GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-12-20 12:16:13
Windows 6.1.7601 Service Pack 1 x64
\Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JE3O 465,76GB
Running: cm45o0hm.exe; Driver: C:\Users\Maciek\AppData\Local\Temp\awrdrpog.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031a7000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800031a702f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text C:\Windows\SysWOW64\PnkBstrA.exe[2796] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000074d21a22 2 bytes [D2, 74]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2796] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000074d21ad0 2 bytes [D2, 74]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2796] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000074d21b08 2 bytes [D2, 74]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2796] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000074d21bba 2 bytes [D2, 74]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2796] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000074d21bda 2 bytes [D2, 74]
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3820] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000777fa400 7 bytes JMP 000000016fff0228
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3820] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077803f20 5 bytes JMP 000000016fff0180
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3820] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007781ffb0 5 bytes JMP 000000016fff01b8
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3820] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007782f2e0 5 bytes JMP 000000016fff0110
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3820] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077859a30 7 bytes JMP 000000016fff00d8
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3820] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000778694c0 5 bytes JMP 000000016fff0148
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3820] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000778887e0 7 bytes JMP 000000016fff01f0
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3820] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefdbe7490 11 bytes JMP 000007fffd7e0228
.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3820] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefdbfbf00 7 bytes JMP 000007fffd7e0260
.text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[3872] C:\Windows\syswow64\KERNEL32.dll!RegQueryValueExW 0000000077331f0e 7 bytes JMP 0000000170fd3dd0
.text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[3872] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExW 0000000077335bad 7 bytes JMP 0000000170fd40e0
.text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[3872] C:\Windows\syswow64\KERNEL32.dll!RegSetValueExA 0000000077341409 7 bytes JMP 0000000170fd3f10
.text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[3872] C:\Windows\syswow64\KERNEL32.dll!RegDeleteValueW 000000007734ea45 7 bytes JMP 0000000170fd3dc0
.text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[3872] C:\Windows\syswow64\KERNEL32.dll!K32EnumProcessModulesEx 00000000773d8e24 7 bytes JMP 0000000170fd3b50
.text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[3872] C:\Windows\syswow64\KERNEL32.dll!K32GetModuleInformation 00000000773d8ea9 5 bytes JMP 0000000170fd3c00
.text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[3872] C:\Windows\syswow64\KERNEL32.dll!K32GetMappedFileNameW 00000000773d91ff 5 bytes JMP 0000000170fd3b60
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4028] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000077331f0e 7 bytes JMP 0000000170fd3dd0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4028] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000077335bad 7 bytes JMP 0000000170fd40e0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4028] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000077341409 7 bytes JMP 0000000170fd3f10
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4028] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007734ea45 7 bytes JMP 0000000170fd3dc0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4028] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000773d8e24 7 bytes JMP 0000000170fd3b50
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4028] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000773d8ea9 5 bytes JMP 0000000170fd3c00
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4028] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000773d91ff 5 bytes JMP 0000000170fd3b60
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4028] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075601d29 5 bytes JMP 0000000170fd3b00
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4028] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075601dd7 5 bytes JMP 0000000170fd3ab0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4028] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075602ab1 5 bytes JMP 0000000170fd3c10
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4028] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075602d17 5 bytes JMP 0000000170fd3890
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4028] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076d08a29 5 bytes JMP 0000000170fd3370
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4028] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076d14572 5 bytes JMP 0000000170fd3810
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4028] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076d2e567 5 bytes JMP 0000000170fd3880
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4028] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076d507d7 5 bytes JMP 0000000170fd3280
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4028] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076d67a5c 5 bytes JMP 0000000170fd3800
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4028] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000756ce96b 5 bytes JMP 0000000170fd33e0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4028] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000756ceba5 5 bytes JMP 0000000170fd33f0
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4028] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075925ea5 5 bytes JMP 0000000170fd3320
.text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4028] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075959d0b 5 bytes JMP 0000000170fd32b0
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4744] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000777fa400 7 bytes JMP 000000016fff0228
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4744] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077803f20 5 bytes JMP 000000016fff0180
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4744] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007781ffb0 5 bytes JMP 000000016fff01b8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4744] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007782f2e0 5 bytes JMP 000000016fff0110
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4744] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077859a30 7 bytes JMP 000000016fff00d8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4744] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000778694c0 5 bytes JMP 000000016fff0148
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4744] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000778887e0 7 bytes JMP 000000016fff01f0
.text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[4968] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000777fa400 7 bytes JMP 000000016fff0228
.text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[4968] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077803f20 5 bytes JMP 000000016fff0180
.text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[4968] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007781ffb0 5 bytes JMP 000000016fff01b8
.text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[4968] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007782f2e0 5 bytes JMP 000000016fff0110
.text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[4968] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077859a30 7 bytes JMP 000000016fff00d8
.text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[4968] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000778694c0 5 bytes JMP 000000016fff0148
.text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[4968] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000778887e0 7 bytes JMP 000000016fff01f0
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\system32\kernel32.dll!RegSetValueExW 00000000777fa400 7 bytes JMP 000000016fff0228
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\system32\kernel32.dll!RegQueryValueExW 0000000077803f20 5 bytes JMP 000000016fff0180
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\system32\kernel32.dll!RegDeleteValueW 000000007781ffb0 5 bytes JMP 000000016fff01b8
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 000000007782f2e0 5 bytes JMP 000000016fff0110
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 0000000077859a30 7 bytes JMP 000000016fff00d8
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000778694c0 5 bytes JMP 000000016fff0148
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\system32\kernel32.dll!RegSetValueExA 00000000778887e0 7 bytes JMP 000000016fff01f0
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefd7f2db0 5 bytes JMP 000007fffd7e0180
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefd7f37d0 7 bytes JMP 000007fffd7e00d8
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefd7f8ef0 6 bytes JMP 000007fffd7e0148
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefd80af60 5 bytes JMP 000007fffd7e0110
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feff2289f0 8 bytes JMP 000007fffd7e01f0
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[5108] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feff22be50 8 bytes JMP 000007fffd7e01b8
.text C:\Program Files (x86)\syncables\syncables desktop\syncables.exe[1148] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000077331f0e 7 bytes JMP 0000000170fd3dd0
.text C:\Program Files (x86)\syncables\syncables desktop\syncables.exe[1148] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000077335bad 7 bytes JMP 0000000170fd40e0
.text C:\Program Files (x86)\syncables\syncables desktop\syncables.exe[1148] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000077341409 7 bytes JMP 0000000170fd3f10
.text C:\Program Files (x86)\syncables\syncables desktop\syncables.exe[1148] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007734ea45 7 bytes JMP 0000000170fd3dc0
.text C:\Program Files (x86)\syncables\syncables desktop\syncables.exe[1148] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000773d8e24 7 bytes JMP 0000000170fd3b50
.text C:\Program Files (x86)\syncables\syncables desktop\syncables.exe[1148] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000773d8ea9 5 bytes JMP 0000000170fd3c00
.text C:\Program Files (x86)\syncables\syncables desktop\syncables.exe[1148] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000773d91ff 5 bytes JMP 0000000170fd3b60
.text C:\Program Files (x86)\syncables\syncables desktop\jre\bin\javaw.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075601d29 5 bytes JMP 0000000170fd3b00
.text C:\Program Files (x86)\syncables\syncables desktop\jre\bin\javaw.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075601dd7 5 bytes JMP 0000000170fd3ab0
.text C:\Program Files (x86)\syncables\syncables desktop\jre\bin\javaw.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075602ab1 5 bytes JMP 0000000170fd3c10
.text C:\Program Files (x86)\syncables\syncables desktop\jre\bin\javaw.exe[5116] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075602d17 5 bytes JMP 0000000170fd3890
.text C:\Program Files\AVAST Software\Avast\avastui.exe[5780] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000077331f0e 7 bytes JMP 0000000170fd3dd0
.text C:\Program Files\AVAST Software\Avast\avastui.exe[5780] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000077335bad 7 bytes JMP 0000000170fd40e0
.text C:\Program Files\AVAST Software\Avast\avastui.exe[5780] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000077338791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text C:\Program Files\AVAST Software\Avast\avastui.exe[5780] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000077341409 7 bytes JMP 0000000170fd3f10
.text C:\Program Files\AVAST Software\Avast\avastui.exe[5780] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007734ea45 7 bytes JMP 0000000170fd3dc0
.text C:\Program Files\AVAST Software\Avast\avastui.exe[5780] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000773d8e24 7 bytes JMP 0000000170fd3b50
.text C:\Program Files\AVAST Software\Avast\avastui.exe[5780] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000773d8ea9 5 bytes JMP 0000000170fd3c00
.text C:\Program Files\AVAST Software\Avast\avastui.exe[5780] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000773d91ff 5 bytes JMP 0000000170fd3b60
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[6292] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000077331f0e 7 bytes JMP 0000000170fd3dd0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[6292] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000077335bad 7 bytes JMP 0000000170fd40e0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[6292] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000077341409 7 bytes JMP 0000000170fd3f10
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[6292] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007734ea45 7 bytes JMP 0000000170fd3dc0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[6292] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000773d8e24 7 bytes JMP 0000000170fd3b50
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[6292] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000773d8ea9 5 bytes JMP 0000000170fd3c00
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[6292] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000773d91ff 5 bytes JMP 0000000170fd3b60
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[6292] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075601d29 5 bytes JMP 0000000170fd3b00
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[6292] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075601dd7 5 bytes JMP 0000000170fd3ab0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[6292] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075602ab1 5 bytes JMP 0000000170fd3c10
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[6292] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075602d17 5 bytes JMP 0000000170fd3890
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[6292] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075925ea5 5 bytes JMP 0000000170fd3320
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[6292] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075959d0b 5 bytes JMP 0000000170fd32b0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[1308] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000077331f0e 7 bytes JMP 0000000170fd3dd0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[1308] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000077335bad 7 bytes JMP 0000000170fd40e0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[1308] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000077341409 7 bytes JMP 0000000170fd3f10
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[1308] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007734ea45 7 bytes JMP 0000000170fd3dc0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[1308] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000773d8e24 7 bytes JMP 0000000170fd3b50
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[1308] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000773d8ea9 5 bytes JMP 0000000170fd3c00
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[1308] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000773d91ff 5 bytes JMP 0000000170fd3b60
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[6608] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000077331f0e 7 bytes JMP 0000000170fd3dd0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[6608] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000077335bad 7 bytes JMP 0000000170fd40e0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[6608] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000077341409 7 bytes JMP 0000000170fd3f10
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[6608] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007734ea45 7 bytes JMP 0000000170fd3dc0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[6608] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000773d8e24 7 bytes JMP 0000000170fd3b50
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[6608] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000773d8ea9 5 bytes JMP 0000000170fd3c00
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[6608] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000773d91ff 5 bytes JMP 0000000170fd3b60
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[6572] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000077331f0e 7 bytes JMP 0000000170fd3dd0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[6572] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000077335bad 7 bytes JMP 0000000170fd40e0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[6572] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000077341409 7 bytes JMP 0000000170fd3f10
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[6572] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007734ea45 7 bytes JMP 0000000170fd3dc0
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[6572] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000773d8e24 7 bytes JMP 0000000170fd3b50
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[6572] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000773d8ea9 5 bytes JMP 0000000170fd3c00
.text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[6572] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000773d91ff 5 bytes JMP 0000000170fd3b60
.text C:\Users\Maciek\Desktop\cm45o0hm.exe[7980] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000077331f0e 7 bytes JMP 0000000170fd3dd0
.text C:\Users\Maciek\Desktop\cm45o0hm.exe[7980] C:\Windows\syswow64\kernel32.dll!RegSetValueExW 0000000077335bad 7 bytes JMP 0000000170fd40e0
.text C:\Users\Maciek\Desktop\cm45o0hm.exe[7980] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000077341409 7 bytes JMP 0000000170fd3f10
.text C:\Users\Maciek\Desktop\cm45o0hm.exe[7980] C:\Windows\syswow64\kernel32.dll!RegDeleteValueW 000000007734ea45 7 bytes JMP 0000000170fd3dc0
.text C:\Users\Maciek\Desktop\cm45o0hm.exe[7980] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000773d8e24 7 bytes JMP 0000000170fd3b50
.text C:\Users\Maciek\Desktop\cm45o0hm.exe[7980] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000773d8ea9 5 bytes JMP 0000000170fd3c00
.text C:\Users\Maciek\Desktop\cm45o0hm.exe[7980] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000773d91ff 5 bytes JMP 0000000170fd3b60
.text C:\Users\Maciek\Desktop\cm45o0hm.exe[7980] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000075601d29 5 bytes JMP 0000000170fd3b00
.text C:\Users\Maciek\Desktop\cm45o0hm.exe[7980] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000075601dd7 5 bytes JMP 0000000170fd3ab0
.text C:\Users\Maciek\Desktop\cm45o0hm.exe[7980] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000075602ab1 5 bytes JMP 0000000170fd3c10
.text C:\Users\Maciek\Desktop\cm45o0hm.exe[7980] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000075602d17 5 bytes JMP 0000000170fd3890
.text C:\Users\Maciek\Desktop\cm45o0hm.exe[7980] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000756ce96b 5 bytes JMP 0000000170fd33e0
.text C:\Users\Maciek\Desktop\cm45o0hm.exe[7980] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000756ceba5 5 bytes JMP 0000000170fd33f0
.text C:\Users\Maciek\Desktop\cm45o0hm.exe[7980] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076d08a29 5 bytes JMP 0000000170fd3370
.text C:\Users\Maciek\Desktop\cm45o0hm.exe[7980] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesA 0000000076d14572 5 bytes JMP 0000000170fd3810
.text C:\Users\Maciek\Desktop\cm45o0hm.exe[7980] C:\Windows\syswow64\USER32.dll!EnumDisplayDevicesW 0000000076d2e567 5 bytes JMP 0000000170fd3880
.text C:\Users\Maciek\Desktop\cm45o0hm.exe[7980] C:\Windows\syswow64\USER32.dll!ChangeDisplaySettingsExW 0000000076d507d7 5 bytes JMP 0000000170fd3280
.text C:\Users\Maciek\Desktop\cm45o0hm.exe[7980] C:\Windows\syswow64\USER32.dll!DisplayConfigGetDeviceInfo 0000000076d67a5c 5 bytes JMP 0000000170fd3800

---- Processes - GMER 2.1 ----

Process C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (*** suspicious ***) @ C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [1744] (WindowsProtectManger Service/Fuyu LIMITED)(2014-07-21 20:19:55) 0000000000ef0000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68f78ca8
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68f78ca8@0007abc709c2 0xA3 0xBE 0xD4 0xB0 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68f78ca8@10683fd4a4a9 0x0A 0xF7 0x46 0x78 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68f78ca8@980d2e66ea4a 0xCB 0x90 0xA7 0xAB ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68f78ca8 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68f78ca8@0007abc709c2 0xA3 0xBE 0xD4 0xB0 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68f78ca8@10683fd4a4a9 0x0A 0xF7 0x46 0x78 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68f78ca8@980d2e66ea4a 0xCB 0x90 0xA7 0xAB ...

---- EOF - GMER 2.1 ----