] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076b91dc9 3 bytes JMP 0000000171443270 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW + 4 0000000076b91dcd 1 byte [FA] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b92aa4 3 bytes JMP 00000001714433d0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 4 0000000076b92aa8 1 byte [FA] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b92d0a 3 bytes JMP 00000001714430b0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary + 4 0000000076b92d0e 1 byte [FA] .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076d08a29 5 bytes JMP 0000000171442c60 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076d14572 5 bytes JMP 0000000171443030 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076d2e567 5 bytes JMP 00000001714430a0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076d67a5c 5 bytes JMP 0000000171443020 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076b0e96b 5 bytes JMP 0000000171442cd0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076b0eba5 5 bytes JMP 0000000171442ce0 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000076795ea5 5 bytes JMP 0000000171442c20 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2504] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000767c9d0b 5 bytes JMP 0000000171442bb0 .text C:\Windows\System32\hkcmd.exe[3092] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3820] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[3888] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3572] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000755f1eee 7 bytes JMP 0000000171443550 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3572] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000755f5b85 7 bytes JMP 00000001714437f0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3572] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000755f8769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3572] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000756013e1 7 bytes JMP 0000000171443650 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3572] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007560ea0d 7 bytes JMP 0000000171443540 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3572] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007561a2ba 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3572] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000756988b4 7 bytes JMP 0000000171443310 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3572] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075698939 5 bytes JMP 00000001714433c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3572] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075698c8f 5 bytes JMP 0000000171443320 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076b71465 2 bytes [B7, 76] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3572] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076b714bb 2 bytes [B7, 76] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2624] C:\Windows\syswow64\KERNEL32.dll!RegQueryValueExW 00000000755f1eee 7 bytes JMP 0000000171443550 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2624] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExW 00000000755f5b85 7 bytes JMP 00000001714437f0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2624] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 00000000756013e1 7 bytes JMP 0000000171443650 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2624] C:\Windows\syswow64\KERNEL32.dll!RegDeleteValueW 000000007560ea0d 7 bytes JMP 0000000171443540 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2624] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007561a2ba 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2624] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 00000000756988b4 7 bytes JMP 0000000171443310 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2624] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 0000000075698939 5 bytes JMP 00000001714433c0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[2624] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 0000000075698c8f 5 bytes JMP 0000000171443320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3852] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007744af40 7 bytes JMP 000000016fff0228 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3852] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077454a60 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3852] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077472990 5 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3852] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007747efe0 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3852] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3852] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000774a99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3852] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000774b94d0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3852] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000774da500 7 bytes JMP 000000016fff01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3852] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefe2e2db0 5 bytes JMP 000007fffe2d0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3852] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefe2e37d0 7 bytes JMP 000007fffe2d00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3852] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefe2e8ef0 6 bytes JMP 000007fffe2d0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3852] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefe2faf60 5 bytes JMP 000007fffe2d0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3852] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feff0e89e0 8 bytes JMP 000007fffe2d01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3852] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feff0ebe40 8 bytes JMP 000007fffe2d01b8 .text C:\Windows\system32\SearchIndexer.exe[4372] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Program Files (x86)\ClearThink\bin\utilClearThink.exe[4676] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007561a2ba 1 byte [62] .text C:\Program Files (x86)\ClearThink\bin\ClearThink.BrowserAdapter.exe[2032] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000755f1eee 7 bytes JMP 0000000171443550 .text C:\Program Files (x86)\ClearThink\bin\ClearThink.BrowserAdapter.exe[2032] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000755f5b85 7 bytes JMP 00000001714437f0 .text C:\Program Files (x86)\ClearThink\bin\ClearThink.BrowserAdapter.exe[2032] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000756013e1 7 bytes JMP 0000000171443650 .text C:\Program Files (x86)\ClearThink\bin\ClearThink.BrowserAdapter.exe[2032] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007560ea0d 7 bytes JMP 0000000171443540 .text C:\Program Files (x86)\ClearThink\bin\ClearThink.BrowserAdapter.exe[2032] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007561a2ba 1 byte [62] .text C:\Program Files (x86)\ClearThink\bin\ClearThink.BrowserAdapter.exe[2032] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000756988b4 7 bytes JMP 0000000171443310 .text C:\Program Files (x86)\ClearThink\bin\ClearThink.BrowserAdapter.exe[2032] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075698939 5 bytes JMP 00000001714433c0 .text C:\Program Files (x86)\ClearThink\bin\ClearThink.BrowserAdapter.exe[2032] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075698c8f 5 bytes JMP 0000000171443320 .text C:\Program Files (x86)\ClearThink\bin\ClearThink.BrowserAdapter64.exe[5100] C:\Windows\system32\kernel32.dll!RegSetValueExW 000000007744af40 7 bytes JMP 000000016fff0228 .text C:\Program Files (x86)\ClearThink\bin\ClearThink.BrowserAdapter64.exe[5100] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077454a60 5 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\ClearThink\bin\ClearThink.BrowserAdapter64.exe[5100] C:\Windows\system32\kernel32.dll!RegDeleteValueW 0000000077472990 5 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\ClearThink\bin\ClearThink.BrowserAdapter64.exe[5100] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007747efe0 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\ClearThink\bin\ClearThink.BrowserAdapter64.exe[5100] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Program Files (x86)\ClearThink\bin\ClearThink.BrowserAdapter64.exe[5100] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000774a99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\ClearThink\bin\ClearThink.BrowserAdapter64.exe[5100] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000774b94d0 5 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\ClearThink\bin\ClearThink.BrowserAdapter64.exe[5100] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000774da500 7 bytes JMP 000000016fff01f0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1044] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007561a2ba 1 byte [62] .text C:\Program Files (x86)\ClearThink\updateClearThink.exe[2900] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007561a2ba 1 byte [62] .text C:\Windows\system32\taskhost.exe[292] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007749eecd 1 byte [62] .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 00000000755f1eee 7 bytes JMP 0000000171443550 .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 00000000755f5b85 7 bytes JMP 00000001714437f0 .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000756013e1 7 bytes JMP 0000000171443650 .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007560ea0d 7 bytes JMP 0000000171443540 .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007561a2ba 1 byte [62] .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000756988b4 7 bytes JMP 0000000171443310 .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000075698939 5 bytes JMP 00000001714433c0 .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000075698c8f 5 bytes JMP 0000000171443320 .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000076b91d1b 3 bytes JMP 00000001714432b0 .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW + 4 0000000076b91d1f 1 byte [FA] .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000076b91dc9 3 bytes JMP 0000000171443270 .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW + 4 0000000076b91dcd 1 byte [FA] .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076b92aa4 3 bytes JMP 00000001714433d0 .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 4 0000000076b92aa8 1 byte [FA] .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000076b92d0a 3 bytes JMP 00000001714430b0 .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary + 4 0000000076b92d0e 1 byte [FA] .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 0000000076b0e96b 5 bytes JMP 0000000171442cd0 .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 0000000076b0eba5 5 bytes JMP 0000000171442ce0 .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076d08a29 5 bytes JMP 0000000171442c60 .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076d14572 5 bytes JMP 0000000171443030 .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076d2e567 5 bytes JMP 00000001714430a0 .text C:\Users\Acer\Desktop\q3l947mt.exe[5456] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076d67a5c 5 bytes JMP 0000000171443020 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [612:752] 000007fefcdef2f4 Thread C:\Windows\System32\svchost.exe [612:1028] 000007fefcd66204 Thread C:\Windows\System32\svchost.exe [612:1172] 000007fefc012070 Thread C:\Windows\System32\svchost.exe [612:1176] 000007fefbee5428 Thread C:\Windows\System32\svchost.exe [612:4012] 000007fef46f6b8c Thread C:\Windows\System32\svchost.exe [612:1380] 000007fef46f1d88 Thread C:\Windows\System32\svchost.exe [644:696] 000007fefcdef2f4 Thread C:\Windows\System32\svchost.exe [644:880] 000007fefcd66204 Thread C:\Windows\System32\svchost.exe [644:1120] 000007fefc02331c Thread C:\Windows\System32\svchost.exe [644:1220] 000007fefbaf59a0 Thread C:\Windows\System32\svchost.exe [644:5020] 000007fef7fd44e0 Thread C:\Windows\System32\svchost.exe [644:4824] 000007fef79520c0 Thread C:\Windows\System32\svchost.exe [644:3880] 000007fef79526a8 Thread C:\Windows\System32\svchost.exe [644:2872] 000007fef79529dc Thread C:\Windows\System32\svchost.exe [644:4944] 000007fefd9e1a70 Thread C:\Windows\System32\svchost.exe [644:3700] 000007fef85288f8 Thread C:\Windows\System32\svchost.exe [644:5920] 000007fef7fed710 Thread C:\Windows\system32\svchost.exe [684:3872] 000007fef71d17f8 Thread C:\Windows\system32\svchost.exe [684:3876] 000007fef71d17f8 Thread C:\Windows\system32\svchost.exe [684:4292] 000007fef30d506c Thread C:\Windows\system32\svchost.exe [684:4300] 000007fefb081c20 Thread C:\Windows\system32\svchost.exe [684:4308] 000007fefb081c20 Thread C:\Windows\system32\svchost.exe [684:4296] 000007fef9745124 Thread C:\Windows\system32\svchost.exe [684:4488] 000007feedd626e0 Thread C:\Windows\system32\svchost.exe [684:5820] 000007fef77e1ab0 Thread C:\Windows\system32\svchost.exe [684:1776] 000007fef6af4164 Thread C:\Windows\system32\svchost.exe [684:6120] 000007fef71d17f8 Thread C:\Windows\system32\svchost.exe [684:5128] 000007fef71d17f8 Thread C:\Windows\system32\svchost.exe [684:1872] 000007fef71d17f8 Thread C:\Windows\system32\svchost.exe [684:4540] 000007fef75fb68c Thread C:\Windows\System32\spoolsv.exe [1668:2428] 000007fef94910c8 Thread C:\Windows\System32\spoolsv.exe [1668:2436] 000007fef9456144 Thread C:\Windows\System32\spoolsv.exe [1668:2448] 000007fef9245fd0 Thread C:\Windows\System32\spoolsv.exe [1668:2452] 000007fef9233438 Thread C:\Windows\System32\spoolsv.exe [1668:2456] 000007fef92463ec Thread C:\Windows\System32\spoolsv.exe [1668:2464] 000007fef9525e5c Thread C:\Windows\System32\spoolsv.exe [1668:2468] 000007fef9575074 Thread C:\Windows\system32\svchost.exe [1700:1724] 000007fefd9e1a70 Thread C:\Windows\system32\svchost.exe [1700:1744] 000007fefd9e1a70 Thread C:\Windows\system32\svchost.exe [1700:1756] 000007fefd9e1a70 Thread C:\Windows\system32\svchost.exe [1700:1764] 000007fef9ee2c70 Thread C:\Windows\system32\svchost.exe [1700:1792] 000007fef9eefb40 Thread C:\Windows\system32\svchost.exe [1700:1804] 000007fef9f01d20 Thread C:\Windows\system32\svchost.exe [1700:1808] 000007fef9eef6f0 Thread C:\Windows\system32\svchost.exe [1700:1964] 000007fef9e435c0 Thread C:\Windows\system32\svchost.exe [1700:1968] 000007fef9e45600 Thread C:\Windows\system32\svchost.exe [1700:3708] 000007feee702940 Thread C:\Windows\system32\svchost.exe [1700:544] 000007feee0b2888 Thread C:\Windows\system32\Dwm.exe [2440:2620] 000007fef857abf0 Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [3012:3024] 0000000077d53e85 Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [3012:3028] 0000000075847587 Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [3012:3040] 0000000077d52e65 Thread C:\Windows\system32\svchost.exe [2124:1564] 000007feff95a808 Thread C:\Windows\system32\svchost.exe [2124:2284] 000007fef7f57130 Thread C:\Windows\system32\svchost.exe [2124:2292] 000007fef7f4d5c0 Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3984:3248] 0000000075847587 Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3984:1596] 0000000077d52e65 Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3984:3676] 000000007156345e Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3984:1260] 00000000744d6358 Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3984:3508] 000000007156345e Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3984:3512] 00000000741df71d Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3984:3380] 00000000741df71d Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3984:3720] 00000000741d5b1a Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3984:3716] 000000007156345e Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3984:4124] 0000000074480b14 Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3984:4156] 000000007156345e Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3984:4388] 000000007156345e Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3984:2880] 0000000077d53e85 Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [4160:4364] 0000000075847587 Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [4160:4384] 0000000077d52e65 Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [4160:4452] 00000000687a4c7c Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [4160:4476] 00000000687b6467 Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [4160:3948] 0000000077d53e85 Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [4160:1080] 0000000077d53e85 Thread C:\Windows\system32\svchost.exe [3856:2592] 000007feff95a808 Thread C:\Windows\system32\svchost.exe [3632:2944] 000007feeddb8470 Thread C:\Windows\system32\svchost.exe [3632:2940] 000007feeddc2418 Thread C:\Windows\system32\svchost.exe [3632:4916] 000007feec4a65c4 Thread C:\Windows\System32\svchost.exe [5116:2332] 000007feeaca9688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4264:4656] 000007fefc482a7c Thread C:\Windows\system32\svchost.exe [4076:3416] 000007feff95a808 Thread C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe [4068:4896] 0000000077d53e85 Thread C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe [4068:3660] 0000000075847587 Thread C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe [4068:2956] 0000000077d52e65 Thread C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe [4068:3564] 0000000077d53e85 Thread C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe [4068:1584] 0000000077d53e85 Thread C:\Windows\system32\taskhost.exe [292:4908] 000007fef9afef24 ---- Processes - GMER 2.1 ---- Library C:\Users\Acer\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2552] (GG drive menu/GG Network S.A.)(2014- 000000005ff80000 ---- EOF - GMER 2.1 ----