GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-07 14:39:03 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SanDisk_ rev.X310 223,57GB Running: zl5u8mj8.exe; Driver: C:\Users\user\AppData\Local\Temp\uxldipow.sys ---- User code sections - GMER 2.1 ---- .text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe[2484] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075381465 2 bytes [38, 75] .text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe[2484] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753814bb 2 bytes [38, 75] .text ... * 2 .text C:\Program Files (x86)\Hold Page\bin\utilHoldPage.exe[3172] C:\windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075381465 2 bytes [38, 75] .text C:\Program Files (x86)\Hold Page\bin\utilHoldPage.exe[3172] C:\windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000753814bb 2 bytes [38, 75] .text ... * 2 .text c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe[4268] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075381465 2 bytes [38, 75] .text c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe[4268] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753814bb 2 bytes [38, 75] .text ... * 2 .text C:\Users\user\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.18.6\dsrlte.exe[5192] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075381465 2 bytes [38, 75] .text C:\Users\user\AppData\Local\Pay-By-Ads\Yahoo! Search\1.3.18.6\dsrlte.exe[5192] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753814bb 2 bytes [38, 75] .text ... * 2 .text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe[5852] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075381465 2 bytes [38, 75] .text c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe[5852] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753814bb 2 bytes [38, 75] .text ... * 2 .text C:\windows\SysWOW64\RunDll32.exe[6040] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075381465 2 bytes [38, 75] .text C:\windows\SysWOW64\RunDll32.exe[6040] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753814bb 2 bytes [38, 75] .text ... * 2 .text C:\Program Files (x86)\Hold Page\bin\HoldPage.BrowserAdapter.exe[1136] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075381465 2 bytes [38, 75] .text C:\Program Files (x86)\Hold Page\bin\HoldPage.BrowserAdapter.exe[1136] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753814bb 2 bytes [38, 75] .text ... * 2 .text C:\Program Files (x86)\Hold Page\bin\HoldPage.expext.exe[6516] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075381465 2 bytes [38, 75] .text C:\Program Files (x86)\Hold Page\bin\HoldPage.expext.exe[6516] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753814bb 2 bytes [38, 75] .text ... * 2 .text C:\Program Files (x86)\Hold Page\bin\HoldPage.BOASHelper.exe[4944] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075381465 2 bytes [38, 75] .text C:\Program Files (x86)\Hold Page\bin\HoldPage.BOASHelper.exe[4944] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753814bb 2 bytes [38, 75] .text ... * 2 .text C:\Program Files (x86)\Hold Page\bin\HoldPage.BOASPRT.exe[6796] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075381465 2 bytes [38, 75] .text C:\Program Files (x86)\Hold Page\bin\HoldPage.BOASPRT.exe[6796] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753814bb 2 bytes [38, 75] .text ... * 2 .text C:\Program Files (x86)\Hold Page\bin\HoldPage.BOAS.exe[3052] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075381465 2 bytes [38, 75] .text C:\Program Files (x86)\Hold Page\bin\HoldPage.BOAS.exe[3052] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753814bb 2 bytes [38, 75] .text ... * 2 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007738f9e0 5 bytes JMP 00000001646aea93 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtOpenKey 000000007738fa28 5 bytes JMP 00000001646af0f8 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 000000007738fa40 5 bytes JMP 00000001646ad830 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtQueryKey 000000007738fa90 5 bytes JMP 00000001646ad38c .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007738faa8 5 bytes JMP 00000001646ad67d .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtCreateKey 000000007738fb40 5 bytes JMP 00000001646af338 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007738fc38 5 bytes JMP 00000001646ba713 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtEnumerateKey 000000007738fd4c 5 bytes JMP 00000001646ad1d4 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007738fd64 5 bytes JMP 00000001646b9d35 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007738fd98 5 bytes JMP 00000001646ba030 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007738fe44 5 bytes JMP 00000001646ae668 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 000000007738fe5c 5 bytes JMP 00000001646b9e5e .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773900b4 5 bytes JMP 00000001646b9b7a .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000773901c4 5 bytes JMP 00000001646ad9d8 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtCreateKeyTransacted 0000000077390754 5 bytes JMP 00000001646af3da .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtDeleteFile 00000000773909e4 5 bytes JMP 00000001646b9d72 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtDeleteKey 00000000773909fc 5 bytes JMP 00000001646acfa8 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077390a44 5 bytes JMP 00000001646adb8e .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077390b80 5 bytes JMP 00000001646ad0be .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077390f70 5 bytes JMP 00000001646ae01b .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077390f88 5 bytes JMP 00000001646ae1b7 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077391018 5 bytes JMP 00000001646af185 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyTransacted 0000000077391030 5 bytes JMP 00000001646af2a8 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyTransactedEx 0000000077391048 5 bytes JMP 00000001646af215 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 000000007739133c 5 bytes JMP 00000001646b9f47 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 000000007739147c 5 bytes JMP 00000001646ade8e .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 0000000077391528 5 bytes JMP 00000001646ae37b .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtRenameKey 0000000077391718 5 bytes JMP 00000001646add06 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtSetInformationKey 0000000077391a58 5 bytes JMP 00000001646ad535 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077391b9c 5 bytes JMP 00000001646ae4fd .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\kernel32.dll!CreateProcessW 000000007546103d 5 bytes JMP 0000000164693904 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000075461072 5 bytes JMP 0000000164693d68 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075468791 5 bytes JMP 0000000162ba99c1 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007548c9b5 5 bytes JMP 0000000164693a1e .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\kernel32.dll!WinExec 00000000754e2ff1 5 bytes JMP 0000000164693c62 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075112642 5 bytes JMP 0000000164693f75 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\USER32.dll!RegisterClipboardFormatW 0000000076939ebd 4 bytes JMP 0000000162bc99ff .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\USER32.dll!RegisterClipboardFormatA 0000000076940afa 4 bytes JMP 0000000162bce26c .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\USER32.dll!BeginPaint 0000000076941361 5 bytes JMP 0000000162bdc8b4 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\USER32.dll!ValidateRect 0000000076947849 5 bytes JMP 0000000162d51f12 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\SHELL32.dll!SHParseDisplayName 0000000075ab7edb 5 bytes JMP 0000000162ca54dc .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\ole32.dll!OleLoadFromStream 0000000075586143 5 bytes JMP 000000016334debe .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\ole32.dll!CoResumeClassObjects + 7 000000007558ea09 7 bytes JMP 00000001646ce370 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\ole32.dll!OleRun 00000000755907de 5 bytes JMP 00000001646cde9e .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\ole32.dll!CoRegisterClassObject 00000000755921e1 5 bytes JMP 00000001646d1745 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\ole32.dll!OleUninitialize 000000007559eba1 6 bytes JMP 00000001646cde15 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\ole32.dll!OleInitialize 000000007559efd7 5 bytes JMP 00000001646cddcd .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\ole32.dll!CoGetClassObject 00000000755b54ad 5 bytes JMP 00000001646cfdbb .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\ole32.dll!CoInitializeEx 00000000755c09ad 5 bytes JMP 00000001646cdd6d .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\ole32.dll!CoUninitialize 00000000755c86d3 5 bytes JMP 00000001646d07cf .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\ole32.dll!CoCreateInstance 00000000755c9d0b 5 bytes JMP 00000001646d14ec .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\ole32.dll!CoCreateInstanceEx 00000000755c9d4e 5 bytes JMP 00000001646cf3c7 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\ole32.dll!CoSuspendClassObjects + 7 00000000755ebb09 7 bytes JMP 00000001646cdee6 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\ole32.dll!CoRevokeClassObject 000000007560eacf 5 bytes JMP 00000001646cfa7c .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\ole32.dll!CoGetInstanceFromFile 000000007564340b 5 bytes JMP 00000001646d08cf .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\ole32.dll!OleRegEnumFormatEtc 000000007568cfd9 5 bytes JMP 00000001646cde56 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\oleaut32.dll!SysFreeString 0000000076ee3e59 5 bytes JMP 0000000162c00b7f .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\oleaut32.dll!VariantClear 0000000076ee3eae 5 bytes JMP 0000000162c1d70c .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\oleaut32.dll!SysAllocStringByteLen 0000000076ee4731 5 bytes JMP 0000000162c68714 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\oleaut32.dll!VariantChangeType 0000000076ee5dee 5 bytes JMP 0000000162c9a6a0 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\oleaut32.dll!RegisterActiveObject 0000000076f127ce 5 bytes JMP 00000001646d03db .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\oleaut32.dll!RevokeActiveObject 0000000076f132c4 5 bytes JMP 00000001646cdd25 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\oleaut32.dll!GetActiveObject 0000000076f28f80 5 bytes JMP 00000001646d056f .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075381465 2 bytes [38, 75] .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000753814bb 2 bytes [38, 75] .text ... * 2 ? C:\windows\system32\mssprxy.dll [3704] entry point in ".rdata" section 00000000653971e6 .text C:\Program Files\Microsoft Office 15\root\office15\outlook.exe[3704] C:\Program Files\Microsoft Office 15\Root\Office15\outlrpc.dll!MAPIRevokeMoniker@4 + 657 000000005ca9287c 4 bytes [59, 75, DF, 3C] .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtClose 000000007738f9e0 5 bytes JMP 000000015944ea93 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtOpenKey 000000007738fa28 5 bytes JMP 000000015944f0f8 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 000000007738fa40 5 bytes JMP 000000015944d830 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtQueryKey 000000007738fa90 5 bytes JMP 000000015944d38c .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtQueryValueKey 000000007738faa8 5 bytes JMP 000000015944d67d .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtCreateKey 000000007738fb40 5 bytes JMP 000000015944f338 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile 000000007738fc38 5 bytes JMP 000000015945a713 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtEnumerateKey 000000007738fd4c 5 bytes JMP 000000015944d1d4 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtOpenFile 000000007738fd64 5 bytes JMP 0000000159459d35 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007738fd98 5 bytes JMP 000000015945a030 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtDuplicateObject 000000007738fe44 5 bytes JMP 000000015944e668 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 000000007738fe5c 5 bytes JMP 0000000159459e5e .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtCreateFile 00000000773900b4 5 bytes JMP 0000000159459b7a .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000773901c4 5 bytes JMP 000000015944d9d8 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtCreateKeyTransacted 0000000077390754 5 bytes JMP 000000015944f3da .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtDeleteFile 00000000773909e4 5 bytes JMP 0000000159459d72 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtDeleteKey 00000000773909fc 5 bytes JMP 000000015944cfa8 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077390a44 5 bytes JMP 000000015944db8e .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077390b80 5 bytes JMP 000000015944d0be .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077390f70 5 bytes JMP 000000015944e01b .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077390f88 5 bytes JMP 000000015944e1b7 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077391018 5 bytes JMP 000000015944f185 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyTransacted 0000000077391030 5 bytes JMP 000000015944f2a8 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyTransactedEx 0000000077391048 5 bytes JMP 000000015944f215 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 000000007739133c 5 bytes JMP 0000000159459f47 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 000000007739147c 5 bytes JMP 000000015944de8e .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 0000000077391528 5 bytes JMP 000000015944e37b .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtRenameKey 0000000077391718 5 bytes JMP 000000015944dd06 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtSetInformationKey 0000000077391a58 5 bytes JMP 000000015944d535 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077391b9c 5 bytes JMP 000000015944e4fd .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\syswow64\kernel32.dll!CreateProcessW 000000007546103d 5 bytes JMP 0000000159433904 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000075461072 5 bytes JMP 0000000159433d68 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007548c9b5 5 bytes JMP 0000000159433a1e .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\syswow64\kernel32.dll!WinExec 00000000754e2ff1 5 bytes JMP 0000000159433c62 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\syswow64\USER32.dll!RegisterClipboardFormatW 0000000076939ebd 4 bytes JMP 0000000162bc99ff .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\syswow64\USER32.dll!RegisterClipboardFormatA 0000000076940afa 4 bytes JMP 0000000162bce26c .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\syswow64\USER32.dll!BeginPaint 0000000076941361 5 bytes JMP 0000000162bdc8b4 .text C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe[6936] C:\windows\syswow64\USER32.dll!ValidateRect 0000000076947849 5 bytes JMP 0000000162d51f12 .text C:\Users\user\Downloads\OTL.exe[8712] C:\windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000075381465 2 bytes [38, 75] .text C:\Users\user\Downloads\OTL.exe[8712] C:\windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000753814bb 2 bytes [38, 75] .text ... * 2 ---- Processes - GMER 2.1 ---- Library c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8FB2ADE5-55B1-4E31-90BA-CF34FE8C7AFC}\offreg.dll (*** suspicious ***) @ c:\Program Files\Microsoft Security Client\MsMpEng.exe [968](2015-01-07 12:30:21) 000007feeb260000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\outlook.exe [3704] 0000000062ba0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\riched20.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\outlook.exe [3704] 000000005d190000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\outlook.exe [3704] 000000005d070000 Library C:\Program Files (x86)\Common Files\SYSTEM\MSMAPI\1045\MSMAPI32.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\outlook.exe [3704] 00000000653d0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\PROOF\MSLID.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\outlook.exe [3704] 00000000568f0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [6936] 0000000062ba0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\riched20.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [6936] 000000005d190000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [6936] 000000005d070000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\csi.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [6936] 0000000056210000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\ACEOLEDB.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [6936] 000000005d020000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\ACECORE.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [6936] 000000005cd50000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\1045\ACEWSTR.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [6936] 000000005cc70000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\ACEES.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [6936] 000000005cbd0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\VBAJET32.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [6936] 000000005cbc0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\expsrv.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [6936] 000000005cb60000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\ACEERR.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [6936] 000000005c670000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\485ab6f0a818 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\485ab6f0fdcf Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\485ab6f0fde7 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{663A215C-76B0-4461-9007-B44DBE603F03}@LeaseObtainedTime 1420636090 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{663A215C-76B0-4461-9007-B44DBE603F03}@T1 1420636390 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{663A215C-76B0-4461-9007-B44DBE603F03}@T2 1420636615 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{663A215C-76B0-4461-9007-B44DBE603F03}@LeaseTerminatesTime 1420636690 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\485ab6f0a818 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\485ab6f0fdcf (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\485ab6f0fde7 (not active ControlSet) ---- EOF - GMER 2.1 ----